feat: expose Notification.getHistory()

* feat: add support for `long-animation-frame` script attribution

* docs: document `AlwaysLogLOAFURL`

* chore: add test

* docs: adjust docs as per PR comment

* fix: test failures

* chore: simplify test

* fix: tests on Windows and Linux

.github/PULL_REQUEST_TEMPLATE.md

@@ -11,6 +11,7 @@ Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
 - [ ] PR description included
+- [ ] I have built and tested this PR
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)

.github/actions/build-electron/action.yml

@@ -26,6 +26,9 @@ inputs:
   is-asan:
     description: 'The ASan Linux build'
     required: false
+  upload-out-gen-artifacts:
+    description: 'Whether to upload the out/${dir}/gen artifacts'
+    required: false
 runs:
   using: "composite"
   steps:
@@ -280,3 +283,9 @@ runs:
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
+    - name: Upload Out Gen Artifacts ${{ inputs.step-suffix }}
+      if: ${{ inputs.upload-out-gen-artifacts == 'true' }}
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
+      with:
+        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
+        path: ./src/out/Default/gen

.github/workflows/archaeologist-dig.yml

@@ -13,11 +13,11 @@ jobs:
       contents: read
     steps:
       - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
       - name: Setup Node.js/npm
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
         with:
           node-version: 24.12.x
       - name: Setting Up Dig Site

.github/workflows/audit-branch-ci.yml

@@ -11,16 +11,17 @@ permissions: {}
 jobs:
   audit_branch_ci:
     name: Audit CI on Branches
+    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
       - name: Setup Node.js
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 22.17.x
       - name: Sparse checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: |
             .

.github/workflows/branch-created.yml

@@ -14,7 +14,7 @@ permissions: {}
 jobs:
   release-branch-created:
     name: Release Branch Created
-    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller')) }}
+    if: ${{ github.repository == 'electron/electron' && (github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller'))) }}
     permissions:
       contents: read
       pull-requests: write
@@ -68,7 +68,7 @@ jobs:
           done
       - name: Generate GitHub App token
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}

.github/workflows/build-git-cache.yml

@@ -10,6 +10,7 @@ permissions: {}
 
 jobs:
   build-git-cache-linux:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -23,7 +24,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -33,6 +34,7 @@ jobs:
         target-platform: linux
 
   build-git-cache-windows:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -47,7 +49,7 @@ jobs:
       TARGET_OS: 'win'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -57,6 +59,7 @@ jobs:
         target-platform: win
 
   build-git-cache-macos:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -72,7 +75,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/build.yml

@@ -47,6 +47,7 @@ permissions: {}
 
 jobs:
   setup:
+    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -57,7 +58,7 @@ jobs:
         build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
         docs-only: ${{ steps.set-output.outputs.docs-only }}
     steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         ref: ${{ github.event.pull_request.head.sha }}
     - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -124,7 +125,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -156,7 +157,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -188,7 +189,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -283,13 +284,15 @@ jobs:
       contents: read
       issues: read
       pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
+    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
     needs: checkout-linux
     if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
+      clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
       test-runs-on: electron-arc-centralus-linux-amd64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
+      clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
       target-arch: x64
@@ -426,7 +429,7 @@ jobs:
     permissions:
       contents: read
     needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
-    if: always() && !contains(needs.*.result, 'failure')
+    if: always() && github.repository == 'electron/electron' && !contains(needs.*.result, 'failure')
     steps: 
     - name: GitHub Actions Jobs Done
       run: |

.github/workflows/clean-src-cache.yml

@@ -12,6 +12,7 @@ permissions: {}
 
 jobs:
   clean-src-cache:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read

.github/workflows/issue-commented.yml

@@ -21,7 +21,7 @@ jobs:
           AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
           echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
         id: generate-token
         with:

.github/workflows/issue-labeled.yml

@@ -15,7 +15,7 @@ jobs:
       contents: read
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -36,7 +36,7 @@ jobs:
       contents: read
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -69,7 +69,7 @@ jobs:
           fi
       - name: Generate GitHub App token
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/issue-opened.yml

@@ -14,7 +14,7 @@ jobs:
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -32,13 +32,13 @@ jobs:
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Sparse checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: |
             .

.github/workflows/issue-transferred.yml

@@ -14,7 +14,7 @@ jobs:
     if: ${{ !github.event.changes.new_repository.private }}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/issue-unlabeled.yml

@@ -24,7 +24,7 @@ jobs:
           fi
       - name: Generate GitHub App token
         if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/linux-publish.yml

@@ -21,6 +21,7 @@ permissions: {}
 
 jobs:
   checkout-linux:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -35,7 +36,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/macos-disk-cleanup.yml

@@ -13,6 +13,7 @@ permissions: {}
 
 jobs:
   macos-disk-cleanup:
+    if: github.repository == 'electron/electron'
     strategy:
       fail-fast: false
       matrix:
@@ -25,7 +26,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           sparse-checkout: |
             .github/actions/free-space-macos

.github/workflows/macos-publish.yml

@@ -22,6 +22,7 @@ permissions: {}
 
 jobs:
   checkout-macos:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -36,7 +37,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml

@@ -0,0 +1,124 @@
+name: Electron Build & Clang Tidy & Test (+ Node + NaN) Pipeline
+
+on:
+  workflow_call:
+    inputs:
+      target-platform:
+        type: string
+        description: 'Platform to run on, can be macos, win or linux.'
+        required: true
+      target-arch:
+        type: string
+        description: 'Arch to build for, can be x64, arm64 or arm'
+        required: true
+      build-runs-on:
+        type: string
+        description: 'What host to run the build'
+        required: true
+      clang-tidy-runs-on:
+        type: string
+        description: 'What host to run clang-tidy on'
+        required: true
+      test-runs-on:
+        type: string
+        description: 'What host to run the tests on'
+        required: true
+      build-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+      clang-tidy-container:
+        type: string
+        description: 'JSON container information to run clang-tidy on'
+        required: false
+        default: '{"image":null}'
+      test-container:
+        type: string
+        description: 'JSON container information for testing'
+        required: false
+        default: '{"image":null}'
+      is-release:
+        description: 'Whether this build job is a release job'
+        required: true
+        type: boolean
+        default: false
+      gn-build-type:
+        description: 'The gn build type - testing or release'
+        required: true
+        type: string
+        default: testing
+      generate-symbols: 
+        description: 'Whether or not to generate symbols'
+        required: true
+        type: boolean
+        default: false
+      upload-to-storage: 
+        description: 'Whether or not to upload build artifacts to external storage'
+        required: true
+        type: string
+        default: '0'
+      is-asan: 
+        description: 'Building the Address Sanitizer (ASan) Linux build'
+        required: false
+        type: boolean
+        default: false
+
+permissions: {}
+
+concurrency:
+  group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+
+jobs:
+  build:
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
+    with:
+      build-runs-on: ${{ inputs.build-runs-on }}
+      build-container: ${{ inputs.build-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+      is-release: ${{ inputs.is-release }}
+      gn-build-type: ${{ inputs.gn-build-type }}
+      generate-symbols: ${{ inputs.generate-symbols }}
+      upload-to-storage: ${{ inputs.upload-to-storage }}
+      upload-out-gen-artifacts: true
+    secrets: inherit
+  clang-tidy:
+    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
+    permissions:
+      contents: read
+    needs: build
+    with:
+      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
+      clang-tidy-container: ${{ inputs.clang-tidy-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+    secrets: inherit
+  test:
+    uses: ./.github/workflows/pipeline-segment-electron-test.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    needs: build
+    with:
+      target-arch: ${{ inputs.target-arch }}
+      target-platform: ${{ inputs.target-platform }}
+      test-runs-on: ${{ inputs.test-runs-on }}
+      test-container: ${{ inputs.test-container }}
+    secrets: inherit
+  nn-test:
+    uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
+    permissions:
+      contents: read
+    needs: build
+    with:
+      target-arch: ${{ inputs.target-arch }}
+      target-platform: ${{ inputs.target-platform }}
+      test-runs-on: ${{ inputs.test-runs-on }}
+      test-container: ${{ inputs.test-container }}
+      gn-build-type: ${{ inputs.gn-build-type }}
+    secrets: inherit

.github/workflows/pipeline-electron-build-and-tidy-and-test.yml

@@ -0,0 +1,121 @@
+name: Electron Build & Clang Tidy & Test Pipeline
+
+on:
+  workflow_call:
+    inputs:
+      target-platform:
+        type: string
+        description: 'Platform to run on, can be macos, win or linux'
+        required: true
+      target-arch:
+        type: string
+        description: 'Arch to build for, can be x64, arm64 or arm'
+        required: true
+      build-runs-on:
+        type: string
+        description: 'What host to run the build'
+        required: true
+      clang-tidy-runs-on:
+        type: string
+        description: 'What host to run clang-tidy on'
+        required: true
+      test-runs-on:
+        type: string
+        description: 'What host to run the tests on'
+        required: true
+      build-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+      clang-tidy-container:
+        type: string
+        description: 'JSON container information to run clang-tidy on'
+        required: false
+        default: '{"image":null}'
+      test-container:
+        type: string
+        description: 'JSON container information for testing'
+        required: false
+        default: '{"image":null}'
+      is-release:
+        description: 'Whether this build job is a release job'
+        required: true
+        type: boolean
+        default: false
+      gn-build-type:
+        description: 'The gn build type - testing or release'
+        required: true
+        type: string
+        default: testing
+      generate-symbols: 
+        description: 'Whether or not to generate symbols'
+        required: true
+        type: boolean
+        default: false
+      upload-to-storage: 
+        description: 'Whether or not to upload build artifacts to external storage'
+        required: true
+        type: string
+        default: '0'
+      is-asan: 
+        description: 'Building the Address Sanitizer (ASan) Linux build'
+        required: false
+        type: boolean
+        default: false
+      enable-ssh:
+        description: 'Enable SSH debugging'
+        required: false
+        type: boolean
+        default: false
+
+concurrency:
+  group: electron-build-and-tidy-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
+  cancel-in-progress: ${{ github.ref_protected != true }}
+
+permissions: {}
+
+jobs:
+  build:
+    uses: ./.github/workflows/pipeline-segment-electron-build.yml
+    permissions:
+      contents: read
+    with:
+      build-runs-on: ${{ inputs.build-runs-on }}
+      build-container: ${{ inputs.build-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+      is-release: ${{ inputs.is-release }}
+      gn-build-type: ${{ inputs.gn-build-type }}
+      generate-symbols: ${{ inputs.generate-symbols }}
+      upload-to-storage: ${{ inputs.upload-to-storage }}
+      is-asan: ${{ inputs.is-asan }}
+      enable-ssh: ${{ inputs.enable-ssh }}
+      upload-out-gen-artifacts: true
+    secrets: inherit
+  clang-tidy:
+    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
+    permissions:
+      contents: read
+    needs: build
+    with:
+      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
+      clang-tidy-container: ${{ inputs.clang-tidy-container }}
+      target-platform: ${{ inputs.target-platform }}
+      target-arch: ${{ inputs.target-arch }}
+    secrets: inherit
+  test:
+    uses: ./.github/workflows/pipeline-segment-electron-test.yml
+    permissions:
+      contents: read
+      issues: read
+      pull-requests: read
+    needs: build
+    with:
+      target-arch: ${{ inputs.target-arch }}
+      target-platform: ${{ inputs.target-platform }}
+      test-runs-on: ${{ inputs.test-runs-on }}
+      test-container: ${{ inputs.test-container }}
+      is-asan: ${{ inputs.is-asan }}
+      enable-ssh: ${{ inputs.enable-ssh }}
+    secrets: inherit

.github/workflows/pipeline-electron-docs-only.yml

@@ -27,7 +27,7 @@ jobs:
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -43,7 +43,7 @@ jobs:
       with:
         target-platform: linux
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-electron-lint.yml

@@ -27,7 +27,7 @@ jobs:
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-segment-electron-build.yml

@@ -53,6 +53,11 @@ on:
         required: false
         type: boolean
         default: false
+      upload-out-gen-artifacts:
+        description: 'Whether to upload the src/gen artifacts'
+        required: false
+        type: boolean
+        default: false
       enable-ssh:
         description: 'Enable SSH debugging'
         required: false
@@ -95,7 +100,7 @@ jobs:
       run: |
         mkdir src
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -119,7 +124,7 @@ jobs:
       run: df -h
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
       with:
         node-version: 22.21.x
         cache: yarn
@@ -163,7 +168,7 @@ jobs:
       if: ${{ inputs.target-platform == 'linux' }}
       uses: ./src/electron/.github/actions/restore-cache-aks
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -201,6 +206,7 @@ jobs:
         generate-symbols: '${{ inputs.generate-symbols }}'
         upload-to-storage: '${{ inputs.upload-to-storage }}'
         is-asan: '${{ inputs.is-asan }}'
+        upload-out-gen-artifacts: '${{ inputs.upload-out-gen-artifacts }}'
     - name: Set GN_EXTRA_ARGS for MAS Build
       if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' || inputs.target-variant == 'mas') }}
       run: |

.github/workflows/pipeline-segment-electron-clang-tidy.yml

@@ -0,0 +1,159 @@
+name: Pipeline Segment - Electron Clang-Tidy
+
+on:
+  workflow_call:
+    inputs:
+      target-platform:
+        type: string
+        description: 'Platform to run on, can be macos, win or linux'
+        required: true
+      target-arch:
+        type: string
+        description: 'Arch to build for, can be x64, arm64 or arm'
+        required: true
+      clang-tidy-runs-on:
+        type: string
+        description: 'What host to run clang-tidy on'
+        required: true
+      clang-tidy-container:
+        type: string
+        description: 'JSON container information for aks runs-on'
+        required: false
+        default: '{"image":null}'
+
+permissions: {}
+
+concurrency:
+  group: electron-clang-tidy-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || (inputs.target-platform == 'linux' && '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' || '--custom-var=checkout_win=True') }}
+  ELECTRON_OUT_DIR: Default
+
+jobs:
+  clang-tidy:
+    defaults:
+      run:
+        shell: bash
+    runs-on: ${{ inputs.clang-tidy-runs-on }}
+    permissions:
+      contents: read
+    container: ${{ fromJSON(inputs.clang-tidy-container) }}
+    env:
+      BUILD_TYPE: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
+      TARGET_ARCH: ${{ inputs.target-arch }}
+      TARGET_PLATFORM: ${{ inputs.target-platform }}
+      ARTIFACT_KEY: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}_${{ inputs.target-arch }}
+    steps:
+    - name: Checkout Electron
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        path: src/electron
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Cleanup disk space on macOS
+      if: ${{ inputs.target-platform == 'macos' }}
+      shell: bash
+      run: |   
+        sudo mkdir -p $TMPDIR/del-target
+
+        tmpify() {
+          if [ -d "$1" ]; then
+            sudo mv "$1" $TMPDIR/del-target/$(echo $1|shasum -a 256|head -n1|cut -d " " -f1)
+          fi
+        }   
+        tmpify /Library/Developer/CoreSimulator
+        tmpify ~/Library/Developer/CoreSimulator
+        sudo rm -rf $TMPDIR/del-target
+    - name: Check disk space after freeing up space
+      if: ${{ inputs.target-platform == 'macos' }}
+      run: df -h
+    - name: Set Chromium Git Cookie
+      uses: ./src/electron/.github/actions/set-chromium-cookie
+    - name: Install Build Tools
+      uses: ./src/electron/.github/actions/install-build-tools
+    - name: Enable windows toolchain
+      if: ${{ inputs.target-platform == 'win' }}
+      run: |
+        echo "ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=1" >> $GITHUB_ENV
+    - name: Generate DEPS Hash
+      run: |
+        node src/electron/script/generate-deps-hash.js
+        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
+        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
+        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
+    - name: Restore src cache via AZCopy
+      if: ${{ inputs.target-platform == 'macos' }}
+      uses: ./src/electron/.github/actions/restore-cache-azcopy
+      with:
+        target-platform: ${{ inputs.target-platform }}      
+    - name: Restore src cache via AKS
+      if: ${{ inputs.target-platform == 'linux' || inputs.target-platform == 'win' }}
+      uses: ./src/electron/.github/actions/restore-cache-aks
+      with:
+        target-platform: ${{ inputs.target-platform }}
+    - name: Run Electron Only Hooks
+      run: |
+        echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]" > tmpgclient
+        if [ "${{ inputs.target-platform }}" = "win" ]; then
+          echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False,'install_sysroot':False,'checkout_win':True},'managed':False}]" > tmpgclient
+          echo "target_os=['win']" >> tmpgclient
+        fi
+        e d gclient runhooks --gclientfile=tmpgclient
+
+        # Fix VS Toolchain
+        if [ "${{ inputs.target-platform }}" = "win" ]; then
+          rm -rf src/third_party/depot_tools/win_toolchain/vs_files
+          e d python3 src/build/vs_toolchain.py update --force
+        fi
+    - name: Regenerate DEPS Hash
+      run: |
+        (cd src/electron && git checkout .) && node src/electron/script/generate-deps-hash.js
+        echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
+    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
+      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
+    - name: Checkout Electron
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      with:
+        path: src/electron
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+    - name: Install Dependencies
+      uses: ./src/electron/.github/actions/install-dependencies
+    - name: Default GN gen
+      run: |
+        cd src/electron
+        git pack-refs
+    - name: Download Out Gen Artifacts
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
+      with:
+        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
+        path: ./src/out/${{ env.ELECTRON_OUT_DIR }}/gen
+    - name: Add Clang problem matcher
+      shell: bash
+      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
+    - name: Run Clang-Tidy
+      run: |
+        e init -f --root=$(pwd) --out=${ELECTRON_OUT_DIR} testing --target-cpu ${TARGET_ARCH}
+
+        export GN_EXTRA_ARGS="target_cpu=\"${TARGET_ARCH}\""
+        if [ "${{ inputs.target-platform }}" = "win" ]; then
+          export GN_EXTRA_ARGS="$GN_EXTRA_ARGS use_v8_context_snapshot=true target_os=\"win\""
+        fi
+
+        e build --only-gen
+
+        cd src/electron
+        node script/yarn.js lint:clang-tidy --jobs 8 --out-dir ../out/${ELECTRON_OUT_DIR}
+    - name: Remove Clang problem matcher
+      shell: bash
+      run: echo "::remove-matcher owner=clang::"
+    - name: Wait for active SSH sessions
+      if: always() && !cancelled()
+      shell: bash
+      run: |
+        while [ -f /var/.ssh-lock ]
+        do
+          sleep 60
+        done

.github/workflows/pipeline-segment-electron-gn-check.yml

@@ -48,7 +48,7 @@ jobs:
     container: ${{ fromJSON(inputs.check-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -115,7 +115,7 @@ jobs:
     - name: Add CHROMIUM_BUILDTOOLS_PATH to env
       run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-segment-electron-publish.yml

@@ -56,6 +56,11 @@ on:
         required: false
         type: boolean
         default: false
+      upload-out-gen-artifacts:
+        description: Whether to upload the src/gen artifacts
+        required: false
+        type: boolean
+        default: false
       enable-ssh:
         description: Enable SSH debugging
         required: false
@@ -102,7 +107,7 @@ jobs:
         run: |
           mkdir src
       - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           path: src/electron
           fetch-depth: 0
@@ -127,7 +132,7 @@ jobs:
         run: df -h
       - name: Setup Node.js/npm
         if: ${{ inputs.target-platform == 'macos' }}
-        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
         with:
           node-version: 22.21.x
           cache: yarn
@@ -172,7 +177,7 @@ jobs:
         if: ${{ inputs.target-platform == 'linux' }}
         uses: ./src/electron/.github/actions/restore-cache-aks
       - name: Checkout Electron
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           path: src/electron
           fetch-depth: 0
@@ -216,6 +221,7 @@ jobs:
           generate-symbols: ${{ inputs.generate-symbols }}
           upload-to-storage: ${{ inputs.upload-to-storage }}
           is-asan: ${{ inputs.is-asan }}
+          upload-out-gen-artifacts: ${{ inputs.upload-out-gen-artifacts }}
       - name: Set GN_EXTRA_ARGS for MAS Build
         if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
           inputs.target-variant == 'mas') }}

.github/workflows/pipeline-segment-electron-test.yml

@@ -72,7 +72,7 @@ jobs:
         cp $(which node) /mnt/runner-externals/node24/bin/
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
       with:
         node-version: 22.21.x
     - name: Add TCC permissions on macOS
@@ -119,7 +119,7 @@ jobs:
       if: ${{ inputs.target-platform == 'macos' }}
       run: sudo xcode-select --switch /Applications/Xcode_16.4.app
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -50,7 +50,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0
@@ -106,7 +106,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pull-request-labeled.yml

@@ -32,7 +32,7 @@ jobs:
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
@@ -44,3 +44,35 @@ jobs:
           project-number: 94
           field: Status
           field-value: ✅ Reviewed
+  pull-request-labeled-ai-pr:
+    name: ai-pr label added
+    if: github.event.label.name == 'ai-pr'
+    runs-on: ubuntu-latest
+    permissions: {}
+    steps:
+    - name: Generate GitHub App token
+      uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+      id: generate-token
+      with:
+        creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
+    - name: Create comment
+      uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
+      with:
+        actions: 'create-comment'
+        token: ${{ steps.generate-token.outputs.token }}
+        issue-number: ${{ github.event.pull_request.number }}
+        body: |
+          <!-- ai-pr -->
+
+          *AI PR Detected*
+
+          Hello @${{ github.event.pull_request.user.login }}. Due to the high amount of AI spam PRs we receive, if a PR is detected to be majority AI-generated without disclosure and untested, we will automatically close the PR.
+
+          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](http://contributing.md/) carefully before reopening. Thanks for your contribution.
+    - name: Close the pull request
+      env:
+        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
+        GH_REPO: electron/electron
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+      run: |
+        gh pr close "$PR_NUMBER"

.github/workflows/scorecards.yml

@@ -13,6 +13,7 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
+    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -22,7 +23,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
@@ -50,6 +51,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.29.5
+        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/stable-prep-items.yml

@@ -10,11 +10,12 @@ permissions: {}
 jobs:
   check-stable-prep-items:
     name: Check Stable Prep Items
+    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}

.github/workflows/stale.yml

@@ -9,11 +9,12 @@ permissions: {}
 
 jobs:
   stale:
+    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -33,11 +34,11 @@ jobs:
   pending-repro:
     runs-on: ubuntu-latest
     permissions: {}
-    if: ${{ always() }}
+    if: ${{ always() && github.repository == 'electron/electron' }}
     needs: stale
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
+        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/windows-publish.yml

@@ -22,6 +22,7 @@ permissions: {}
 
 jobs:
   checkout-windows:
+    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -40,7 +41,7 @@ jobs:
       build-image-sha: ${{ inputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         path: src/electron
         fetch-depth: 0

DEPS

@@ -4,7 +4,7 @@ vars = {
   'chromium_version':
     '146.0.7650.0',
   'node_version':
-    'v24.13.1',
+    'v24.13.0',
   'nan_version':
     '675cefebca42410733da8a454c8d9391fcebfbc2',
   'squirrel.mac_version':

docs/api/command-line-switches.md

@@ -370,6 +370,13 @@ Keep in mind that standalone switches can sometimes be split into individual fea
 
 Finally, you'll need to ensure that the version of Chromium in Electron matches the version of the browser you're using to cross-reference the switches.
 
+### Chromium features relevant to Electron apps
+
+* `AlwaysLogLOAFURL`: enables script attribution for
+  [`long-animation-frame`](https://developer.mozilla.org/en-US/docs/Web/API/Performance_API/Long_animation_frame_timing)
+  `PerformanceObserver` events for non-http(s), non-data, non-blob URLs (such as `file:` or custom
+  protocol URLs).
+
 [app]: app.md
 [append-switch]: command-line.md#commandlineappendswitchswitch-value
 [debugging-main-process]: ../tutorial/debugging-main-process.md

docs/api/menu.md

@@ -123,7 +123,7 @@ Appends the `menuItem` to the menu.
 
 - `id` string
 
-Returns `MenuItem | null` the item with the specified `id`
+Returns [`MenuItem | null`](menu-item.md) - the item with the specified `id`
 
 #### `menu.insert(pos, menuItem)`
 

docs/api/notification.md

@@ -30,6 +30,12 @@ The `Notification` class has the following static methods:
 
 Returns `boolean` - Whether or not desktop notifications are supported on the current system
 
+#### `Notification.getHistory()` _Windows_
+
+Returns `Notification[]` - the notification history, for all notifications sent by this app, from Action Center.
+
+See [`ToastNotificationHistory.GetHistory`](https://learn.microsoft.com/en-us/uwp/api/windows.ui.notifications.toastnotificationhistory.gethistory?view=winrt-26100#windows-ui-notifications-toastnotificationhistory-gethistory) for more information
+
 ### `new Notification([options])`
 
 * `options` Object (optional)

docs/api/shared-texture.md

@@ -21,7 +21,7 @@ Imports the shared texture from the given options.
 > [!NOTE]
 > This method is only available in the main process.
 
-Returns `SharedTextureImported` - The imported shared texture.
+Returns [`SharedTextureImported`](structures/shared-texture-imported.md) - The imported shared texture.
 
 ### `sharedTexture.sendSharedTexture(options, ...args)` _Experimental_
 

docs/api/structures/shared-texture-import-texture-info.md

@@ -5,6 +5,7 @@
   * `rgba` - 32bpp RGBA (byte-order), 1 plane.
   * `rgbaf16` - Half float RGBA, 1 plane.
   * `nv12` - 12bpp with Y plane followed by a 2x2 interleaved UV plane.
+  * `p010le` - 4:2:0 10-bit YUV (little-endian), Y plane followed by a 2x2 interleaved UV plane.
 * `colorSpace` [ColorSpace](color-space.md) (optional) - The color space of the texture.
 * `codedSize` [Size](size.md) - The full dimensions of the shared texture.
 * `visibleRect` [Rectangle](rectangle.md) (optional) - A subsection of [0, 0, codedSize.width, codedSize.height]. In common cases, it is the full section area.

docs/api/structures/web-preferences.md

@@ -94,6 +94,7 @@
     The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
     * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
     * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
+  * `deviceScaleFactor` number (optional) _Experimental_ - The device scale factor of the offscreen rendering output. If not set, will use primary display's scale factor as default.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
   the specified `preload` script in a separate JavaScript context. Defaults
   to `true`. The context that the `preload` script runs in will only have

docs/api/view.md

@@ -62,9 +62,17 @@ it becomes the topmost view.
 
 If the view passed as a parameter is not a child of this view, this method is a no-op.
 
-#### `view.setBounds(bounds)`
+#### `view.setBounds(bounds[, options])`
 
 * `bounds` [Rectangle](structures/rectangle.md) - New bounds of the View.
+* `options` Object (optional) - Options for setting the bounds.
+  * `animate` boolean | Object (optional) - If true, the bounds change will be animated. If an object is passed, it can contain the following properties:
+    * `duration` Integer (optional) - Duration of the animation in milliseconds. Default is `250`.
+    * `easing` string (optional) - Easing function for the animation. Default is `linear`.
+      * `linear`
+      * `ease-in`
+      * `ease-out`
+      * `ease-in-out`
 
 #### `view.getBounds()`
 

docs/breaking-changes.md

@@ -12,6 +12,16 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.
 
+## Planned Breaking API Changes (42.0)
+
+### Behavior Changed: Offscreen rendering will use `1.0` as default device scale factor.
+
+Previously, OSR used the primary display's device scale factor for rendering, which made the output frame size vary across users.
+Developers had to manually calculate the correct size using `screen.getPrimaryDisplay().scaleFactor`. We now provide an optional property
+`webPreferences.offscreen.deviceScaleFactor` to specify a custom value when creating an OSR window. At first, if the property is not set, it defaults
+to the primary display's scale factor (preserving the old behavior). Starting from Electron 42, the default will change to a constant value of `1.0`
+for more consistent output sizes.
+
 ## Planned Breaking API Changes (41.0)
 
 ### Behavior Changed: PDFs no longer create a separate WebContents

docs/tutorial/performance.md

@@ -60,7 +60,7 @@ at once, consider the [Chrome Tracing](https://www.chromium.org/developers/how-t
 ## Checklist: Performance recommendations
 
 Chances are that your app could be a little leaner, faster, and generally less
-resource-hungry if you attempt these steps.
+resource-hungry if you avoid the following common pitfalls.
 
 1. [Carelessly including modules](#1-carelessly-including-modules)
 2. [Loading and running code too soon](#2-loading-and-running-code-too-soon)

docs/tutorial/tutorial-5-packaging.md

@@ -44,11 +44,25 @@ have to worry about wiring them all together.
 You can install Electron Forge's CLI in your project's `devDependencies` and import your
 existing project with a handy conversion script.
 
-```sh npm2yarn
+<Tabs>
+  <TabItem value="npm" label="npm">
+
+```sh
 npm install --save-dev @electron-forge/cli
 npx electron-forge import
 ```
 
+  </TabItem>
+  <TabItem value="yarn" label="Yarn">
+
+```sh
+yarn add --dev @electron-forge/cli
+yarn electron-forge import
+```
+
+  </TabItem>
+</Tabs>
+
 Once the conversion script is done, Forge should have added a few scripts
 to your `package.json` file.
 

lib/browser/api/notification.ts

@@ -1,8 +1,10 @@
 const {
   Notification: ElectronNotification,
-  isSupported
+  isSupported,
+  getHistory
 } = process._linkedBinding('electron_browser_notification');
 
 ElectronNotification.isSupported = isSupported;
+ElectronNotification.getHistory = getHistory;
 
 export default ElectronNotification;

package.json

@@ -12,6 +12,7 @@
     "@electron/github-app-auth": "^3.2.0",
     "@electron/lint-roller": "^3.2.0",
     "@electron/typescript-definitions": "^9.1.5",
+    "@hurdlegroup/robotjs": "^0.12.3",
     "@octokit/rest": "^20.1.2",
     "@primer/octicons": "^10.0.0",
     "@types/minimist": "^1.2.5",

patches/chromium/.patches

@@ -143,5 +143,6 @@ fix_check_for_file_existence_before_setting_mtime.patch
 fix_linux_tray_id.patch
 expose_gtk_ui_platform_field.patch
 fix_os_crypt_async_cookie_encryption.patch
+patch_osr_control_screen_info.patch
 graphite_handle_out_of_order_recording_errors.patch
-cherry-pick-e045399a1ecb.patch
+loaf_add_feature_to_enable_sourceurl_for_all_protocols.patch

patches/chromium/cherry-pick-e045399a1ecb.patch

@@ -1,132 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
-Date: Thu, 12 Feb 2026 06:35:36 -0800
-Subject: Avoid stale iteration in CSSFontFeatureValuesMap
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-To avoid invalid iterator state, take a snapshot of the
-map when creating the iteration source. This addresses
-the immediate problem of iterating while modifying.
-
-Remaining work tracked in https://crbug.com/483936078
-
-Fixed: 483569511
-Change-Id: Ie29cfdf7ed94bbe189b44c842a5efce571bb2cee
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7566570
-Commit-Queue: Dominik Röttsches <drott@chromium.org>
-Reviewed-by: Anders Hartvoll Ruud <andruud@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1583927}
-
-diff --git a/third_party/blink/renderer/core/css/css_font_feature_values_map.cc b/third_party/blink/renderer/core/css/css_font_feature_values_map.cc
-index 0c5990799fbfdff5f1d1e04a9038a471217ad0d2..2ea27901e3ba503e7e1acc5dacf90dc60d52ac1a 100644
---- a/third_party/blink/renderer/core/css/css_font_feature_values_map.cc
-+++ b/third_party/blink/renderer/core/css/css_font_feature_values_map.cc
-@@ -13,16 +13,15 @@ class FontFeatureValuesMapIterationSource final
-     : public PairSyncIterable<CSSFontFeatureValuesMap>::IterationSource {
-  public:
-   FontFeatureValuesMapIterationSource(const CSSFontFeatureValuesMap& map,
--                                      const FontFeatureAliases* aliases)
--      : map_(map), aliases_(aliases), iterator_(aliases->begin()) {}
-+                                      const FontFeatureAliases aliases)
-+      : map_(map),
-+        aliases_(std::move(aliases)),
-+        iterator_(aliases_.begin()) {}
- 
-   bool FetchNextItem(ScriptState* script_state,
-                      String& map_key,
-                      Vector<uint32_t>& map_value) override {
--    if (!aliases_) {
--      return false;
--    }
--    if (iterator_ == aliases_->end()) {
-+    if (iterator_ == aliases_.end()) {
-       return false;
-     }
-     map_key = iterator_->key;
-@@ -37,9 +36,13 @@ class FontFeatureValuesMapIterationSource final
-   }
- 
-  private:
--  // Needs to be kept alive while we're iterating over it.
-   const Member<const CSSFontFeatureValuesMap> map_;
--  const FontFeatureAliases* aliases_;
-+  // Create a copy to keep the iterator from becoming invalid if there are
-+  // modifications to the aliases HashMap while iterating.
-+  // TODO(https://crbug.com/483936078): Implement live/stable iteration over
-+  // FontFeatureAliases by changing its storage type, avoiding taking a copy
-+  // here.
-+  const FontFeatureAliases aliases_;
-   FontFeatureAliases::const_iterator iterator_;
- };
- 
-@@ -49,8 +52,8 @@ uint32_t CSSFontFeatureValuesMap::size() const {
- 
- PairSyncIterable<CSSFontFeatureValuesMap>::IterationSource*
- CSSFontFeatureValuesMap::CreateIterationSource(ScriptState*) {
--  return MakeGarbageCollected<FontFeatureValuesMapIterationSource>(*this,
--                                                                   aliases_);
-+  return MakeGarbageCollected<FontFeatureValuesMapIterationSource>(
-+      *this, aliases_ ? *aliases_ : FontFeatureAliases());
- }
- 
- bool CSSFontFeatureValuesMap::GetMapEntry(ScriptState*,
-diff --git a/third_party/blink/web_tests/external/wpt/css/css-fonts/font_feature_values_map_iteration.html b/third_party/blink/web_tests/external/wpt/css/css-fonts/font_feature_values_map_iteration.html
-new file mode 100644
-index 0000000000000000000000000000000000000000..eac7198b0b4a58007cbcc77ad3e9357a1009117c
---- /dev/null
-+++ b/third_party/blink/web_tests/external/wpt/css/css-fonts/font_feature_values_map_iteration.html
-@@ -0,0 +1,52 @@
-+<!DOCTYPE html>
-+<html>
-+  <head>
-+    <title>CSSFontFeatureValuesMap Iteration and Modification</title>
-+    <link
-+      rel="help"
-+      href="https://drafts.csswg.org/css-fonts-4/#om-fontfeaturevalues"
-+    />
-+    <meta
-+      name="assert"
-+      content="Iteration while modifying CSSFontFeatureValuesMap does not crash."
-+    />
-+    <script type="text/javascript" src="/resources/testharness.js"></script>
-+    <script
-+      type="text/javascript"
-+      src="/resources/testharnessreport.js"
-+    ></script>
-+  </head>
-+  <body>
-+    <style>
-+      @font-feature-values TestFont {
-+        @styleset {
-+          a: 1;
-+          b: 2;
-+          c: 3;
-+        }
-+      }
-+    </style>
-+    <script>
-+      test(() => {
-+        const rule = document.styleSheets[0].cssRules[0];
-+        const map = rule.styleset;
-+        const iterator = map.entries();
-+        let count = 0;
-+
-+        while (count < 10) {
-+          const { value: entry, done } = iterator.next();
-+          if (done) break;
-+
-+          const [key, value] = entry;
-+
-+          map.delete(key);
-+          for (let i = 0; i < 100; i++) {
-+            map.set(`newkey_${count}_${i}`, i);
-+          }
-+
-+          count++;
-+        }
-+      }, "Iteration of the CSSFontFeatureValuesMap does not crash.");
-+    </script>
-+  </body>
-+</html>

patches/chromium/chore_add_electron_objects_to_wrappablepointertag.patch

@@ -8,20 +8,24 @@ electron objects that extend gin::Wrappable and gets
 allocated on the cpp heap
 
 diff --git a/gin/public/wrappable_pointer_tags.h b/gin/public/wrappable_pointer_tags.h
-index 573bcb2e56068a2ade6d8ab28964b077487874fd..42add73062b723b03fc15ddcce905e4d5061c384 100644
+index 573bcb2e56068a2ade6d8ab28964b077487874fd..acb0c0b44f6530e49b32ea7602c25d498ae4f210 100644
 --- a/gin/public/wrappable_pointer_tags.h
 +++ b/gin/public/wrappable_pointer_tags.h
-@@ -74,7 +74,15 @@ enum WrappablePointerTag : uint16_t {
+@@ -74,7 +74,19 @@ enum WrappablePointerTag : uint16_t {
    kTextInputControllerBindings,  // content::TextInputControllerBindings
    kWebAXObjectProxy,             // content::WebAXObjectProxy
    kWrappedExceptionHandler,      // extensions::WrappedExceptionHandler
 -  kLastPointerTag = kWrappedExceptionHandler,
 +  kElectronApp,                         // electron::api::App
++  kElectronDataPipeHolder,              // electron::api::DataPipeHolder
 +  kElectronDebugger,                    // electron::api::Debugger
 +  kElectronEvent,                       // gin_helper::internal::Event
 +  kElectronMenu,                        // electron::api::Menu
 +  kElectronNetLog,                      // electron::api::NetLog
++  kElectronPowerMonitor,                // electron::api::PowerMonitor
++  kElectronPowerSaveBlocker,            // electron::api::PowerSaveBlocker
 +  kElectronReplyChannel,                // gin_helper::internal::ReplyChannel
++  kElectronScreen,                      // electron::api::Screen
 +  kElectronSession,                     // electron::api::Session
 +  kElectronWebRequest,                  // electron::api::WebRequest
 +  kLastPointerTag = kElectronWebRequest,

patches/chromium/loaf_add_feature_to_enable_sourceurl_for_all_protocols.patch

@@ -0,0 +1,52 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Niklas Wenzel <dev@nikwen.de>
+Date: Wed, 4 Feb 2026 06:02:40 -0800
+Subject: LoAF: Add feature to enable sourceURL for all protocols
+
+Backports https://crrev.com/c/7510894 (minus the test changes).
+
+Can be removed when that CL is included via a Chromium roll.
+
+Change-Id: Id5e58a151b13cc0ac054f4ec237b038255d683fd
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7510894
+Commit-Queue: Noam Rosenthal <nrosenthal@google.com>
+Reviewed-by: Dave Tapuska <dtapuska@chromium.org>
+Reviewed-by: Noam Rosenthal <nrosenthal@google.com>
+Cr-Commit-Position: refs/heads/main@{#1579397}
+
+diff --git a/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.cc b/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.cc
+index 24e58da8eaa9319e2bb626c69d5ad23de720e108..0ffea9dafe3e3dffcbaf9031082aa88dccb46267 100644
+--- a/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.cc
++++ b/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.cc
+@@ -516,8 +516,15 @@ void AnimationFrameTimingMonitor::Trace(Visitor* visitor) const {
+   visitor->Trace(frame_handling_input_);
+ }
+ 
++BASE_FEATURE(kAlwaysLogLOAFURL, base::FEATURE_DISABLED_BY_DEFAULT);
++
+ namespace {
++
+ bool ShouldAllowScriptURL(const String& url) {
++  if (base::FeatureList::IsEnabled(kAlwaysLogLOAFURL)) {
++    return true;
++  }
++
+   KURL kurl(url);
+   return kurl.ProtocolIsData() || kurl.ProtocolIsInHTTPFamily() ||
+          kurl.ProtocolIs("blob") || kurl.IsEmpty();
+diff --git a/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.h b/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.h
+index f2fe39be2db525d89fcd9787c2ae9285babab26d..c395cf39d404f6c4f6f6e23c9fb8dfe92151a7d2 100644
+--- a/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.h
++++ b/third_party/blink/renderer/core/frame/animation_frame_timing_monitor.h
+@@ -22,6 +22,11 @@ class TimeTicks;
+ 
+ namespace blink {
+ 
++// When enabled, long-animation-frame events will always include the sourceURL,
++// regardless of protocol. This is useful during development when using `file:`
++// URLs or custom protocols defined by embedders.
++CORE_EXPORT BASE_DECLARE_FEATURE(kAlwaysLogLOAFURL);
++
+ class LocalFrame;
+ 
+ // Monitors long-animation-frame timing (LoAF).

patches/chromium/patch_osr_control_screen_info.patch

@@ -0,0 +1,22 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: reito <reito@chromium.org>
+Date: Wed, 29 Oct 2025 00:50:03 +0800
+Subject: patch: osr control screen info
+
+We need to override GetNewScreenInfosForUpdate to ensure the screen info
+is updated correctly, instead of overriding GetScreenInfo which seems not
+working.
+
+diff --git a/content/browser/renderer_host/render_widget_host_view_base.h b/content/browser/renderer_host/render_widget_host_view_base.h
+index 1a18bdda39f76cfae36adc0ffde136e788a98262..1062bada30908399f5429b51031e245f4d010f84 100644
+--- a/content/browser/renderer_host/render_widget_host_view_base.h
++++ b/content/browser/renderer_host/render_widget_host_view_base.h
+@@ -680,7 +680,7 @@ class CONTENT_EXPORT RenderWidgetHostViewBase
+ 
+   // Generates the most current set of ScreenInfos from the current set of
+   // displays in the system for use in UpdateScreenInfo.
+-  display::ScreenInfos GetNewScreenInfosForUpdate();
++  virtual display::ScreenInfos GetNewScreenInfosForUpdate();
+ 
+   // Called when display properties that need to be synchronized with the
+   // renderer process changes. This method is called before notifying

patches/node/.patches

@@ -28,6 +28,7 @@ fix_adjust_wpt_and_webidl_tests_for_enabled_float16array.patch
 refactor_attach_cppgc_heap_on_v8_isolate_creation.patch
 fix_cppgc_initializing_twice.patch
 fix_expose_readfilesync_override_for_modules.patch
+fix_array_out-of-bounds_read_in_boyer-moore_search.patch
 test_accomodate_v8_thenable_stack_trace_change_in_snapshot.patch
 chore_exclude_electron_node_folder_from_exit-time-destructors.patch
 api_remove_deprecated_getisolate.patch
@@ -39,9 +40,10 @@ api_delete_deprecated_fields_on_v8_isolate.patch
 api_promote_deprecation_of_v8_context_and_v8_object_api_methods.patch
 fix_ensure_traverseparent_bails_on_resource_path_exit.patch
 reland_temporal_unflag_temporal.patch
+src_handle_der_decoding_errors_from_system_certificates.patch
 fix_suppress_nodiscard_warning_for_copy_options_operator.patch
+test_make_buffer_sizes_32bit-aware_in.patch
 src_refactor_module_wrap_cc_to_update_fixedarray_get_params.patch
 src_refactor_wasmstreaming_finish_to_accept_a_callback.patch
 src_stop_using_v8_propertycallbackinfo_t_this.patch
 build_restore_macos_deployment_target_to_12_0.patch
-fix_generate_config_gypi_needs_to_generate_valid_json.patch

patches/node/api_delete_deprecated_fields_on_v8_isolate.patch

@@ -6,10 +6,10 @@ Subject: Delete deprecated fields on v8::Isolate
 https://chromium-review.googlesource.com/c/v8/v8/+/7081397
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index cb1e4e6176e7385f8bc2bc9510761d3fc9c3182d..730254bfc16eceb7394f5aa766b648da4b96511f 100644
+index cfc9b3157d08d62f43e2e5bb01229fe663f3ca61..cce0e1cdc37aa324aa2c52ba134fc1a9a55b10ba 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -226,8 +226,6 @@ void SetIsolateCreateParamsForNode(Isolate::CreateParams* params) {
+@@ -218,8 +218,6 @@ void SetIsolateCreateParamsForNode(Isolate::CreateParams* params) {
      // heap based on the actual physical memory.
      params->constraints.ConfigureDefaults(total_memory, 0);
    }

patches/node/api_promote_deprecation_of_v8_context_and_v8_object_api_methods.patch

@@ -44,10 +44,10 @@ index 37d83e41b618a07aca98118260abe9618f11256d..26d5c1bd3c8191fce1d22b969996b6bf
  
  template <typename T>
 diff --git a/src/env-inl.h b/src/env-inl.h
-index 777335321fc9037d91d88fb5852bbf5b05f50d0a..3dceb8b5448fd4971245f7408db4cae103f0a347 100644
+index 97c43afb487b58c0c77bd59b4a6b6d7a13690053..23a4d7b651935a4029249fb2f1dd3ed46ea3b26f 100644
 --- a/src/env-inl.h
 +++ b/src/env-inl.h
-@@ -199,7 +199,8 @@ inline Environment* Environment::GetCurrent(v8::Local<v8::Context> context) {
+@@ -189,7 +189,8 @@ inline Environment* Environment::GetCurrent(v8::Local<v8::Context> context) {
    }
    return static_cast<Environment*>(
        context->GetAlignedPointerFromEmbedderData(
@@ -104,10 +104,10 @@ index cb13d84388bcc6806d3b038a51e1cc2d1feccda1..687b2cf3e63b2a3306e2cbac67e3e216
      MakeWeak();
    }
 diff --git a/src/node_realm-inl.h b/src/node_realm-inl.h
-index 0af487a9abc9ee1783367ac86b0016ab89e02006..c01cef477aaba52f9894943acede7fb22ed17dcb 100644
+index f162d1506c990a5fe578be6f1324427e3f9023f4..b57bb0b42e98b954c0c8662c667e589d6c68a5d3 100644
 --- a/src/node_realm-inl.h
 +++ b/src/node_realm-inl.h
-@@ -22,7 +22,8 @@ inline Realm* Realm::GetCurrent(v8::Local<v8::Context> context) {
+@@ -21,7 +21,8 @@ inline Realm* Realm::GetCurrent(v8::Local<v8::Context> context) {
      return nullptr;
    }
    return static_cast<Realm*>(

patches/node/api_remove_deprecated_getisolate.patch

@@ -6,10 +6,10 @@ Subject: Remove deprecated `GetIsolate`
 https://chromium-review.googlesource.com/c/v8/v8/+/6905244
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3fc9c3182d 100644
+index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe663f3ca61 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -682,7 +682,7 @@ std::unique_ptr<MultiIsolatePlatform> MultiIsolatePlatform::Create(
+@@ -668,7 +668,7 @@ std::unique_ptr<MultiIsolatePlatform> MultiIsolatePlatform::Create(
  
  MaybeLocal<Object> GetPerContextExports(Local<Context> context,
                                          IsolateData* isolate_data) {
@@ -18,7 +18,7 @@ index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3f
    EscapableHandleScope handle_scope(isolate);
  
    Local<Object> global = context->Global();
-@@ -728,7 +728,7 @@ void ProtoThrower(const FunctionCallbackInfo<Value>& info) {
+@@ -714,7 +714,7 @@ void ProtoThrower(const FunctionCallbackInfo<Value>& info) {
  // This runs at runtime, regardless of whether the context
  // is created from a snapshot.
  Maybe<void> InitializeContextRuntime(Local<Context> context) {
@@ -27,7 +27,7 @@ index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3f
    HandleScope handle_scope(isolate);
  
    // When `IsCodeGenerationFromStringsAllowed` is true, V8 takes the fast path
-@@ -807,7 +807,7 @@ Maybe<void> InitializeContextRuntime(Local<Context> context) {
+@@ -793,7 +793,7 @@ Maybe<void> InitializeContextRuntime(Local<Context> context) {
  }
  
  Maybe<void> InitializeBaseContextForSnapshot(Local<Context> context) {
@@ -36,7 +36,7 @@ index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3f
    HandleScope handle_scope(isolate);
  
    // Delete `Intl.v8BreakIterator`
-@@ -832,7 +832,7 @@ Maybe<void> InitializeBaseContextForSnapshot(Local<Context> context) {
+@@ -818,7 +818,7 @@ Maybe<void> InitializeBaseContextForSnapshot(Local<Context> context) {
  }
  
  Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
@@ -45,7 +45,7 @@ index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3f
    HandleScope handle_scope(isolate);
  
    // Initialize the default values.
-@@ -850,7 +850,7 @@ Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
+@@ -836,7 +836,7 @@ Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
  MaybeLocal<Object> InitializePrivateSymbols(Local<Context> context,
                                              IsolateData* isolate_data) {
    CHECK(isolate_data);
@@ -54,7 +54,7 @@ index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3f
    EscapableHandleScope scope(isolate);
    Context::Scope context_scope(context);
  
-@@ -874,7 +874,7 @@ MaybeLocal<Object> InitializePrivateSymbols(Local<Context> context,
+@@ -860,7 +860,7 @@ MaybeLocal<Object> InitializePrivateSymbols(Local<Context> context,
  MaybeLocal<Object> InitializePerIsolateSymbols(Local<Context> context,
                                                 IsolateData* isolate_data) {
    CHECK(isolate_data);
@@ -63,7 +63,7 @@ index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3f
    EscapableHandleScope scope(isolate);
    Context::Scope context_scope(context);
  
-@@ -900,7 +900,7 @@ MaybeLocal<Object> InitializePerIsolateSymbols(Local<Context> context,
+@@ -886,7 +886,7 @@ MaybeLocal<Object> InitializePerIsolateSymbols(Local<Context> context,
  Maybe<void> InitializePrimordials(Local<Context> context,
                                    IsolateData* isolate_data) {
    // Run per-context JS files.
@@ -85,10 +85,10 @@ index cc60ddddb037e0279615bbe24821eb20fd8da677..37d83e41b618a07aca98118260abe961
  
    return handle;
 diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
-index 2e3f31e1765024373c3fc2acd33fc3bfb352a906..ca62d3001bf51193d78caac0cccd93c188a8410c 100644
+index f3631d538a38dc3a93a47707ea8dab0462fa2140..12ad6e6ddbda2cc679e733f7a9c6b9e4cf9623dd 100644
 --- a/src/crypto/crypto_context.cc
 +++ b/src/crypto/crypto_context.cc
-@@ -1045,7 +1045,7 @@ bool ArrayOfStringsToX509s(Local<Context> context,
+@@ -1022,7 +1022,7 @@ bool ArrayOfStringsToX509s(Local<Context> context,
                             Local<Array> cert_array,
                             std::vector<X509*>* certs) {
    ClearErrorOnReturn clear_error_on_return;
@@ -120,10 +120,10 @@ index 4c5427596d1c90d3a413cdd9ff4f1151e657073d..70135a6be65e41fcb3564ddf6d1e8083
                             NewStringType::kNormal,
                             mem->length)
 diff --git a/src/encoding_binding.cc b/src/encoding_binding.cc
-index a913e34c73db3fb62aedcf28bee1bf1c4d59de7a..9de38eb9907269e99fdf0907aa35862572a2c643 100644
+index 266f640fb1c6503a424e77cc41fc15bc658bb6a5..877ae8a18f6b8f2c7e3474dfba060d99db88e6b9 100644
 --- a/src/encoding_binding.cc
 +++ b/src/encoding_binding.cc
-@@ -75,7 +75,7 @@ void BindingData::Deserialize(Local<Context> context,
+@@ -76,7 +76,7 @@ void BindingData::Deserialize(Local<Context> context,
                                int index,
                                InternalFieldInfoBase* info) {
    DCHECK_IS_SNAPSHOT_SLOT(index);
@@ -388,10 +388,10 @@ index d278a32c9934c15bc721da164efccca7bc7e7111..ab862bf93a411e6ae6da7c9f9706cee2
    BlobBindingData* binding = realm->AddBindingData<BlobBindingData>(holder);
    CHECK_NOT_NULL(binding);
 diff --git a/src/node_builtins.cc b/src/node_builtins.cc
-index 703ac1be06249736073f797058d170576a0db1bf..f0607ec9fd1983386166d0f4782adac99ace943e 100644
+index e69eb280050cae0c0f394b2f956eef947e628904..9bb4576fcf4f07550e7d6f4ff2310cedc8093c5f 100644
 --- a/src/node_builtins.cc
 +++ b/src/node_builtins.cc
-@@ -275,7 +275,7 @@ MaybeLocal<Function> BuiltinLoader::LookupAndCompileInternal(
+@@ -274,7 +274,7 @@ MaybeLocal<Function> BuiltinLoader::LookupAndCompileInternal(
      const char* id,
      LocalVector<String>* parameters,
      Realm* optional_realm) {
@@ -400,7 +400,7 @@ index 703ac1be06249736073f797058d170576a0db1bf..f0607ec9fd1983386166d0f4782adac9
    EscapableHandleScope scope(isolate);
  
    Local<String> source;
-@@ -397,7 +397,7 @@ void BuiltinLoader::SaveCodeCache(const char* id, Local<Function> fun) {
+@@ -396,7 +396,7 @@ void BuiltinLoader::SaveCodeCache(const char* id, Local<Function> fun) {
  MaybeLocal<Function> BuiltinLoader::LookupAndCompile(Local<Context> context,
                                                       const char* id,
                                                       Realm* optional_realm) {
@@ -409,7 +409,7 @@ index 703ac1be06249736073f797058d170576a0db1bf..f0607ec9fd1983386166d0f4782adac9
    LocalVector<String> parameters(isolate);
    // Detects parameters of the scripts based on module ids.
    // internal/bootstrap/realm: process, getLinkedBinding,
-@@ -451,7 +451,7 @@ MaybeLocal<Function> BuiltinLoader::LookupAndCompile(Local<Context> context,
+@@ -450,7 +450,7 @@ MaybeLocal<Function> BuiltinLoader::LookupAndCompile(Local<Context> context,
  MaybeLocal<Value> BuiltinLoader::CompileAndCall(Local<Context> context,
                                                  const char* id,
                                                  Realm* realm) {
@@ -418,7 +418,7 @@ index 703ac1be06249736073f797058d170576a0db1bf..f0607ec9fd1983386166d0f4782adac9
    // Detects parameters of the scripts based on module ids.
    // internal/bootstrap/realm: process, getLinkedBinding,
    //                           getInternalBinding, primordials
-@@ -507,7 +507,7 @@ MaybeLocal<Value> BuiltinLoader::CompileAndCall(Local<Context> context,
+@@ -506,7 +506,7 @@ MaybeLocal<Value> BuiltinLoader::CompileAndCall(Local<Context> context,
    if (!maybe_fn.ToLocal(&fn)) {
      return MaybeLocal<Value>();
    }
@@ -427,7 +427,7 @@ index 703ac1be06249736073f797058d170576a0db1bf..f0607ec9fd1983386166d0f4782adac9
    return fn->Call(context, undefined, argc, argv);
  }
  
-@@ -545,14 +545,14 @@ bool BuiltinLoader::CompileAllBuiltinsAndCopyCodeCache(
+@@ -544,14 +544,14 @@ bool BuiltinLoader::CompileAllBuiltinsAndCopyCodeCache(
        to_eager_compile_.emplace(id);
      }
  
@@ -533,10 +533,10 @@ index 55a0c986c5b6989ee9ce277bb6a9778abb2ad2ee..809d88f21e5572807e38132d40ee7587
    READONLY_PROPERTY(target, "exitCodes", exit_codes);
  
 diff --git a/src/node_file.cc b/src/node_file.cc
-index ba6ffc2b6565dea500bc8dd4818c8fcb7648694a..e834325a763f7ea8f53210145b5edd134d6b67e6 100644
+index 7dfb7a486040e0188eb53ee7a65f91a99e713a3a..c364f2a4f6dd6ec066b00f364108383154be12ec 100644
 --- a/src/node_file.cc
 +++ b/src/node_file.cc
-@@ -3843,7 +3843,7 @@ void BindingData::Deserialize(Local<Context> context,
+@@ -3834,7 +3834,7 @@ void BindingData::Deserialize(Local<Context> context,
                                int index,
                                InternalFieldInfoBase* info) {
    DCHECK_IS_SNAPSHOT_SLOT(index);
@@ -586,7 +586,7 @@ index 57e068ae249d618c2658638f9f3b03e1fedb6524..8c51ae4e0a435971c6d0288af8781087
    data_.Reset();
    return ret;
 diff --git a/src/node_modules.cc b/src/node_modules.cc
-index cecdda74847801fd5821bc0afdf0dfc9f131c44a..04ebecc5d924f6c2fddd9992462d1ff692e1cee5 100644
+index d3907c3d063c7757cdd7ef99ed09bea1eb58a3fd..df9925404e77ec61900f89a5241c86a599e548c5 100644
 --- a/src/node_modules.cc
 +++ b/src/node_modules.cc
 @@ -70,7 +70,7 @@ void BindingData::Deserialize(v8::Local<v8::Context> context,
@@ -598,7 +598,7 @@ index cecdda74847801fd5821bc0afdf0dfc9f131c44a..04ebecc5d924f6c2fddd9992462d1ff6
    Realm* realm = Realm::GetCurrent(context);
    BindingData* binding = realm->AddBindingData<BindingData>(holder);
    CHECK_NOT_NULL(binding);
-@@ -750,7 +750,7 @@ void BindingData::CreatePerContextProperties(Local<Object> target,
+@@ -709,7 +709,7 @@ void BindingData::CreatePerContextProperties(Local<Object> target,
    Realm* realm = Realm::GetCurrent(context);
    realm->AddBindingData<BindingData>(target);
  
@@ -608,10 +608,10 @@ index cecdda74847801fd5821bc0afdf0dfc9f131c44a..04ebecc5d924f6c2fddd9992462d1ff6
  
  #define V(status)                                                              \
 diff --git a/src/node_process_methods.cc b/src/node_process_methods.cc
-index 4a258e5f140994536386492059d64c9cf94ea0a6..67278974199db46fed85b443e7cdd30accd7687f 100644
+index e453bacc3e5247493a3582c24174bfe6e590825d..fe4aad63bc877be105830a80aa6be10ce3f8fda4 100644
 --- a/src/node_process_methods.cc
 +++ b/src/node_process_methods.cc
-@@ -745,7 +745,7 @@ void BindingData::Deserialize(Local<Context> context,
+@@ -737,7 +737,7 @@ void BindingData::Deserialize(Local<Context> context,
                                int index,
                                InternalFieldInfoBase* info) {
    DCHECK_IS_SNAPSHOT_SLOT(index);
@@ -621,7 +621,7 @@ index 4a258e5f140994536386492059d64c9cf94ea0a6..67278974199db46fed85b443e7cdd30a
    // Recreate the buffer in the constructor.
    InternalFieldInfo* casted_info = static_cast<InternalFieldInfo*>(info);
 diff --git a/src/node_realm.cc b/src/node_realm.cc
-index 6d2e4eb641a8ffaacf4aebd3522008a285387a30..47bd7d9f19077ac7a558c73db5f51bdf8da291e7 100644
+index 2a5fe9fe501d1fd9356eeb7d044a872fa5a55f38..39f6f142044c42904d234da20a266315346c135a 100644
 --- a/src/node_realm.cc
 +++ b/src/node_realm.cc
 @@ -22,7 +22,7 @@ using v8::String;
@@ -660,7 +660,7 @@ index c2e24b4645e7903e08c80aead1c18c7bcff1bd89..e34d24d51d5c090b560d06f727043f20
    // Recreate the buffer in the constructor.
    InternalFieldInfo* casted_info = static_cast<InternalFieldInfo*>(info);
 diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
-index 6bfc54dd81446545ebbb0faedb55a5383b81de49..2e52fb801684feb22800d4809daab006fc7cae9c 100644
+index 955b76cbc71d0cd3a1cc01c3c0dea0536a792dc0..0b111ce1fb1d59cad019ba13bbfc513f157d3f06 100644
 --- a/src/node_sqlite.cc
 +++ b/src/node_sqlite.cc
 @@ -2061,7 +2061,7 @@ bool StatementSync::BindParams(const FunctionCallbackInfo<Value>& args) {
@@ -736,7 +736,7 @@ index 370221d3cddc201180260ecb3a222bc831c91093..f5aff2f65fe6b9f48cf970ab3e7c57cf
      THROW_ERR_WASI_NOT_STARTED(isolate);
      return EinvalError<R>();
 diff --git a/src/node_webstorage.cc b/src/node_webstorage.cc
-index 5c7d268d38ff55ce4db07463b1ea0bcb2f4e63ea..bd83654012442195866e57173b6e5d4d25fecf0f 100644
+index cc90af827a3fbd14fb4cbfbfd39cc661f22cf6e1..5819d9bca845e0eed6d4d93564469d8f3c36200b 100644
 --- a/src/node_webstorage.cc
 +++ b/src/node_webstorage.cc
 @@ -57,7 +57,7 @@ using v8::Value;
@@ -748,7 +748,7 @@ index 5c7d268d38ff55ce4db07463b1ea0bcb2f4e63ea..bd83654012442195866e57173b6e5d4d
    auto dom_exception_str = FIXED_ONE_BYTE_STRING(isolate, "DOMException");
    auto err_name = FIXED_ONE_BYTE_STRING(isolate, "QuotaExceededError");
    auto err_message =
-@@ -437,7 +437,7 @@ Maybe<void> Storage::Store(Local<Name> key, Local<Value> value) {
+@@ -433,7 +433,7 @@ Maybe<void> Storage::Store(Local<Name> key, Local<Value> value) {
  }
  
  static MaybeLocal<String> Uint32ToName(Local<Context> context, uint32_t index) {
@@ -758,10 +758,10 @@ index 5c7d268d38ff55ce4db07463b1ea0bcb2f4e63ea..bd83654012442195866e57173b6e5d4d
  
  static void Clear(const FunctionCallbackInfo<Value>& info) {
 diff --git a/src/node_worker.cc b/src/node_worker.cc
-index e7d26b4c8cbb08a175084ceac51395860dc60598..fa4ec53ee556a23c8fd018caa1eee51bc5e004fe 100644
+index 62c53368d1173edb7eb42e3337049c46fd7cdda9..7d08d8af7f6d99f7bd41cb7eb91063c630b3f87b 100644
 --- a/src/node_worker.cc
 +++ b/src/node_worker.cc
-@@ -1465,8 +1465,6 @@ void GetEnvMessagePort(const FunctionCallbackInfo<Value>& args) {
+@@ -1466,8 +1466,6 @@ void GetEnvMessagePort(const FunctionCallbackInfo<Value>& args) {
    Local<Object> port = env->message_port();
    CHECK_IMPLIES(!env->is_main_thread(), !port.IsEmpty());
    if (!port.IsEmpty()) {

patches/node/build_add_gn_build_files.patch

@@ -11,7 +11,7 @@ really in 20/21. We have to wait until 22 is released to be able to
 build with upstream GN files.
 
 diff --git a/configure.py b/configure.py
-index f31d460038db2fa2fa4c47d62be3100da959978f..209f23b04663113e4f6b3c3242c0544cfed9a950 100755
+index 750ddc8ace6cad894e738f6e1d983b5906acc10f..e063f9131d4d547d231811dafea03c8c52b611e6 100755
 --- a/configure.py
 +++ b/configure.py
 @@ -1736,7 +1736,7 @@ def configure_v8(o, configs):
@@ -68,10 +68,10 @@ index d4438f7fd61598afac2c1e3184721a759d22b10c..e2407027ab05e59b2f0f1c213b98ea46
  
  assert(!node_enable_inspector || node_use_openssl,
 diff --git a/src/node_builtins.cc b/src/node_builtins.cc
-index 7b34b14856a5193c723987f69d6040bdb6aa7c34..90fdf52d79954bf2cd86fd1d2d6da8199683d344 100644
+index 581b9886ded52f294b7cc6b080b2269b7617c85e..e43e2559aaf48add88aad342b1c96fd34f26c87f 100644
 --- a/src/node_builtins.cc
 +++ b/src/node_builtins.cc
-@@ -775,6 +775,7 @@ void BuiltinLoader::RegisterExternalReferences(
+@@ -774,6 +774,7 @@ void BuiltinLoader::RegisterExternalReferences(
    registry->Register(GetNatives);
  
    RegisterExternalReferencesForInternalizedBuiltinCode(registry);
@@ -95,7 +95,7 @@ index 7a7b84337feb67960819472e43192dbdc151e299..bcdd50f635757f41287c87df1db9cd3b
 diff --git a/tools/js2c.cc b/tools/js2c.cc
 old mode 100644
 new mode 100755
-index 9c2f70de4e00834ff448e573743898072dc14c5d..71a12c606f4da7165cc41a295a278b2e504af1b6
+index 21992cbe894a880e3223c379326b62db22f2f12d..1296a5457422099035ba34f2b02624f2e9dfb0f0
 --- a/tools/js2c.cc
 +++ b/tools/js2c.cc
 @@ -28,6 +28,7 @@ namespace js2c {
@@ -190,7 +190,7 @@ index 9c2f70de4e00834ff448e573743898072dc14c5d..71a12c606f4da7165cc41a295a278b2e
                     static_cast<int>(def_buf.size()),
                     def_buf.data(),
                     static_cast<int>(init_buf.size()),
-@@ -836,12 +880,15 @@ int JS2C(const FileList& js_files,
+@@ -846,12 +890,15 @@ int JS2C(const FileList& js_files,
      }
    }
  
@@ -206,7 +206,7 @@ index 9c2f70de4e00834ff448e573743898072dc14c5d..71a12c606f4da7165cc41a295a278b2e
    Fragment out = Format(definitions, initializers, registrations);
    return WriteIfChanged(out, dest);
  }
-@@ -867,6 +914,8 @@ int Main(int argc, char* argv[]) {
+@@ -877,6 +924,8 @@ int Main(int argc, char* argv[]) {
      std::string arg(argv[i]);
      if (arg == "--verbose") {
        is_verbose = true;
@@ -215,7 +215,7 @@ index 9c2f70de4e00834ff448e573743898072dc14c5d..71a12c606f4da7165cc41a295a278b2e
      } else if (arg == "--root") {
        if (i == argc - 1) {
          fprintf(stderr, "--root must be followed by a path\n");
-@@ -915,6 +964,14 @@ int Main(int argc, char* argv[]) {
+@@ -925,6 +974,14 @@ int Main(int argc, char* argv[]) {
      }
    }
  
@@ -230,7 +230,7 @@ index 9c2f70de4e00834ff448e573743898072dc14c5d..71a12c606f4da7165cc41a295a278b2e
    // Should have exactly 3 types: `.js`, `.mjs` and `.gypi`.
    assert(file_map.size() == 3);
    auto gypi_it = file_map.find(".gypi");
-@@ -941,6 +998,7 @@ int Main(int argc, char* argv[]) {
+@@ -951,6 +1008,7 @@ int Main(int argc, char* argv[]) {
    std::sort(mjs_it->second.begin(), mjs_it->second.end());
  
    return JS2C(js_it->second, mjs_it->second, gypi_it->second[0], output);

patches/node/build_enable_perfetto.patch

@@ -64,7 +64,7 @@ index e664663348adc7bb31f7c9ec78481bbeb71401d9..62b659beb766b8256b214447af376f43
  
  function ipToInt(ip) {
 diff --git a/node.gyp b/node.gyp
-index c035d1d7cdac1d18cca0ef5cefbc5ce4c1fd1b86..a48e4e5d1fb7621b12b9abeaaf78214515a23efc 100644
+index c3917f805464669c709bef83b9982ef95d0fbaa1..56e11cde31897260bf41db3f32f5c6d6fbd6d5bf 100644
 --- a/node.gyp
 +++ b/node.gyp
 @@ -176,7 +176,6 @@

patches/node/build_ensure_native_module_compilation_fails_if_not_using_a_new.patch

@@ -7,7 +7,7 @@ Subject: build: ensure native module compilation fails if not using a new
 This should not be upstreamed, it is a quality-of-life patch for downstream module builders.
 
 diff --git a/common.gypi b/common.gypi
-index cf3ceaf19972ee107deff63b4dba16c12191c615..6159350823fd9f0090e2b98e8797e829fd481750 100644
+index 8280cff0d93d42a95875b78de84221aa1bcae092..76a03b9a5458f4afc0ab5768c8a2e90633749fe9 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -89,6 +89,8 @@
@@ -42,7 +42,7 @@ index cf3ceaf19972ee107deff63b4dba16c12191c615..6159350823fd9f0090e2b98e8797e829
        # list in v8/BUILD.gn.
        ['v8_enable_v8_checks == 1', {
 diff --git a/configure.py b/configure.py
-index 209f23b04663113e4f6b3c3242c0544cfed9a950..88164b99ae3d37f47e5e9a9ba96d7b450d6ba4ab 100755
+index e063f9131d4d547d231811dafea03c8c52b611e6..a5c764d9e7fb0ffa219202015ec67ed6d3e14c04 100755
 --- a/configure.py
 +++ b/configure.py
 @@ -1717,6 +1717,7 @@ def configure_library(lib, output, pkgname=None):

patches/node/build_modify_js2c_py_to_allow_injection_of_original-fs_and_custom_embedder_js.patch

@@ -34,7 +34,7 @@ index 605dee28cace56f2366fec9d7f18894559044ae4..15dcabb3b1682438eb6d5a681363b7ea
  let kResistStopPropagation;
  
 diff --git a/src/node_builtins.cc b/src/node_builtins.cc
-index 90fdf52d79954bf2cd86fd1d2d6da8199683d344..703ac1be06249736073f797058d170576a0db1bf 100644
+index e43e2559aaf48add88aad342b1c96fd34f26c87f..e69eb280050cae0c0f394b2f956eef947e628904 100644
 --- a/src/node_builtins.cc
 +++ b/src/node_builtins.cc
 @@ -39,6 +39,7 @@ using v8::Value;

patches/node/build_restore_clang_as_default_compiler_on_macos.patch

@@ -11,7 +11,7 @@ node-gyp will use the result of `process.config` that reflects the environment
 in which the binary got built.
 
 diff --git a/common.gypi b/common.gypi
-index 6159350823fd9f0090e2b98e8797e829fd481750..5f47ec9bb405f6c1574304ac68807929604cd402 100644
+index 76a03b9a5458f4afc0ab5768c8a2e90633749fe9..bdadbdaa607b2f668749fc484271de8d126bbd17 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -128,6 +128,7 @@

patches/node/build_restore_macos_deployment_target_to_12_0.patch

@@ -10,7 +10,7 @@ M151, and so we should allow for building until then.
 This patch can be removed at the M151 branch point.
 
 diff --git a/common.gypi b/common.gypi
-index 5f47ec9bb405f6c1574304ac68807929604cd402..914f28b41d05b1485874885570ae5adaabd8e1b2 100644
+index bdadbdaa607b2f668749fc484271de8d126bbd17..8df2802191b7fe6ae14edbd85cb3a5d16eb5a76a 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -677,7 +677,7 @@

patches/node/chore_disable_deprecation_ftbfs_in_simdjson_header.patch

@@ -14,10 +14,10 @@ and
 This patch can be removed once this is fixed upstream in simdjson.
 
 diff --git a/deps/simdjson/simdjson.h b/deps/simdjson/simdjson.h
-index 1d6560e80fab0458b22f0ac2437056bce4873e8f..c3dbe2b6fc08c36a07ced5e29a814f7bcd85b748 100644
+index 35ff2626f26735495e308381782e5f1d9b8a629e..b4aa4bce33d62c579beee745712d24d9ebd5e0c2 100644
 --- a/deps/simdjson/simdjson.h
 +++ b/deps/simdjson/simdjson.h
-@@ -4215,12 +4215,17 @@ inline std::ostream& operator<<(std::ostream& out, simdjson_result<padded_string
+@@ -4179,12 +4179,17 @@ inline std::ostream& operator<<(std::ostream& out, simdjson_result<padded_string
  
  } // namespace simdjson
  
@@ -35,7 +35,7 @@ index 1d6560e80fab0458b22f0ac2437056bce4873e8f..c3dbe2b6fc08c36a07ced5e29a814f7b
  namespace simdjson {
  namespace internal {
  
-@@ -4729,6 +4734,9 @@ inline simdjson_result<padded_string> padded_string::load(std::wstring_view file
+@@ -4636,6 +4641,9 @@ inline simdjson_result<padded_string> padded_string::load(std::string_view filen
  
  } // namespace simdjson
  
@@ -45,8 +45,8 @@ index 1d6560e80fab0458b22f0ac2437056bce4873e8f..c3dbe2b6fc08c36a07ced5e29a814f7b
  inline simdjson::padded_string operator ""_padded(const char *str, size_t len) {
    return simdjson::padded_string(str, len);
  }
-@@ -4737,6 +4745,8 @@ inline simdjson::padded_string operator ""_padded(const char8_t *str, size_t len
-   return simdjson::padded_string(reinterpret_cast<const char *>(str), len);
+@@ -4644,6 +4652,8 @@ inline simdjson::padded_string operator ""_padded(const char8_t *str, size_t len
+   return simdjson::padded_string(reinterpret_cast<const char8_t *>(str), len);
  }
  #endif
 +#pragma clang diagnostic pop
@@ -54,7 +54,7 @@ index 1d6560e80fab0458b22f0ac2437056bce4873e8f..c3dbe2b6fc08c36a07ced5e29a814f7b
  #endif // SIMDJSON_PADDED_STRING_INL_H
  /* end file simdjson/padded_string-inl.h */
  /* skipped duplicate #include "simdjson/padded_string_view.h" */
-@@ -44745,12 +44755,16 @@ simdjson_inline simdjson_warn_unused std::unique_ptr<ondemand::parser>& parser::
+@@ -43674,12 +43684,16 @@ simdjson_inline simdjson_warn_unused std::unique_ptr<ondemand::parser>& parser::
    return parser_instance;
  }
  
@@ -71,7 +71,7 @@ index 1d6560e80fab0458b22f0ac2437056bce4873e8f..c3dbe2b6fc08c36a07ced5e29a814f7b
  
  } // namespace ondemand
  } // namespace arm64
-@@ -59221,12 +59235,16 @@ simdjson_inline simdjson_warn_unused std::unique_ptr<ondemand::parser>& parser::
+@@ -57923,12 +57937,16 @@ simdjson_inline simdjson_warn_unused std::unique_ptr<ondemand::parser>& parser::
    return parser_instance;
  }
  

patches/node/expose_get_builtin_module_function.patch

@@ -9,7 +9,7 @@ modules to sandboxed renderers.
 TODO(codebytere): remove and replace with a public facing API.
 
 diff --git a/src/node_binding.cc b/src/node_binding.cc
-index 3b284583d6ccc9b2d0273d678335b9ab0a6fa81c..fbbdc26b8d1428084709ab113f102c42424842b0 100644
+index 5bd07e5253ae64b02ae1874226ab70c1972cf9e0..768d81a63a42d9016a42b7cdce7b6be86c59afdf 100644
 --- a/src/node_binding.cc
 +++ b/src/node_binding.cc
 @@ -655,6 +655,10 @@ void GetInternalBinding(const FunctionCallbackInfo<Value>& args) {

patches/node/feat_disable_js_source_phase_imports_by_default.patch

@@ -18,7 +18,7 @@ Stage 3.
 Upstreamed in https://github.com/nodejs/node/pull/60364
 
 diff --git a/src/node.cc b/src/node.cc
-index ae082f2d0498e0e694e427da71078ca19086e275..f9630a5cd9bed1535a7839517313a2d47d403b1f 100644
+index d77735f4f5686e914811c0576975b57e6c631398..d8e1c809df6e96ed561c73c0e8de0cf9736e4aaa 100644
 --- a/src/node.cc
 +++ b/src/node.cc
 @@ -782,7 +782,7 @@ static ExitCode ProcessGlobalArgsInternal(std::vector<std::string>* args,

patches/node/fix_add_default_values_for_variables_in_common_gypi.patch

@@ -7,7 +7,7 @@ common.gypi is a file that's included in the node header bundle, despite
 the fact that we do not build node with gyp.
 
 diff --git a/common.gypi b/common.gypi
-index 5adfd888711ae46a3ba157853359145c4409169b..cf3ceaf19972ee107deff63b4dba16c12191c615 100644
+index db1625378697d9e6d7685d57acbdc212e8f25ec0..8280cff0d93d42a95875b78de84221aa1bcae092 100644
 --- a/common.gypi
 +++ b/common.gypi
 @@ -91,6 +91,23 @@

patches/node/fix_allow_disabling_fetch_in_renderer_and_worker_processes.patch

@@ -9,10 +9,10 @@ conflict with Blink's in renderer and worker processes.
 We should try to upstream some version of this.
 
 diff --git a/doc/api/cli.md b/doc/api/cli.md
-index d94226df8d90d791c3c5fdb7cab7357b0e2555b0..7512ec43ea10d9b0e167125040bc8136f7ad568a 100644
+index 667603438cc41701820d6aaa734d21ac35bcc8d1..6611face009797f9d540be4478df80d05888893a 100644
 --- a/doc/api/cli.md
 +++ b/doc/api/cli.md
-@@ -1814,6 +1814,14 @@ changes:
+@@ -1798,6 +1798,14 @@ changes:
  
  Disable using [syntax detection][] to determine module type.
  
@@ -27,7 +27,7 @@ index d94226df8d90d791c3c5fdb7cab7357b0e2555b0..7512ec43ea10d9b0e167125040bc8136
  ### `--no-experimental-global-navigator`
  
  <!-- YAML
-@@ -3493,6 +3501,7 @@ one is included in the list below.
+@@ -3476,6 +3484,7 @@ one is included in the list below.
  * `--no-addons`
  * `--no-async-context-frame`
  * `--no-deprecation`
@@ -79,7 +79,7 @@ index 9a99ff6d44320c0e28f4a787d24ea98ae1c96196..8f5810267d1ba430bae02be141f087f2
  function setupWebsocket() {
    if (getOptionValue('--no-experimental-websocket')) {
 diff --git a/src/node_options.cc b/src/node_options.cc
-index f6f81f50c8bd91a72ca96093dc64c183bd58039b..aa18dab6e4171d8a7f0af4b7db1b8c2c07191859 100644
+index 342bffb00fd355f7f1c5d0d83133bd5561be91e1..41f268195c281689339e98ceb98e8034ecd28b63 100644
 --- a/src/node_options.cc
 +++ b/src/node_options.cc
 @@ -545,7 +545,11 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {

patches/node/fix_allow_passing_fileexists_fn_to_legacymainresolve.patch

@@ -11,7 +11,7 @@ We can fix this by allowing the C++ implementation of legacyMainResolve to use
 a fileExists function that does take Asar into account.
 
 diff --git a/lib/internal/modules/esm/resolve.js b/lib/internal/modules/esm/resolve.js
-index 8dc8bbfe8d73e2d11edc261d6fe9f37aaa81e4cd..9c965f21918b8170ca2c2d6efee067b52537698e 100644
+index 72cc9444ca93ef7a1526e23314693aeaf5f173b0..79684dd7e8d1629b19be01ebf97e43e503dec581 100644
 --- a/lib/internal/modules/esm/resolve.js
 +++ b/lib/internal/modules/esm/resolve.js
 @@ -28,14 +28,13 @@ const { BuiltinModule } = require('internal/bootstrap/realm');
@@ -31,7 +31,7 @@ index 8dc8bbfe8d73e2d11edc261d6fe9f37aaa81e4cd..9c965f21918b8170ca2c2d6efee067b5
  const {
    ERR_INPUT_TYPE_NOT_ALLOWED,
    ERR_INVALID_ARG_TYPE,
-@@ -184,6 +183,11 @@ const legacyMainResolveExtensionsIndexes = {
+@@ -183,6 +182,11 @@ const legacyMainResolveExtensionsIndexes = {
    kResolvedByPackageAndNode: 9,
  };
  
@@ -43,7 +43,7 @@ index 8dc8bbfe8d73e2d11edc261d6fe9f37aaa81e4cd..9c965f21918b8170ca2c2d6efee067b5
  /**
   * Legacy CommonJS main resolution:
   * 1. let M = pkg_url + (json main field)
-@@ -202,7 +206,7 @@ function legacyMainResolve(packageJSONUrl, packageConfig, base) {
+@@ -201,7 +205,7 @@ function legacyMainResolve(packageJSONUrl, packageConfig, base) {
  
    const baseStringified = isURL(base) ? base.href : base;
  
@@ -53,10 +53,10 @@ index 8dc8bbfe8d73e2d11edc261d6fe9f37aaa81e4cd..9c965f21918b8170ca2c2d6efee067b5
    const maybeMain = resolvedOption <= legacyMainResolveExtensionsIndexes.kResolvedByMainIndexNode ?
      packageConfig.main || './' : '';
 diff --git a/src/node_file.cc b/src/node_file.cc
-index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb7648694a 100644
+index 88fdca1eb85a49468e787d50f1cee6b8561841d6..7dfb7a486040e0188eb53ee7a65f91a99e713a3a 100644
 --- a/src/node_file.cc
 +++ b/src/node_file.cc
-@@ -3592,13 +3592,25 @@ static void CpSyncCopyDir(const FunctionCallbackInfo<Value>& args) {
+@@ -3583,13 +3583,25 @@ static void CpSyncCopyDir(const FunctionCallbackInfo<Value>& args) {
  }
  
  BindingData::FilePathIsFileReturnType BindingData::FilePathIsFile(
@@ -83,7 +83,7 @@ index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb
    uv_fs_t req;
  
    int rc = uv_fs_stat(env->event_loop(), &req, file_path.c_str(), nullptr);
-@@ -3656,6 +3668,11 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
+@@ -3647,6 +3659,11 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
    std::optional<std::string> initial_file_path;
    std::string file_path;
  
@@ -95,7 +95,7 @@ index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb
    if (args.Length() >= 2 && args[1]->IsString()) {
      auto package_config_main = Utf8Value(isolate, args[1]).ToString();
  
-@@ -3676,7 +3693,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
+@@ -3667,7 +3684,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
        BufferValue buff_file_path(isolate, local_file_path);
        ToNamespacedPath(env, &buff_file_path);
  
@@ -104,7 +104,7 @@ index 58476306172433db98a3e3a1ab31d13bf42014f1..ba6ffc2b6565dea500bc8dd4818c8fcb
          case BindingData::FilePathIsFileReturnType::kIsFile:
            return args.GetReturnValue().Set(i);
          case BindingData::FilePathIsFileReturnType::kIsNotFile:
-@@ -3713,7 +3730,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
+@@ -3704,7 +3721,7 @@ void BindingData::LegacyMainResolve(const FunctionCallbackInfo<Value>& args) {
      BufferValue buff_file_path(isolate, local_file_path);
      ToNamespacedPath(env, &buff_file_path);
  

patches/node/fix_array_out-of-bounds_read_in_boyer-moore_search.patch

@@ -0,0 +1,127 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Thu, 10 Jul 2025 08:36:12 +0000
+Subject: fix: array out-of-bounds read in Boyer-Moore search
+
+Refs https://chromium-review.googlesource.com/c/chromium/src/+/6703757
+
+The above CL enabled array bounds sanitization, which triggered a crash in a Node.js
+test which exposed an issue in Node.js implementation of Boyer-Moore string search.
+
+Some Boyer-Moore search impl functions were using "biased pointer" arithmetic to
+create array pointers that point outside the actual array bounds.
+
+When start_ is large this creates pointers far outside the valid memory range.
+While this worked by accident in practice, it's undefined behavior that the CL
+correctly prohibits.
+
+diff --git a/deps/nbytes/include/nbytes.h b/deps/nbytes/include/nbytes.h
+index b012729c6cca8e42c94fd9b6a9c72301b4370de4..bb2e2e5fd2781f9e3db7f0b0699e1b0513e6782d 100644
+--- a/deps/nbytes/include/nbytes.h
++++ b/deps/nbytes/include/nbytes.h
+@@ -4,6 +4,7 @@
+ #include <cmath>
+ #include <cstddef>
+ #include <cstdint>
++#include <cstdlib>
+ #include <cstring>
+ #include <string>
+ 
+@@ -548,7 +549,11 @@ size_t StringSearch<Char>::BoyerMooreSearch(Vector subject,
+   size_t start = start_;
+ 
+   int *bad_char_occurrence = bad_char_shift_table_;
+-  int *good_suffix_shift = good_suffix_shift_table_ - start_;
++
++  auto good_suffix_get = [&](size_t idx) -> int {
++    if (idx < start || idx - start > kBMMaxShift) return 0;
++    return good_suffix_shift_table_[idx - start];
++  };
+ 
+   Char last_char = pattern_[pattern_length - 1];
+   size_t index = start_index;
+@@ -575,7 +580,7 @@ size_t StringSearch<Char>::BoyerMooreSearch(Vector subject,
+       index +=
+           pattern_length - 1 - CharOccurrence(bad_char_occurrence, last_char);
+     } else {
+-      int gs_shift = good_suffix_shift[j + 1];
++      int gs_shift = good_suffix_get(j + 1);
+       int bc_occ = CharOccurrence(bad_char_occurrence, c);
+       int shift = j - bc_occ;
+       if (gs_shift > shift) {
+@@ -596,17 +601,22 @@ void StringSearch<Char>::PopulateBoyerMooreTable() {
+   const size_t start = start_;
+   const size_t length = pattern_length - start;
+ 
+-  // Biased tables so that we can use pattern indices as table indices,
+-  // even if we only cover the part of the pattern from offset start.
+-  int *shift_table = good_suffix_shift_table_ - start_;
+-  int *suffix_table = suffix_table_ - start_;
++  auto shift_get = [&](size_t idx) -> int& {
++    if (idx < start) abort();
++    return good_suffix_shift_table_[idx - start];
++  };
++
++  auto suffix_get = [&](size_t idx) -> int& {
++    if (idx < start) abort();
++    return suffix_table_[idx - start];
++  };
+ 
+   // Initialize table.
+   for (size_t i = start; i < pattern_length; i++) {
+-    shift_table[i] = length;
++    shift_get(i) = length;
+   }
+-  shift_table[pattern_length] = 1;
+-  suffix_table[pattern_length] = pattern_length + 1;
++  shift_get(pattern_length) = 1;
++  suffix_get(pattern_length) = pattern_length + 1;
+ 
+   if (pattern_length <= start) {
+     return;
+@@ -620,22 +630,22 @@ void StringSearch<Char>::PopulateBoyerMooreTable() {
+     while (i > start) {
+       Char c = pattern_[i - 1];
+       while (suffix <= pattern_length && c != pattern_[suffix - 1]) {
+-        if (static_cast<size_t>(shift_table[suffix]) == length) {
+-          shift_table[suffix] = suffix - i;
++        if (static_cast<size_t>(shift_get(suffix)) == length) {
++          shift_get(suffix) = suffix - i;
+         }
+-        suffix = suffix_table[suffix];
++        suffix = suffix_get(suffix);
+       }
+-      suffix_table[--i] = --suffix;
++      suffix_get(--i) = --suffix;
+       if (suffix == pattern_length) {
+         // No suffix to extend, so we check against last_char only.
+         while ((i > start) && (pattern_[i - 1] != last_char)) {
+-          if (static_cast<size_t>(shift_table[pattern_length]) == length) {
+-            shift_table[pattern_length] = pattern_length - i;
++          if (static_cast<size_t>(shift_get(pattern_length)) == length) {
++            shift_get(pattern_length) = pattern_length - i;
+           }
+-          suffix_table[--i] = pattern_length;
++          suffix_get(--i) = pattern_length;
+         }
+         if (i > start) {
+-          suffix_table[--i] = --suffix;
++          suffix_get(--i) = --suffix;
+         }
+       }
+     }
+@@ -643,11 +653,11 @@ void StringSearch<Char>::PopulateBoyerMooreTable() {
+   // Build shift table using suffixes.
+   if (suffix < pattern_length) {
+     for (size_t i = start; i <= pattern_length; i++) {
+-      if (static_cast<size_t>(shift_table[i]) == length) {
+-        shift_table[i] = suffix - start;
++      if (static_cast<size_t>(shift_get(i)) == length) {
++        shift_get(i) = suffix - start;
+       }
+       if (i == suffix) {
+-        suffix = suffix_table[suffix];
++        suffix = suffix_get(suffix);
+       }
+     }
+   }

patches/node/fix_avoid_external_memory_leak_on_invalid_tls_protocol_versions.patch

@@ -19,10 +19,10 @@ only allocate the native SecureContext on success.
 
 This should be upstreamed to Node.js.
 
-diff --git a/lib/internal/tls/common.js b/lib/internal/tls/common.js
+diff --git a/lib/_tls_common.js b/lib/_tls_common.js
 index 66331d2d9999e93e59cbce9e153affb942b79946..0f7fd0747ea779f76a9e64ed37d195bd735ea2a8 100644
---- a/lib/internal/tls/common.js
-+++ b/lib/internal/tls/common.js
+--- a/lib/_tls_common.js
++++ b/lib/_tls_common.js
 @@ -82,10 +82,11 @@ function SecureContext(secureProtocol, secureOptions, minVersion, maxVersion) {
        throw new ERR_TLS_PROTOCOL_VERSION_CONFLICT(maxVersion, secureProtocol);
    }
@@ -39,10 +39,10 @@ index 66331d2d9999e93e59cbce9e153affb942b79946..0f7fd0747ea779f76a9e64ed37d195bd
    if (secureOptions) {
      validateInteger(secureOptions, 'secureOptions');
 diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
-index ca62d3001bf51193d78caac0cccd93c188a8410c..d6af2460c3745901415d4e785cf210da8a730a8d 100644
+index 12ad6e6ddbda2cc679e733f7a9c6b9e4cf9623dd..fc6d295a401d5283ba19dd5c95b748c83b7055a9 100644
 --- a/src/crypto/crypto_context.cc
 +++ b/src/crypto/crypto_context.cc
-@@ -1377,10 +1377,8 @@ SecureContext::SecureContext(Environment* env, Local<Object> wrap)
+@@ -1354,10 +1354,8 @@ SecureContext::SecureContext(Environment* env, Local<Object> wrap)
  }
  
  inline void SecureContext::Reset() {

patches/node/fix_cppgc_initializing_twice.patch

@@ -12,7 +12,7 @@ This can be removed/refactored once Node.js upgrades to a version of V8
 containing the above CL.
 
 diff --git a/src/node.cc b/src/node.cc
-index 8791119956ff93d65163d2ef424a8d821ebbdfad..ae082f2d0498e0e694e427da71078ca19086e275 100644
+index 31439d0cc1199d0e0c94c9d616d957610279e01b..d77735f4f5686e914811c0576975b57e6c631398 100644
 --- a/src/node.cc
 +++ b/src/node.cc
 @@ -1248,7 +1248,7 @@ InitializeOncePerProcessInternal(const std::vector<std::string>& args,

patches/node/fix_crypto_tests_to_run_with_bssl.patch

@@ -10,18 +10,6 @@ This should be upstreamed in some form, though it may need to be tweaked
 before it's acceptable to upstream, as this patch comments out a couple
 of tests that upstream probably cares about.
 
-diff --git a/test/fixtures/crypto/rsa_pss.js b/test/fixtures/crypto/rsa_pss.js
-index 423f2c4d77bfc98bfbdab93c09aff8012c678cbd..fa0bcceb5697486930a9530732f9a9ab6e1bb5b0 100644
---- a/test/fixtures/crypto/rsa_pss.js
-+++ b/test/fixtures/crypto/rsa_pss.js
-@@ -1,6 +1,6 @@
- 'use strict';
- 
--module.exports = function() {
-+module.exports = function () {
-   const pkcs8 = Buffer.from(
-     '308204bf020100300d06092a864886f70d0101010500048204a9308204a5020100028' +
-     '2010100d3576092e62957364544e7e4233b7bdb293db2085122c479328546f9f0f712' +
 diff --git a/test/parallel/test-crypto-async-sign-verify.js b/test/parallel/test-crypto-async-sign-verify.js
 index 9876c4bb6ecd2e5b8879f153811cd0a0a22997aa..2c4bf03452eb10fec52c38a361b6aad93169f08d 100644
 --- a/test/parallel/test-crypto-async-sign-verify.js
@@ -53,6 +41,102 @@ index 9876c4bb6ecd2e5b8879f153811cd0a0a22997aa..2c4bf03452eb10fec52c38a361b6aad9
  
  // Test Parallel Execution w/ KeyObject is threadsafe in openssl3
  {
+diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
+index e8fedf2d5d5072e00afd493ac2ac44748212b02e..6fcbe244871d25b2151d39160149aaa50dc96012 100644
+--- a/test/parallel/test-crypto-authenticated.js
++++ b/test/parallel/test-crypto-authenticated.js
+@@ -627,21 +627,25 @@ for (const test of TEST_CASES) {
+ {
+   // CCM cipher without data should not crash, see https://github.com/nodejs/node/issues/38035.
+   const algo = 'aes-128-ccm';
+-  const key = Buffer.alloc(16);
+-  const iv = Buffer.alloc(12);
+-  const opts = { authTagLength: 10 };
++  if (!ciphers.includes(algo)) {
++    common.printSkipMessage(`unsupported ${algo} test`);
++  } else {
++    const key = Buffer.alloc(16);
++    const iv = Buffer.alloc(12);
++    const opts = { authTagLength: 10 };
+ 
+-  const cipher = crypto.createCipheriv(algo, key, iv, opts);
+-  assert.throws(() => {
+-    cipher.final();
+-  }, hasOpenSSL3 ? {
+-    code: 'ERR_OSSL_TAG_NOT_SET'
+-  } : {
+-    message: /Unsupported state/
+-  });
++    const cipher = crypto.createCipheriv(algo, key, iv, opts);
++    assert.throws(() => {
++      cipher.final();
++    }, hasOpenSSL3 ? {
++      code: 'ERR_OSSL_TAG_NOT_SET'
++    } : {
++      message: /Unsupported state/
++    });
++  }
+ }
+ 
+-{
++if (!process.features.openssl_is_boringssl) {
+   const key = Buffer.alloc(32);
+   const iv = Buffer.alloc(12);
+ 
+@@ -653,11 +657,13 @@ for (const test of TEST_CASES) {
+       message: errMessages.authTagLength
+     });
+   }
++} else {
++  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
+ }
+ 
+ // ChaCha20-Poly1305 should respect the authTagLength option and should not
+ // require the authentication tag before calls to update() during decryption.
+-{
++if (!process.features.openssl_is_boringssl) {
+   const key = Buffer.alloc(32);
+   const iv = Buffer.alloc(12);
+ 
+@@ -697,6 +703,8 @@ for (const test of TEST_CASES) {
+       }
+     }
+   }
++} else {
++  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
+ }
+ 
+ // ChaCha20-Poly1305 should default to an authTagLength of 16. When encrypting,
+@@ -706,7 +714,7 @@ for (const test of TEST_CASES) {
+ // shorter tags as long as their length was valid according to NIST SP 800-38D.
+ // For ChaCha20-Poly1305, we intentionally deviate from that because there are
+ // no recommended or approved authentication tag lengths below 16 bytes.
+-{
++if (!process.features.openssl_is_boringssl) {
+   const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => {
+     return algo === 'chacha20-poly1305' && tampered === false;
+   });
+@@ -740,10 +748,12 @@ for (const test of TEST_CASES) {
+ 
+     assert.strictEqual(plaintext.toString('hex'), testCase.plain);
+   }
++} else {
++  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
+ }
+ 
+ // https://github.com/nodejs/node/issues/45874
+-{
++if (!process.features.openssl_is_boringssl) {
+   const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => {
+     return algo === 'chacha20-poly1305' && tampered === false;
+   });
+@@ -771,4 +781,6 @@ for (const test of TEST_CASES) {
+   assert.throws(() => {
+     decipher.final();
+   }, /Unsupported state or unable to authenticate data/);
++} else {
++  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
+ }
 diff --git a/test/parallel/test-crypto-cipheriv-decipheriv.js b/test/parallel/test-crypto-cipheriv-decipheriv.js
 index 6742722f9e90914b4dc8c079426d10040d476f72..8801ddfe7023fd0f7d5657b86a9164d75765322e 100644
 --- a/test/parallel/test-crypto-cipheriv-decipheriv.js
@@ -68,6 +152,21 @@ index 6742722f9e90914b4dc8c079426d10040d476f72..8801ddfe7023fd0f7d5657b86a9164d7
    // Test encryption and decryption with explicit key and iv.
    // AES Key Wrap test vector comes from RFC3394
    const plaintext = Buffer.from('00112233445566778899AABBCCDDEEFF', 'hex');
+diff --git a/test/parallel/test-crypto-default-shake-lengths-oneshot.js b/test/parallel/test-crypto-default-shake-lengths-oneshot.js
+index 247e58d93c4303ffde132e49fb25cf88d76fae7c..de1648d97c2189c2eb8a6509b19b0c462c203453 100644
+--- a/test/parallel/test-crypto-default-shake-lengths-oneshot.js
++++ b/test/parallel/test-crypto-default-shake-lengths-oneshot.js
+@@ -5,6 +5,10 @@ const common = require('../common');
+ if (!common.hasCrypto)
+   common.skip('missing crypto');
+ 
++if (process.features.openssl_is_boringssl) {
++  common.skip('Skipping unsupported shake128 digest method test');
++}
++
+ const { hash } = require('crypto');
+ 
+ common.expectWarning({
 diff --git a/test/parallel/test-crypto-dh-curves.js b/test/parallel/test-crypto-dh-curves.js
 index 81a469c226c261564dee1e0b06b6571b18a41f1f..58b66045dba4201b7ebedd78b129420ffc316051 100644
 --- a/test/parallel/test-crypto-dh-curves.js
@@ -82,18 +181,71 @@ index 81a469c226c261564dee1e0b06b6571b18a41f1f..58b66045dba4201b7ebedd78b129420f
  
  const availableCurves = new Set(crypto.getCurves());
 diff --git a/test/parallel/test-crypto-dh-errors.js b/test/parallel/test-crypto-dh-errors.js
-index d7527d82617efccd931f0fc2f700ab876872c1e6..b14b4bbf88b902b6de916b92e3d48335c01df911 100644
+index d7527d82617efccd931f0fc2f700ab876872c1e6..5474d094c7af1bec1e9d144e04663a41def9df3c 100644
 --- a/test/parallel/test-crypto-dh-errors.js
 +++ b/test/parallel/test-crypto-dh-errors.js
-@@ -27,7 +27,7 @@ assert.throws(() => crypto.createDiffieHellman('abcdef', 13.37), {
+@@ -27,13 +27,13 @@ assert.throws(() => crypto.createDiffieHellman('abcdef', 13.37), {
  for (const bits of [-1, 0, 1]) {
    if (hasOpenSSL3) {
      assert.throws(() => crypto.createDiffieHellman(bits), {
 -      code: 'ERR_OSSL_DH_MODULUS_TOO_SMALL',
-+      code: 'ERR_OSSL_BN_BITS_TOO_SMALL',
++      code: /ERR_OSSL_(BN_BITS|DH_MODULUS)_TOO_SMALL/,
        name: 'Error',
        message: /modulus too small/,
      });
+   } else {
+     assert.throws(() => crypto.createDiffieHellman(bits), {
+-      code: 'ERR_OSSL_BN_BITS_TOO_SMALL',
++      code: /ERR_OSSL_(BN_BITS|DH_MODULUS)_TOO_SMALL/,
+       name: 'Error',
+       message: /bits[\s_]too[\s_]small/i,
+     });
+diff --git a/test/parallel/test-crypto-dh-group-setters.js b/test/parallel/test-crypto-dh-group-setters.js
+index 7c774111952eada92c62d45674c0845667ead1bf..37d0a44d0e1e102e5a9893cd8e48967050407c76 100644
+--- a/test/parallel/test-crypto-dh-group-setters.js
++++ b/test/parallel/test-crypto-dh-group-setters.js
+@@ -6,6 +6,10 @@ if (!common.hasCrypto)
+ const assert = require('assert');
+ const crypto = require('crypto');
+ 
++if (process.features.openssl_is_boringssl) {
++  common.skip('Skipping unsupported Diffie-Hellman tests');
++}
++
+ // Unlike DiffieHellman, DiffieHellmanGroup does not have any setters.
+ const dhg = crypto.getDiffieHellman('modp1');
+ assert.strictEqual(dhg.constructor, crypto.DiffieHellmanGroup);
+diff --git a/test/parallel/test-crypto-dh-modp2-views.js b/test/parallel/test-crypto-dh-modp2-views.js
+index 8d01731af79394cb33477a1ba4bb13561604e5e5..a28e615b7f35c7f4fc6ec6f7b065505336e6f832 100644
+--- a/test/parallel/test-crypto-dh-modp2-views.js
++++ b/test/parallel/test-crypto-dh-modp2-views.js
+@@ -7,6 +7,10 @@ const assert = require('assert');
+ const crypto = require('crypto');
+ const { modp2buf } = require('../common/crypto');
+ 
++if (process.features.openssl_is_boringssl) {
++  common.skip('Skipping unsupported Diffie-Hellman tests');
++}
++
+ const modp2 = crypto.createDiffieHellmanGroup('modp2');
+ 
+ const views = common.getArrayBufferViews(modp2buf);
+diff --git a/test/parallel/test-crypto-dh-modp2.js b/test/parallel/test-crypto-dh-modp2.js
+index 19767d26f4e5fbd1d82b5bfa6ebe0afddc412c3e..eb262f235ff30bf5dc988c1b34052c9856f4d186 100644
+--- a/test/parallel/test-crypto-dh-modp2.js
++++ b/test/parallel/test-crypto-dh-modp2.js
+@@ -6,6 +6,11 @@ if (!common.hasCrypto)
+ const assert = require('assert');
+ const crypto = require('crypto');
+ const { modp2buf } = require('../common/crypto');
++
++if (process.features.openssl_is_boringssl) {
++  common.skip('Skipping unsupported Diffie-Hellman tests');
++}
++
+ const modp2 = crypto.createDiffieHellmanGroup('modp2');
+ 
+ {
 diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js
 index 3c00a5fc73bb9f86f944df74f29d6b5225bc2f0e..b4e7002d862907d2af3b4f8e985700bd03300809 100644
 --- a/test/parallel/test-crypto-dh.js
@@ -146,6 +298,234 @@ index d22281abbd5c3cab3aaa3ac494301fa6b4a8a968..5f0c6a4aed2e868a1a1049212edf2187
  
  s.pipe(h).on('data', common.mustCall(function(c) {
    assert.strictEqual(c, expect);
+diff --git a/test/parallel/test-crypto-key-objects-to-crypto-key.js b/test/parallel/test-crypto-key-objects-to-crypto-key.js
+index 141e51d1ab74a4fc3b176b303807fb1cf2a58ce1..7ea6643fe5c8cc0e7613782419e1d465f99314cd 100644
+--- a/test/parallel/test-crypto-key-objects-to-crypto-key.js
++++ b/test/parallel/test-crypto-key-objects-to-crypto-key.js
+@@ -26,9 +26,14 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) {
+ {
+   for (const length of [128, 192, 256]) {
+     const key = createSecretKey(randomBytes(length >> 3));
+-    const algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW'];
++    let algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW'];
+     if (length === 256)
+       algorithms.push('ChaCha20-Poly1305');
++
++    if (process.features.openssl_is_boringssl) {
++      algorithms = algorithms.filter((a) => a !== 'AES-KW' && a !== 'ChaCha20-Poly1305');
++    }
++
+     for (const algorithm of algorithms) {
+       const usages = algorithm === 'AES-KW' ? ['wrapKey', 'unwrapKey'] : ['encrypt', 'decrypt'];
+       for (const extractable of [true, false]) {
+@@ -97,7 +102,14 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) {
+ }
+ 
+ {
+-  for (const algorithm of ['Ed25519', 'Ed448', 'X25519', 'X448']) {
++  const algorithms = ['Ed25519', 'X25519'];
++
++  if (!process.features.openssl_is_boringssl) {
++    algorithms.push('X448', 'Ed448');
++  }
++
++  for (const algorithm of algorithms) {
++   console.log(algorithm);
+     const { publicKey, privateKey } = generateKeyPairSync(algorithm.toLowerCase());
+     assert.throws(() => {
+       publicKey.toCryptoKey(algorithm === 'Ed25519' ? 'X25519' : 'Ed25519', true, []);
+diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js
+index e8359ed6d0362c6e8da8be08b0fd42245fa7ae47..bd8211d98261a1acc928e849bf713578c85ff877 100644
+--- a/test/parallel/test-crypto-key-objects.js
++++ b/test/parallel/test-crypto-key-objects.js
+@@ -302,11 +302,11 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+   }, hasOpenSSL3 ? {
+     message: 'error:1E08010C:DECODER routines::unsupported',
+   } : {
+-    message: 'error:0909006C:PEM routines:get_name:no start line',
++    message: /no.start.line/i,
+     code: 'ERR_OSSL_PEM_NO_START_LINE',
+-    reason: 'no start line',
++    reason: /no.start.line/i,
+     library: 'PEM routines',
+-    function: 'get_name',
++    function: /get_name|OPENSSL_internal/,
+   });
+ 
+   // This should not abort either: https://github.com/nodejs/node/issues/29904
+@@ -329,12 +329,12 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+     message: /error:1E08010C:DECODER routines::unsupported/,
+     library: 'DECODER routines'
+   } : {
+-    message: /asn1 encoding/,
+-    library: 'asn1 encoding routines'
++    message: /asn1 encoding|public key routines/,
++    library: /asn1 encoding routines|public key routines/
+   });
+ }
+ 
+-[
++const infos = [
+   { private: fixtures.readKey('ed25519_private.pem', 'ascii'),
+     public: fixtures.readKey('ed25519_public.pem', 'ascii'),
+     keyType: 'ed25519',
+@@ -344,17 +344,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+       d: 'wVK6M3SMhQh3NK-7GRrSV-BVWQx1FO5pW8hhQeu_NdA',
+       kty: 'OKP'
+     } },
+-  { private: fixtures.readKey('ed448_private.pem', 'ascii'),
+-    public: fixtures.readKey('ed448_public.pem', 'ascii'),
+-    keyType: 'ed448',
+-    jwk: {
+-      crv: 'Ed448',
+-      x: 'oX_ee5-jlcU53-BbGRsGIzly0V-SZtJ_oGXY0udf84q2hTW2RdstLktvwpkVJOoNb7o' +
+-         'Dgc2V5ZUA',
+-      d: '060Ke71sN0GpIc01nnGgMDkp0sFNQ09woVo4AM1ffax1-mjnakK0-p-S7-Xf859QewX' +
+-         'jcR9mxppY',
+-      kty: 'OKP'
+-    } },
+   { private: fixtures.readKey('x25519_private.pem', 'ascii'),
+     public: fixtures.readKey('x25519_public.pem', 'ascii'),
+     keyType: 'x25519',
+@@ -364,18 +353,37 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+       d: 'mL_IWm55RrALUGRfJYzw40gEYWMvtRkesP9mj8o8Omc',
+       kty: 'OKP'
+     } },
+-  { private: fixtures.readKey('x448_private.pem', 'ascii'),
++]
++
++if (!process.features.openssl_is_boringssl) {
++  infos.push({
++    private: fixtures.readKey('ed448_private.pem', 'ascii'),
++    public: fixtures.readKey('ed448_public.pem', 'ascii'),
++    keyType: 'ed448',
++    jwk: {
++      crv: 'Ed448',
++      x: 'oX_ee5-jlcU53-BbGRsGIzly0V-SZtJ_oGXY0udf84q2hTW2RdstLktvwpkVJOoNb7o' +
++        'Dgc2V5ZUA',
++      d: '060Ke71sN0GpIc01nnGgMDkp0sFNQ09woVo4AM1ffax1-mjnakK0-p-S7-Xf859QewX' +
++        'jcR9mxppY',
++      kty: 'OKP'
++    }
++  }, {
++    private: fixtures.readKey('x448_private.pem', 'ascii'),
+     public: fixtures.readKey('x448_public.pem', 'ascii'),
+     keyType: 'x448',
+     jwk: {
+       crv: 'X448',
+       x: 'ioHSHVpTs6hMvghosEJDIR7ceFiE3-Xccxati64oOVJ7NWjfozE7ae31PXIUFq6cVYg' +
+-         'vSKsDFPA',
++        'vSKsDFPA',
+       d: 'tMNtrO_q8dlY6Y4NDeSTxNQ5CACkHiPvmukidPnNIuX_EkcryLEXt_7i6j6YZMKsrWy' +
+-         'S0jlSYJk',
++        'S0jlSYJk',
+       kty: 'OKP'
+-    } },
+-].forEach((info) => {
++    }
++  });
++}
++
++infos.forEach((info) => {
+   const keyType = info.keyType;
+ 
+   {
+@@ -417,7 +425,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+   }
+ });
+ 
+-[
++const ecInfos = [
+   { private: fixtures.readKey('ec_p256_private.pem', 'ascii'),
+     public: fixtures.readKey('ec_p256_public.pem', 'ascii'),
+     keyType: 'ec',
+@@ -429,17 +437,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+       x: 'X0mMYR_uleZSIPjNztIkAS3_ud5LhNpbiIFp6fNf2Gs',
+       y: 'UbJuPy2Xi0lW7UYTBxPK3yGgDu9EAKYIecjkHX5s2lI'
+     } },
+-  { private: fixtures.readKey('ec_secp256k1_private.pem', 'ascii'),
+-    public: fixtures.readKey('ec_secp256k1_public.pem', 'ascii'),
+-    keyType: 'ec',
+-    namedCurve: 'secp256k1',
+-    jwk: {
+-      crv: 'secp256k1',
+-      d: 'c34ocwTwpFa9NZZh3l88qXyrkoYSxvC0FEsU5v1v4IM',
+-      kty: 'EC',
+-      x: 'cOzhFSpWxhalCbWNdP2H_yUkdC81C9T2deDpfxK7owA',
+-      y: '-A3DAZTk9IPppN-f03JydgHaFvL1fAHaoXf4SX4NXyo'
+-    } },
+   { private: fixtures.readKey('ec_p384_private.pem', 'ascii'),
+     public: fixtures.readKey('ec_p384_public.pem', 'ascii'),
+     keyType: 'ec',
+@@ -465,7 +462,25 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+       y: 'Ad3flexBeAfXceNzRBH128kFbOWD6W41NjwKRqqIF26vmgW_8COldGKZjFkOSEASxPB' +
+          'cvA2iFJRUyQ3whC00j0Np'
+     } },
+-].forEach((info) => {
++]
++
++if (!process.features.openssl_is_boringssl) {
++  ecInfos.push({
++    private: fixtures.readKey('ec_secp256k1_private.pem', 'ascii'),
++    public: fixtures.readKey('ec_secp256k1_public.pem', 'ascii'),
++    keyType: 'ec',
++    namedCurve: 'secp256k1',
++    jwk: {
++      crv: 'secp256k1',
++      d: 'c34ocwTwpFa9NZZh3l88qXyrkoYSxvC0FEsU5v1v4IM',
++      kty: 'EC',
++      x: 'cOzhFSpWxhalCbWNdP2H_yUkdC81C9T2deDpfxK7owA',
++      y: '-A3DAZTk9IPppN-f03JydgHaFvL1fAHaoXf4SX4NXyo'
++    }
++  });
++}
++
++ecInfos.forEach((info) => {
+   const { keyType, namedCurve } = info;
+ 
+   {
+@@ -540,7 +555,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+     format: 'pem',
+     passphrase: Buffer.alloc(1024, 'a')
+   }), {
+-    message: /bad decrypt/
++    message: /bad.decrypt/i
+   });
+ 
+   const publicKey = createPublicKey(publicDsa);
+@@ -566,7 +581,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+ 
+ {
+   // Test RSA-PSS.
+-  {
++  if (!process.features.openssl_is_boringssl) {
+     // This key pair does not restrict the message digest algorithm or salt
+     // length.
+     const publicPem = fixtures.readKey('rsa_pss_public_2048.pem');
+@@ -625,6 +640,8 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
+     }, {
+       code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS'
+     });
++  } else {
++    common.skip('Skipping unsupported RSA-PSS key test');
+   }
+ 
+   {
+diff --git a/test/parallel/test-crypto-keygen-deprecation.js b/test/parallel/test-crypto-keygen-deprecation.js
+index 926dfbbc4ae987217ab404ec25a3ca0a2ef2edcf..df0b379c1b1e982b96ea97c9814f38991d734ce4 100644
+--- a/test/parallel/test-crypto-keygen-deprecation.js
++++ b/test/parallel/test-crypto-keygen-deprecation.js
+@@ -4,6 +4,10 @@ const common = require('../common');
+ if (!common.hasCrypto)
+   common.skip('missing crypto');
+ 
++if (process.features.openssl_is_boringssl) {
++  common.skip('Skipping unsupported RSA-PSS key tests');
++}
++
+ const DeprecationWarning = [];
+ DeprecationWarning.push([
+   '"options.hash" is deprecated, use "options.hashAlgorithm" instead.',
 diff --git a/test/parallel/test-crypto-oneshot-hash-xof.js b/test/parallel/test-crypto-oneshot-hash-xof.js
 index 75cb4800ff1bd51fedd7bc4e2d7e6af6f4f48346..b4363c31592763235116d970a5f45d4cf63de373 100644
 --- a/test/parallel/test-crypto-oneshot-hash-xof.js
@@ -162,7 +542,7 @@ index 75cb4800ff1bd51fedd7bc4e2d7e6af6f4f48346..b4363c31592763235116d970a5f45d4c
  {
    // Default outputLengths.
 diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js
-index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..8d13b105fa426015a873c411ad1d7f64b3d9580e 100644
+index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..ad9cd4fd81aff32ec175f469176e1012b81872ac 100644
 --- a/test/parallel/test-crypto-rsa-dsa.js
 +++ b/test/parallel/test-crypto-rsa-dsa.js
 @@ -29,12 +29,11 @@ const dsaPkcs8KeyPem = fixtures.readKey('dsa_private_pkcs8.pem');
@@ -175,24 +555,29 @@ index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..8d13b105fa426015a873c411ad1d7f64
 -  reason: 'bad decrypt',
 -  function: 'EVP_DecryptFinal_ex',
 -  library: 'digital envelope routines',
-+  message: /error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt|error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT/,
-+  code: /ERR_OSSL(_EVP)?_BAD_DECRYPT/,
-+  reason: /bad decrypt|BAD_DECRYPT/,
++  message: /bad decrypt|BAD_DECRYPT/i,
++  code: /ERR_OSSL_(EVP_)?BAD_DECRYPT/,
++  reason: /bad decrypt|BAD_DECRYPT/i,
 +  function: /EVP_DecryptFinal_ex|OPENSSL_internal/,
 +  library: /digital envelope routines|Cipher functions/,
  };
  
  const decryptError = hasOpenSSL3 ?
-@@ -223,7 +222,7 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) {
-   }, bufferToEncrypt);
+@@ -325,9 +324,12 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) {
+ }
  
+ test_rsa('RSA_NO_PADDING');
+-test_rsa('RSA_PKCS1_PADDING');
+ test_rsa('RSA_PKCS1_OAEP_PADDING');
  
--  if (padding === constants.RSA_PKCS1_PADDING) {
-+  if (!process.features.openssl_is_boringssl) {
-     if (!process.config.variables.node_shared_openssl) {
-       // TODO(richardlau) remove check and else branch after deps/openssl
-       // is upgraded.
-@@ -489,7 +488,7 @@ assert.throws(() => {
++if (!process.features.openssl_is_boringssl) {
++  test_rsa('RSA_PKCS1_PADDING');
++}
++
+ // Test OAEP with different hash functions.
+ test_rsa('RSA_PKCS1_OAEP_PADDING', undefined, 'sha1');
+ test_rsa('RSA_PKCS1_OAEP_PADDING', 'sha1', undefined);
+@@ -489,7 +491,7 @@ assert.throws(() => {
  //
  // Test DSA signing and verification
  //
@@ -201,6 +586,48 @@ index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..8d13b105fa426015a873c411ad1d7f64
    const input = 'I AM THE WALRUS';
  
    // DSA signatures vary across runs so there is no static string to verify
+@@ -512,13 +514,15 @@ assert.throws(() => {
+   verify2.update(input);
+ 
+   assert.strictEqual(verify2.verify(dsaPubPem, signature2, 'hex'), true);
++} else {
++  common.printSkipMessage('Skipping unsupported DSA test case');
+ }
+ 
+ 
+ //
+ // Test DSA signing and verification with PKCS#8 private key
+ //
+-{
++if (!process.features.openssl_is_boringssl) {
+   const input = 'I AM THE WALRUS';
+ 
+   // DSA signatures vary across runs so there is no static string to verify
+@@ -531,6 +535,8 @@ assert.throws(() => {
+   verify.update(input);
+ 
+   assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true);
++} else {
++  common.printSkipMessage('Skipping unsupported DSA test case');
+ }
+ 
+ 
+@@ -547,7 +553,7 @@ const input = 'I AM THE WALRUS';
+   }, decryptPrivateKeyError);
+ }
+ 
+-{
++if (!process.features.openssl_is_boringssl) {
+   // DSA signatures vary across runs so there is no static string to verify
+   // against.
+   const sign = crypto.createSign('SHA1');
+@@ -559,4 +565,6 @@ const input = 'I AM THE WALRUS';
+   verify.update(input);
+ 
+   assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true);
++} else {
++  common.printSkipMessage('Skipping unsupported DSA test case');
+ }
 diff --git a/test/parallel/test-crypto-scrypt.js b/test/parallel/test-crypto-scrypt.js
 index eafdfe392bde8eb1fde1dc7e7e9ae51682c74b87..2907e0175379266c90acb9df829d10283bd46652 100644
 --- a/test/parallel/test-crypto-scrypt.js
@@ -273,7 +700,7 @@ index a66f0a94efd7c952c1d2320fbc7a39fe3a88a8a1..dc5846db0e3dcf8f7cb5f7efcdbc81c1
    for (const [file, length] of keys) {
      const privKey = fixtures.readKey(file);
 diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
-index d21a6bd3d98d6db26cc82896e62da2869cf22842..115a2046b4d4b2688eaf033b58514c903af7a4b5 100644
+index 84111740cd9ef6425b747e24e984e66e46b0b2ef..974ee53431ca853aeee1ffbd845e65504feef02e 100644
 --- a/test/parallel/test-crypto.js
 +++ b/test/parallel/test-crypto.js
 @@ -62,7 +62,7 @@ assert.throws(() => {
@@ -312,81 +739,297 @@ index d21a6bd3d98d6db26cc82896e62da2869cf22842..115a2046b4d4b2688eaf033b58514c90
  validateList(crypto.getHashes());
  // Make sure all of the hashes are supported by OpenSSL
  for (const algo of crypto.getHashes())
-@@ -197,6 +195,7 @@ assert.throws(
+@@ -197,61 +195,63 @@ assert.throws(
    }
  );
  
+-assert.throws(() => {
+-  const priv = [
+-    '-----BEGIN RSA PRIVATE KEY-----',
+-    'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4',
+-    'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy',
+-    'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/',
+-    'Ig6/HueCK/0Jkmp+',
+-    '-----END RSA PRIVATE KEY-----',
+-    '',
+-  ].join('\n');
+-  crypto.createSign('SHA256').update('test').sign(priv);
+-}, (err) => {
+-  if (!hasOpenSSL3)
+-    assert.ok(!('opensslErrorStack' in err));
+-  assert.throws(() => { throw err; }, hasOpenSSL3 ? {
+-    name: 'Error',
+-    message: 'error:02000070:rsa routines::digest too big for rsa key',
+-    library: 'rsa routines',
+-  } : {
+-    name: 'Error',
+-    message: /routines:RSA_sign:digest too big for rsa key$/,
+-    library: /rsa routines/i,
+-    function: 'RSA_sign',
+-    reason: /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i,
+-    code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY'
+-  });
+-  return true;
+-});
+-
+-if (!hasOpenSSL3) {
 +if (!process.features.openssl_is_boringssl) {
- assert.throws(() => {
-   const priv = [
-     '-----BEGIN RSA PRIVATE KEY-----',
-@@ -253,7 +252,7 @@ if (!hasOpenSSL3) {
+   assert.throws(() => {
+-    // The correct header inside `rsa_private_pkcs8_bad.pem` should have been
+-    // -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
+-    // instead of
+-    // -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
+-    const sha1_privateKey = fixtures.readKey('rsa_private_pkcs8_bad.pem',
+-                                             'ascii');
+-    // This would inject errors onto OpenSSL's error stack
+-    crypto.createSign('sha1').sign(sha1_privateKey);
++    const priv = [
++      '-----BEGIN RSA PRIVATE KEY-----',
++      'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4',
++      'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy',
++      'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/',
++      'Ig6/HueCK/0Jkmp+',
++      '-----END RSA PRIVATE KEY-----',
++      '',
++    ].join('\n');
++    crypto.createSign('SHA256').update('test').sign(priv);
+   }, (err) => {
+-    // Do the standard checks, but then do some custom checks afterwards.
+-    assert.throws(() => { throw err; }, {
+-      message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:' +
+-               'wrong tag',
+-      library: 'asn1 encoding routines',
+-      function: 'asn1_check_tlen',
+-      reason: 'wrong tag',
+-      code: 'ERR_OSSL_ASN1_WRONG_TAG',
++    if (!hasOpenSSL3)
++      assert.ok(!('opensslErrorStack' in err));
++    assert.throws(() => { throw err; }, hasOpenSSL3 ? {
++      name: 'Error',
++      message: 'error:02000070:rsa routines::digest too big for rsa key',
++      library: 'rsa routines',
++    } : {
++      name: 'Error',
++      message: /routines:RSA_sign:digest too big for rsa key$/,
++      library: /rsa routines/i,
++      function: 'RSA_sign',
++      reason: /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i,
++      code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY'
+     });
+-    // Throws crypto error, so there is an opensslErrorStack property.
+-    // The openSSL stack should have content.
+-    assert(Array.isArray(err.opensslErrorStack));
+-    assert(err.opensslErrorStack.length > 0);
      return true;
    });
++
++  if (!hasOpenSSL3) {
++    assert.throws(() => {
++      // The correct header inside `rsa_private_pkcs8_bad.pem` should have been
++      // -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
++      // instead of
++      // -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
++      const sha1_privateKey = fixtures.readKey('rsa_private_pkcs8_bad.pem',
++                                              'ascii');
++      // This would inject errors onto OpenSSL's error stack
++      crypto.createSign('sha1').sign(sha1_privateKey);
++    }, (err) => {
++      // Do the standard checks, but then do some custom checks afterwards.
++      assert.throws(() => { throw err; }, {
++        message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:' +
++                'wrong tag',
++        library: 'asn1 encoding routines',
++        function: 'asn1_check_tlen',
++        reason: 'wrong tag',
++        code: 'ERR_OSSL_ASN1_WRONG_TAG',
++      });
++      // Throws crypto error, so there is an opensslErrorStack property.
++      // The openSSL stack should have content.
++      assert(Array.isArray(err.opensslErrorStack));
++      assert(err.opensslErrorStack.length > 0);
++      return true;
++    });
++  }
  }
--
-+}
- // Make sure memory isn't released before being returned
- console.log(crypto.randomBytes(16));
  
+ // Make sure memory isn't released before being returned
+diff --git a/test/parallel/test-tls-client-auth.js b/test/parallel/test-tls-client-auth.js
+index b347c0a88df571296127985f8e7b70de66726cc0..66465783d344dab1330069e36577d41fc75db962 100644
+--- a/test/parallel/test-tls-client-auth.js
++++ b/test/parallel/test-tls-client-auth.js
+@@ -112,7 +112,7 @@ if (tls.DEFAULT_MAX_VERSION === 'TLSv1.3') connect({
+   // and sends a fatal Alert to the client that the client discovers there has
+   // been a fatal error.
+   pair.client.conn.once('error', common.mustCall((err) => {
+-    assert.strictEqual(err.code, 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED');
++    //assert.strictEqual(err.code, 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED');
+     cleanup();
+   }));
+ });
+diff --git a/test/parallel/test-tls-peer-certificate.js b/test/parallel/test-tls-peer-certificate.js
+index 41e3c883d950e074dffcdd6df888eaf47696039c..304724b564956ff3c38cb42793141ddcc57dfd75 100644
+--- a/test/parallel/test-tls-peer-certificate.js
++++ b/test/parallel/test-tls-peer-certificate.js
+@@ -55,7 +55,7 @@ connect({
+   assert.strictEqual(peerCert.ca, false);
+   assert.strictEqual(peerCert.issuerCertificate.ca, true);
+   assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
+-  assert.strictEqual(peerCert.serialNumber, '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
++  assert.match(peerCert.serialNumber, /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
+   assert.strictEqual(peerCert.exponent, '0x10001');
+   assert.strictEqual(peerCert.bits, 2048);
+   // The conversion to bits is odd because modulus isn't a buffer, its a hex
+@@ -95,7 +95,7 @@ connect({
+ 
+   const issuer = peerCert.issuerCertificate;
+   assert.strictEqual(issuer.issuerCertificate, issuer);
+-  assert.strictEqual(issuer.serialNumber, '4AB16C8DFD6A7D0D2DFCABDF9C4B0E92C6AD0229');
++  assert.match(issuer.serialNumber, /4AB16C8DFD6A7D0D2DFCABDF9C4B0E92C6AD0229/i);
+ 
+   return cleanup();
+ });
+@@ -114,7 +114,7 @@ connect({
+ 
+   assert.ok(peerCert.issuerCertificate);
+   assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
+-  assert.strictEqual(peerCert.serialNumber, '32E8197681DA33185867B52885F678BFDBA51727');
++  assert.match(peerCert.serialNumber, /32E8197681DA33185867B52885F678BFDBA51727/i);
+   assert.strictEqual(peerCert.exponent, undefined);
+   assert.strictEqual(peerCert.pubKey, undefined);
+   assert.strictEqual(peerCert.modulus, undefined);
+@@ -146,7 +146,6 @@ connect({
+ 
+   const issuer = peerCert.issuerCertificate;
+   assert.strictEqual(issuer.issuerCertificate, issuer);
+-  assert.strictEqual(issuer.serialNumber, '32E8197681DA33185867B52885F678BFDBA51727');
+-
++  assert.match(issuer.serialNumber, /32E8197681DA33185867B52885F678BFDBA51727/i);
+   return cleanup();
+ });
+diff --git a/test/parallel/test-tls-pfx-authorizationerror.js b/test/parallel/test-tls-pfx-authorizationerror.js
+index eb705d591ef23a90bd78d52797fd1a58bc84a7dd..da428f1320e9e7bd1683724806a7438ed5aa38cc 100644
+--- a/test/parallel/test-tls-pfx-authorizationerror.js
++++ b/test/parallel/test-tls-pfx-authorizationerror.js
+@@ -22,13 +22,13 @@ const server = tls
+       rejectUnauthorized: false
+     },
+     common.mustCall(function(c) {
+-      assert.strictEqual(c.getPeerCertificate().serialNumber,
+-                         '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
++      assert.match(c.getPeerCertificate().serialNumber,
++                         /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
+       assert.strictEqual(c.authorizationError, null);
+       c.end();
+     })
+   )
+-  .listen(0, function() {
++  .listen(0, common.mustCall(function() {
+     const client = tls.connect(
+       {
+         port: this.address().port,
+@@ -36,16 +36,16 @@ const server = tls
+         passphrase: 'sample',
+         rejectUnauthorized: false
+       },
+-      function() {
++      common.mustCall(() => {
+         for (let i = 0; i < 10; ++i) {
+           // Calling this repeatedly is a regression test that verifies
+           // that .getCertificate() does not accidentally decrease the
+           // reference count of the X509* certificate on the native side.
+-          assert.strictEqual(client.getCertificate().serialNumber,
+-                             '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
++          assert.match(client.getCertificate().serialNumber,
++                             /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
+         }
+         client.end();
+         server.close();
+-      }
++      }),
+     );
+-  });
++  }));
+diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/parallel/test-tls-set-sigalgs.js
+index 985ca13ba2ac7d58f87c263c7654c4f4087efddf..21c199bdb12739f82a075c4e10e08faf8c587cf4 100644
+--- a/test/parallel/test-tls-set-sigalgs.js
++++ b/test/parallel/test-tls-set-sigalgs.js
+@@ -65,13 +65,14 @@ test('RSA-PSS+SHA256:RSA-PSS+SHA512:ECDSA+SHA256',
+      'RSA-PSS+SHA256:ECDSA+SHA256',
+      ['RSA-PSS+SHA256', 'ECDSA+SHA256']);
+ 
++const cerr = process.features.openssl_is_boringssl ?
++  'ERR_SSL_NO_COMMON_SIGNATURE_ALGORITHMS' : 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS';
++
+ // Do not have shared sigalgs.
+ const handshakeErr = hasOpenSSL(3, 2) ?
+   'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
+ test('RSA-PSS+SHA384', 'ECDSA+SHA256',
+-     undefined, handshakeErr,
+-     'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS');
++     undefined, handshakeErr, cerr);
+ 
+ test('RSA-PSS+SHA384:ECDSA+SHA256', 'ECDSA+SHA384:RSA-PSS+SHA256',
+-     undefined, handshakeErr,
+-     'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS');
++     undefined, handshakeErr, cerr);
+\ No newline at end of file
+diff --git a/test/parallel/test-webcrypto-export-import-cfrg.js b/test/parallel/test-webcrypto-export-import-cfrg.js
+index ae203e1005de0ab4370bd611f4f2ae64bb7a9a6a..216ce5fd14001183e7deb2abadc93178e7a18a58 100644
+--- a/test/parallel/test-webcrypto-export-import-cfrg.js
++++ b/test/parallel/test-webcrypto-export-import-cfrg.js
+@@ -411,7 +411,7 @@ async function testImportRaw({ name, publicUsages }) {
+   await Promise.all(tests);
+ })().then(common.mustCall());
+ 
+-{
++if (!process.features.openssl_is_boringssl) {
+   const rsaPublic = crypto.createPublicKey(
+     fixtures.readKey('rsa_public_2048.pem'));
+   const rsaPrivate = crypto.createPrivateKey(
+@@ -432,4 +432,6 @@ async function testImportRaw({ name, publicUsages }) {
+       { name },
+       true, privateUsages), { message: /Invalid key type/ }).then(common.mustCall());
+   }
++} else {
++  common.printSkipMessage('Skipping RSA key import tests');
+ }
 diff --git a/test/parallel/test-webcrypto-wrap-unwrap.js b/test/parallel/test-webcrypto-wrap-unwrap.js
-index bd788ec4ed88289d35798b8af8c9490a68e081a2..1a5477ba928bce93320f8056db02e1a7b8ddcdf3 100644
+index bd788ec4ed88289d35798b8af8c9490a68e081a2..c6a6f33490595faabaefc9b58afdd813f0887258 100644
 --- a/test/parallel/test-webcrypto-wrap-unwrap.js
 +++ b/test/parallel/test-webcrypto-wrap-unwrap.js
-@@ -20,14 +20,15 @@ const kWrappingData = {
-     wrap: { label: new Uint8Array(8) },
-     pair: true
-   },
--  'AES-CTR': {
-+  'AES-CBC': {
-     generate: { length: 128 },
--    wrap: { counter: new Uint8Array(16), length: 64 },
-+    wrap: { iv: new Uint8Array(16) },
-     pair: false
-   },
--  'AES-CBC': {
-+  /*
-+  'AES-CTR': {
-     generate: { length: 128 },
--    wrap: { iv: new Uint8Array(16) },
-+    wrap: { counter: new Uint8Array(16), length: 64 },
-     pair: false
-   },
-   'AES-GCM': {
-@@ -46,30 +47,9 @@ if (!process.features.openssl_is_boringssl) {
-     generate: { length: 128 },
-     wrap: { },
-     pair: false
--  };
--  kWrappingData['ChaCha20-Poly1305'] = {
--    wrap: {
--      iv: new Uint8Array(12),
--      additionalData: new Uint8Array(16),
--      tagLength: 128
+@@ -179,13 +179,6 @@ async function generateKeysToWrap() {
+       usages: ['encrypt', 'decrypt'],
+       pair: false,
+     },
+-    {
+-      algorithm: {
+-        name: 'ChaCha20-Poly1305'
+-      },
+-      usages: ['encrypt', 'decrypt'],
+-      pair: false,
 -    },
--    pair: false
--  };
--} else {
--  common.printSkipMessage('Skipping unsupported AES-KW test case');
--}
--
--if (hasOpenSSL(3)) {
--  kWrappingData['AES-OCB'] = {
--    generate: { length: 128 },
--    wrap: {
--      iv: new Uint8Array(15),
--      additionalData: new Uint8Array(16),
--      tagLength: 128
--    },
--    pair: false
--  };
--}
-+  }
-+  */
-+};
+     {
+       algorithm: {
+         name: 'HMAC',
+@@ -210,6 +203,18 @@ async function generateKeysToWrap() {
+     common.printSkipMessage('Skipping unsupported AES-KW test case');
+   }
  
- function generateWrappingKeys() {
-   return Promise.all(Object.keys(kWrappingData).map(async (name) => {
++  if (!process.features.openssl_is_boringssl) {
++    parameters.push({
++      algorithm: {
++        name: 'ChaCha20-Poly1305'
++      },
++      usages: ['encrypt', 'decrypt'],
++      pair: false,
++    });
++  } else {
++    common.printSkipMessage('Skipping unsupported ChaCha20-Poly1305 test case');
++  }
++
+   if (hasOpenSSL(3, 5)) {
+     for (const name of ['ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']) {
+       parameters.push({
 diff --git a/test/parallel/test-x509-escaping.js b/test/parallel/test-x509-escaping.js
 index c8fc4abbb108a6d6849e8452d97d29187da2ebe6..825ba4c8dce775f401080a0522565bb7a087bcc3 100644
 --- a/test/parallel/test-x509-escaping.js

patches/node/fix_ensure_traverseparent_bails_on_resource_path_exit.patch

@@ -8,10 +8,10 @@ resource path. This commit ensures that the TraverseParent function
 bails out if the parent path is outside of the resource path.
 
 diff --git a/src/node_modules.cc b/src/node_modules.cc
-index 04ebecc5d924f6c2fddd9992462d1ff692e1cee5..5d9a9da3a068a68c13c5c0cacfe07eec3dad8bc3 100644
+index df9925404e77ec61900f89a5241c86a599e548c5..b5425122b54d91673e184ccfe88dd3a0ca2ff634 100644
 --- a/src/node_modules.cc
 +++ b/src/node_modules.cc
-@@ -345,8 +345,41 @@ const BindingData::PackageConfig* BindingData::TraverseParent(
+@@ -333,8 +333,41 @@ const BindingData::PackageConfig* BindingData::TraverseParent(
      Realm* realm, const std::filesystem::path& check_path) {
    std::filesystem::path current_path = check_path;
    auto env = realm->env();
@@ -53,7 +53,7 @@ index 04ebecc5d924f6c2fddd9992462d1ff692e1cee5..5d9a9da3a068a68c13c5c0cacfe07eec
    do {
      current_path = current_path.parent_path();
  
-@@ -366,6 +399,12 @@ const BindingData::PackageConfig* BindingData::TraverseParent(
+@@ -354,6 +387,12 @@ const BindingData::PackageConfig* BindingData::TraverseParent(
        }
      }
  

patches/node/fix_expose_readfilesync_override_for_modules.patch

@@ -20,7 +20,7 @@ index bb874fec74c73b5de0ef6d1e2a872ebceefb11ce..6fafe2a8029c535fa98276e2d73f04ee
    V(performance_entry_callback, v8::Function)                                  \
    V(prepare_stack_trace_callback, v8::Function)                                \
 diff --git a/src/node_modules.cc b/src/node_modules.cc
-index 95a7b8c32693c32ca9f57e01aff9ef06b84f78b2..cecdda74847801fd5821bc0afdf0dfc9f131c44a 100644
+index fa0aa90cf4d6a9fae3cde0b0bb743b88b47c07bb..d3907c3d063c7757cdd7ef99ed09bea1eb58a3fd 100644
 --- a/src/node_modules.cc
 +++ b/src/node_modules.cc
 @@ -23,12 +23,14 @@ namespace modules {
@@ -46,7 +46,7 @@ index 95a7b8c32693c32ca9f57e01aff9ef06b84f78b2..cecdda74847801fd5821bc0afdf0dfc9
    auto binding_data = realm->GetBindingData<BindingData>();
  
    auto cache_entry = binding_data->package_configs_.find(path.data());
-@@ -111,8 +114,48 @@ const BindingData::PackageConfig* BindingData::GetPackageJSON(
+@@ -103,8 +106,48 @@ const BindingData::PackageConfig* BindingData::GetPackageJSON(
  
    PackageConfig package_config{};
    package_config.file_path = path;
@@ -93,11 +93,11 @@ index 95a7b8c32693c32ca9f57e01aff9ef06b84f78b2..cecdda74847801fd5821bc0afdf0dfc9
 +    }
 +  }
 +  if (read_err < 0) {
-     // Add `nullopt` to the package config cache so that we don't
-     // need to open and attempt to read this path again
-     binding_data->package_configs_.insert({std::string(path), std::nullopt});
-@@ -254,6 +297,12 @@ const BindingData::PackageConfig* BindingData::GetPackageJSON(
-   return &*cached.first->second;
+     return nullptr;
+   }
+   simdjson::ondemand::document document;
+@@ -242,6 +285,12 @@ const BindingData::PackageConfig* BindingData::GetPackageJSON(
+   return &cached.first->second;
  }
  
 +void BindingData::OverrideReadFileSync(const FunctionCallbackInfo<Value>& args) {
@@ -109,7 +109,7 @@ index 95a7b8c32693c32ca9f57e01aff9ef06b84f78b2..cecdda74847801fd5821bc0afdf0dfc9
  void BindingData::ReadPackageJSON(const FunctionCallbackInfo<Value>& args) {
    CHECK_GE(args.Length(), 1);  // path, [is_esm, base, specifier]
    CHECK(args[0]->IsString());  // path
-@@ -672,6 +721,8 @@ void SaveCompileCacheEntry(const FunctionCallbackInfo<Value>& args) {
+@@ -635,6 +684,8 @@ void SaveCompileCacheEntry(const FunctionCallbackInfo<Value>& args) {
  void BindingData::CreatePerIsolateProperties(IsolateData* isolate_data,
                                               Local<ObjectTemplate> target) {
    Isolate* isolate = isolate_data->isolate();
@@ -118,7 +118,7 @@ index 95a7b8c32693c32ca9f57e01aff9ef06b84f78b2..cecdda74847801fd5821bc0afdf0dfc9
    SetMethod(isolate, target, "readPackageJSON", ReadPackageJSON);
    SetMethod(isolate,
              target,
-@@ -735,6 +786,8 @@ void BindingData::CreatePerContextProperties(Local<Object> target,
+@@ -694,6 +745,8 @@ void BindingData::CreatePerContextProperties(Local<Object> target,
  
  void BindingData::RegisterExternalReferences(
      ExternalReferenceRegistry* registry) {
@@ -126,9 +126,9 @@ index 95a7b8c32693c32ca9f57e01aff9ef06b84f78b2..cecdda74847801fd5821bc0afdf0dfc9
 +
    registry->Register(ReadPackageJSON);
    registry->Register(GetNearestParentPackageJSONType);
-   registry->Register(GetNearestParentPackageJSON);
+   registry->Register(GetPackageScopeConfig<false>);
 diff --git a/src/node_modules.h b/src/node_modules.h
-index d610306a3a3111327f111def823b07c3da04192f..5bb7245816822282977e62ce3b0e6c0b9c6ac32b 100644
+index e4ba6b75bc86d14deada835903ba68a4cb0eccc5..ae77f9ec81b358bd356993617cd07671d382e8ca 100644
 --- a/src/node_modules.h
 +++ b/src/node_modules.h
 @@ -54,6 +54,8 @@ class BindingData : public SnapshotableObject {
@@ -138,5 +138,5 @@ index d610306a3a3111327f111def823b07c3da04192f..5bb7245816822282977e62ce3b0e6c0b
 +  static void OverrideReadFileSync(
 +      const v8::FunctionCallbackInfo<v8::Value>& args);
    static void ReadPackageJSON(const v8::FunctionCallbackInfo<v8::Value>& args);
-   static void GetNearestParentPackageJSON(
+   static void GetNearestParentPackageJSONType(
        const v8::FunctionCallbackInfo<v8::Value>& args);

patches/node/fix_expose_the_built-in_electron_module_via_the_esm_loader.patch

@@ -64,7 +64,7 @@ index c284163fba86ec820af1996571fbd3d092d41d34..5f1921d15bc1d3a68c35990f85e36a0e
    }
  }
 diff --git a/lib/internal/modules/esm/loader.js b/lib/internal/modules/esm/loader.js
-index 22c1e9f1ae652b033903f56f394352806ddff754..961da666a233541203b5416909fd1ff0326e63e1 100644
+index abfe88c272dcc4aa1e95948bf754f55e1df74ddf..7a29cd391fdf050ebda50c5b2f263d27001ced74 100644
 --- a/lib/internal/modules/esm/loader.js
 +++ b/lib/internal/modules/esm/loader.js
 @@ -437,7 +437,7 @@ class ModuleLoader {
@@ -77,10 +77,10 @@ index 22c1e9f1ae652b033903f56f394352806ddff754..961da666a233541203b5416909fd1ff0
        if (cjsModule?.[kIsExecuting]) {
          const parentFilename = urlToFilename(parentURL);
 diff --git a/lib/internal/modules/esm/resolve.js b/lib/internal/modules/esm/resolve.js
-index c1d774b9c5c4049f7ecda4e3a1faaa59dad01764..4fd58b1cea557ec122bd860e1ebc15bd04c44f78 100644
+index c27ee4c6612c6a7ea0b6355f03563e8724fd0e40..5f03cf14e948d449d303b22ab6710b5508fb83b2 100644
 --- a/lib/internal/modules/esm/resolve.js
 +++ b/lib/internal/modules/esm/resolve.js
-@@ -752,6 +752,9 @@ function packageImportsResolve(name, base, conditions) {
+@@ -751,6 +751,9 @@ function packageImportsResolve(name, base, conditions) {
    throw importNotDefined(name, packageJSONUrl, base);
  }
  
@@ -90,7 +90,7 @@ index c1d774b9c5c4049f7ecda4e3a1faaa59dad01764..4fd58b1cea557ec122bd860e1ebc15bd
  
  /**
   * Resolves a package specifier to a URL.
-@@ -766,6 +769,11 @@ function packageResolve(specifier, base, conditions) {
+@@ -765,6 +768,11 @@ function packageResolve(specifier, base, conditions) {
      return new URL('node:' + specifier);
    }
  
@@ -129,10 +129,10 @@ index 1716328c7a98996a8933dbaa00a1c6c3156fb2ff..30f887663bbbd9913eff35f0e6e5b829
  // This translator function must be sync, as `require` is sync.
  translators.set('require-commonjs-typescript', (url, translateContext, parentURL) => {
 diff --git a/lib/internal/url.js b/lib/internal/url.js
-index 813208f39e6622a43ae27ba0cc5d11d1e0de55c1..1c1e6075ebabbdbc29d811fcb9f911ee29b28f9e 100644
+index a1473fdac8aba3be541df3b6688a05c0dfbe403f..0a87d997856ea227f8f21393909ffc4634043f24 100644
 --- a/lib/internal/url.js
 +++ b/lib/internal/url.js
-@@ -1604,6 +1604,8 @@ function fileURLToPath(path, options = kEmptyObject) {
+@@ -1609,6 +1609,8 @@ function fileURLToPath(path, options = kEmptyObject) {
      path = new URL(path);
    else if (!isURL(path))
      throw new ERR_INVALID_ARG_TYPE('path', ['string', 'URL'], path);

patches/node/fix_generate_config_gypi_needs_to_generate_valid_json.patch

@@ -1,34 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Shelley Vohr <shelley.vohr@gmail.com>
-Date: Tue, 10 Feb 2026 16:48:47 +0100
-Subject: fix: generate_config_gypi needs to generate valid JSON
-
-Node.js added new process.config.variables entries, which the GN generator
-emitted with Python repr (single quotes). This made the JSON parse blow
-up. Fix this by switching to json.dumps.
-
-This should be upstreamed.
-
-diff --git a/tools/generate_config_gypi.py b/tools/generate_config_gypi.py
-index abd11e1dbda8d400cb900343c6e8d2d6e84fe944..436767e633e1f492fa858645e25ce9b904a5fccb 100755
---- a/tools/generate_config_gypi.py
-+++ b/tools/generate_config_gypi.py
-@@ -58,7 +58,7 @@ def translate_config(out_dir, config, v8_config):
-       'llvm_version': 13,
-       'napi_build_version': config['napi_build_version'],
-       'node_builtin_shareable_builtins':
--          eval(config['node_builtin_shareable_builtins']),
-+          json.loads(config['node_builtin_shareable_builtins']),
-       'node_module_version': int(config['node_module_version']),
-       'node_use_openssl': config['node_use_openssl'],
-       'node_use_amaro': config['node_use_amaro'],
-@@ -102,7 +102,8 @@ def main():
- 
-   # Write output.
-   with open(args.target, 'w') as f:
--    f.write(repr(translate_config(args.out_dir, config, v8_config)))
-+    f.write(json.dumps(translate_config(args.out_dir, config, v8_config),
-+                       sort_keys=True))
- 
-   # Write depfile. Force regenerating config.gypi when GN configs change.
-   if args.dep_file:

patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch

@@ -107,7 +107,7 @@ index e2407027ab05e59b2f0f1c213b98ea469db7a91b..c64761b730e61edcdc0e46a48699f2fd
    # The location of simdutf - use the one from node's deps by default.
    node_simdutf_path = "//third_party/simdutf"
 diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
-index ed509e5c9fe79c5d545180fef0fea9ab6f1ba39b..9446314c95e57ea408568d107a9f6e76886650cb 100644
+index 5ed2f8b35a1e2f8348a0f3891f37944f49371256..bd453ae633b2833cc3c6e3e415b43792dc5bf2e5 100644
 --- a/src/crypto/crypto_cipher.cc
 +++ b/src/crypto/crypto_cipher.cc
 @@ -447,6 +447,7 @@ bool CipherBase::InitAuthenticated(const char* cipher_type,
@@ -151,7 +151,7 @@ index d005bf0ffb93445fa6611a1beb1b465764271ede..01770687bd191c61af02e76d7de24bba
        X509View ca(sk_X509_value(peer_certs.get(), i));
        if (!cert->view().isIssuedBy(ca)) continue;
 diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
-index 4e968477ebcc08fb0ccd6abd4d66240309cf76e8..2e3f31e1765024373c3fc2acd33fc3bfb352a906 100644
+index 03c0c6f42d84efaeba0cc3b997cd29f77648b00d..f3631d538a38dc3a93a47707ea8dab0462fa2140 100644
 --- a/src/crypto/crypto_context.cc
 +++ b/src/crypto/crypto_context.cc
 @@ -143,7 +143,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
@@ -163,7 +163,7 @@ index 4e968477ebcc08fb0ccd6abd4d66240309cf76e8..2e3f31e1765024373c3fc2acd33fc3bf
        X509* ca = sk_X509_value(extra_certs, i);
  
        // NOTE: Increments reference count on `ca`
-@@ -1855,11 +1855,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
+@@ -1832,11 +1832,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
    // If the user specified "auto" for dhparams, the JavaScript layer will pass
    // true to this function instead of the original string. Any other string
    // value will be interpreted as custom DH parameters below.
@@ -177,7 +177,7 @@ index 4e968477ebcc08fb0ccd6abd4d66240309cf76e8..2e3f31e1765024373c3fc2acd33fc3bf
    DHPointer dh;
    {
      BIOPointer bio(LoadBIO(env, args[0]));
-@@ -2085,7 +2086,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
+@@ -2062,7 +2063,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
    }
  
    // Add CA certs too
@@ -276,7 +276,7 @@ index 205e248e0f20f019e189a6c69d3c011a616b3939..12b0d804c6f1d4998b85160b0aac8eb7
  
  #define V(name) case ERR_LIB_##name: lib = #name "_"; break;
 diff --git a/src/env.h b/src/env.h
-index 3ab33341806ad6c0b06b982a30a57b7b5399e38f..754ddf7b331465c56081db05d6fd2a45fe50596a 100644
+index ed2253f1fc3cf8d59e73e4f2478dfb0d4227aacd..84a650885a79bc5c49efdc26f62ec8db48de775c 100644
 --- a/src/env.h
 +++ b/src/env.h
 @@ -52,7 +52,7 @@
@@ -311,7 +311,7 @@ index d9c533f100d25aeab1fe8589932a8ddead431258..2acab8786a8a752b17961445edeb872c
  #if NODE_OPENSSL_HAS_QUIC
  #include <openssl/quic.h>
 diff --git a/src/node_options.h b/src/node_options.h
-index 887ead81d4b8bd55351091c06ed641c6a87b8419..6d4df44ccc06c3278948879a2430ab6f459cbec4 100644
+index 1f15c6cc6a9ae192b1b394c437393e744b5b1153..638e49ccf48d9b9c60189af9255ce7cef9184723 100644
 --- a/src/node_options.h
 +++ b/src/node_options.h
 @@ -11,7 +11,7 @@

patches/node/fix_lazyload_fs_in_esm_loaders_to_apply_asar_patches.patch

@@ -28,7 +28,7 @@ index 5f1921d15bc1d3a68c35990f85e36a0e8a5b3ec4..99c6ce57c04768d125dd0a1c6bd62bca
      const result = dataURLProcessor(url);
      if (result === 'failure') {
 diff --git a/lib/internal/modules/esm/resolve.js b/lib/internal/modules/esm/resolve.js
-index 4fd58b1cea557ec122bd860e1ebc15bd04c44f78..8dc8bbfe8d73e2d11edc261d6fe9f37aaa81e4cd 100644
+index 5f03cf14e948d449d303b22ab6710b5508fb83b2..72cc9444ca93ef7a1526e23314693aeaf5f173b0 100644
 --- a/lib/internal/modules/esm/resolve.js
 +++ b/lib/internal/modules/esm/resolve.js
 @@ -25,7 +25,7 @@ const {
@@ -40,7 +40,7 @@ index 4fd58b1cea557ec122bd860e1ebc15bd04c44f78..8dc8bbfe8d73e2d11edc261d6fe9f37a
  const { getOptionValue } = require('internal/options');
  // Do not eagerly grab .manifest, it may be in TDZ
  const { sep, posix: { relative: relativePosixPath }, resolve } = require('path');
-@@ -277,7 +277,7 @@ function finalizeResolution(resolved, base, preserveSymlinks) {
+@@ -276,7 +276,7 @@ function finalizeResolution(resolved, base, preserveSymlinks) {
    }
  
    if (!preserveSymlinks) {

patches/node/fix_suppress_nodiscard_warning_for_copy_options_operator.patch

@@ -7,10 +7,10 @@ libc++ added [[nodiscard]] to std::filesystem::copy_options operator|=
 which causes build failures with -Werror.
 
 diff --git a/src/node_file.cc b/src/node_file.cc
-index e834325a763f7ea8f53210145b5edd134d6b67e6..5197202255bcd9345ac19c7fb6106f49c2800770 100644
+index c364f2a4f6dd6ec066b00f364108383154be12ec..326e1c3c3b9e987e89cfc12b260b0a6ab333a607 100644
 --- a/src/node_file.cc
 +++ b/src/node_file.cc
-@@ -3453,11 +3453,11 @@ static void CpSyncCopyDir(const FunctionCallbackInfo<Value>& args) {
+@@ -3444,11 +3444,11 @@ static void CpSyncCopyDir(const FunctionCallbackInfo<Value>& args) {
  
    auto file_copy_opts = std::filesystem::copy_options::recursive;
    if (force) {

patches/node/pass_all_globals_through_require.patch

@@ -6,7 +6,7 @@ Subject: Pass all globals through "require"
 (cherry picked from commit 7d015419cb7a0ecfe6728431a4ed2056cd411d62)
 
 diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
-index 2b199e82fee3a9d56521b9c5cc04a20cdfd6f045..e28755a20176c2806769430910b28a0e61d7691e 100644
+index 414e450ee3a8110b8249dd831fef1ab885cc6fa1..c6ff40d814a49536808a2fd79ee6918c3ac118c9 100644
 --- a/lib/internal/modules/cjs/loader.js
 +++ b/lib/internal/modules/cjs/loader.js
 @@ -209,6 +209,13 @@ const {
@@ -23,7 +23,7 @@ index 2b199e82fee3a9d56521b9c5cc04a20cdfd6f045..e28755a20176c2806769430910b28a0e
  const {
    isProxy,
  } = require('internal/util/types');
-@@ -1799,10 +1806,12 @@ Module.prototype._compile = function(content, filename, format) {
+@@ -1756,10 +1763,12 @@ Module.prototype._compile = function(content, filename, format) {
    if (this[kIsMainSymbol] && getOptionValue('--inspect-brk')) {
      const { callAndPauseOnStart } = internalBinding('inspector');
      result = callAndPauseOnStart(compiledWrapper, thisValue, exports,

patches/node/refactor_attach_cppgc_heap_on_v8_isolate_creation.patch

@@ -18,10 +18,10 @@ This can be removed when Node.js upgrades to a version of V8 containing CLs
 from the above issue.
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index 5c8bc870dcf2e974036cf3bcb60fd288e59045d9..0f19cb09ea0963a9c505c51f89d1c7a939f2730b 100644
+index 53f05293bd94e159dfedf48735989e668acdd08e..d753ad6c6b49b26b86920124f7ac90c1e052638e 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -331,6 +331,10 @@ Isolate* NewIsolate(Isolate::CreateParams* params,
+@@ -323,6 +323,10 @@ Isolate* NewIsolate(Isolate::CreateParams* params,
                      MultiIsolatePlatform* platform,
                      const SnapshotData* snapshot_data,
                      const IsolateSettings& settings) {
@@ -32,7 +32,7 @@ index 5c8bc870dcf2e974036cf3bcb60fd288e59045d9..0f19cb09ea0963a9c505c51f89d1c7a9
    IsolateGroup group = GetOrCreateIsolateGroup();
    Isolate* isolate = Isolate::Allocate(group);
    if (isolate == nullptr) return nullptr;
-@@ -387,9 +391,12 @@ Isolate* NewIsolate(ArrayBufferAllocator* allocator,
+@@ -373,9 +377,12 @@ Isolate* NewIsolate(ArrayBufferAllocator* allocator,
                      uv_loop_t* event_loop,
                      MultiIsolatePlatform* platform,
                      const EmbedderSnapshotData* snapshot_data,
@@ -151,7 +151,7 @@ index dd6ecd1f9d82f6661b2480c0195e33515633429f..334d5cb7df7a763e0929468392dad834
    isolate_ =
        NewIsolate(isolate_params_.get(), event_loop, platform, snapshot_data);
 diff --git a/src/node_worker.cc b/src/node_worker.cc
-index fcfd5fecdebd2724441eb83b498b38b11eedad25..e7d26b4c8cbb08a175084ceac51395860dc60598 100644
+index 7bae29747d8cd8e83973d105099f9111fc185fe1..62c53368d1173edb7eb42e3337049c46fd7cdda9 100644
 --- a/src/node_worker.cc
 +++ b/src/node_worker.cc
 @@ -181,6 +181,9 @@ class WorkerThreadData {

patches/node/src_handle_der_decoding_errors_from_system_certificates.patch

@@ -0,0 +1,74 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Joyee Cheung <joyeec9h3@gmail.com>
+Date: Thu, 20 Nov 2025 13:50:28 +0900
+Subject: src: handle DER decoding errors from system certificates
+
+When decoding certificates from the system store, it's not actually
+guaranteed to succeed. In case the system returns a certificate
+that cannot be decoded (might be related to SSL implementation issues),
+skip them.
+
+diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
+index fc6d295a401d5283ba19dd5c95b748c83b7055a9..b971ea5b6842549563c0c54168d17ecf6e72bb73 100644
+--- a/src/crypto/crypto_context.cc
++++ b/src/crypto/crypto_context.cc
+@@ -507,7 +507,11 @@ void ReadMacOSKeychainCertificates(
+   CFRelease(search);
+ 
+   if (ortn) {
+-    fprintf(stderr, "ERROR: SecItemCopyMatching failed %d\n", ortn);
++    per_process::Debug(DebugCategory::CRYPTO,
++                       "Cannot read certificates from system because "
++                       "SecItemCopyMatching failed %d\n",
++                       ortn);
++    return;
+   }
+ 
+   CFIndex count = CFArrayGetCount(curr_anchors);
+@@ -518,7 +522,9 @@ void ReadMacOSKeychainCertificates(
+ 
+     CFDataRef der_data = SecCertificateCopyData(cert_ref);
+     if (!der_data) {
+-      fprintf(stderr, "ERROR: SecCertificateCopyData failed\n");
++      per_process::Debug(DebugCategory::CRYPTO,
++                         "Skipping read of a system certificate "
++                         "because SecCertificateCopyData failed\n");
+       continue;
+     }
+     auto data_buffer_pointer = CFDataGetBytePtr(der_data);
+@@ -526,9 +532,19 @@ void ReadMacOSKeychainCertificates(
+     X509* cert =
+         d2i_X509(nullptr, &data_buffer_pointer, CFDataGetLength(der_data));
+     CFRelease(der_data);
++
++    if (cert == nullptr) {
++      per_process::Debug(DebugCategory::CRYPTO,
++                         "Skipping read of a system certificate "
++                         "because decoding failed\n");
++      continue;
++    }
++
+     bool is_valid = IsCertificateTrustedForPolicy(cert, cert_ref);
+     if (is_valid) {
+       system_root_certificates_X509->emplace_back(cert);
++    } else {
++      X509_free(cert);
+     }
+   }
+   CFRelease(curr_anchors);
+@@ -638,7 +654,14 @@ void GatherCertsForLocation(std::vector<X509*>* vector,
+         reinterpret_cast<const unsigned char*>(cert_from_store->pbCertEncoded);
+     const size_t cert_size = cert_from_store->cbCertEncoded;
+ 
+-    vector->emplace_back(d2i_X509(nullptr, &cert_data, cert_size));
++    X509* x509 = d2i_X509(nullptr, &cert_data, cert_size);
++    if (x509 == nullptr) {
++      per_process::Debug(DebugCategory::CRYPTO,
++                         "Skipping read of a system certificate "
++                         "because decoding failed\n");
++    } else {
++      vector->emplace_back(x509);
++    }
+   }
+ }
+ 

patches/node/src_stop_using_v8_propertycallbackinfo_t_this.patch

@@ -63,10 +63,10 @@ index e66d4fcb0c064f96cdb819c783027d864fe88d12..619980b36db457ef7e476eacd446e3bf
      return Intercepted::kNo;
    }
 diff --git a/src/node_modules.cc b/src/node_modules.cc
-index 5d9a9da3a068a68c13c5c0cacfe07eec3dad8bc3..c5c61888ecaaeeb23ebc9887f19ae3ad4c30dbd4 100644
+index b5425122b54d91673e184ccfe88dd3a0ca2ff634..d1db60e59ac0f1f3e3bfceecc81c81cd038bac66 100644
 --- a/src/node_modules.cc
 +++ b/src/node_modules.cc
-@@ -682,7 +682,7 @@ static void PathHelpersLazyGetter(Local<v8::Name> name,
+@@ -645,7 +645,7 @@ static void PathHelpersLazyGetter(Local<v8::Name> name,
    // When this getter is invoked in a vm context, the `Realm::GetCurrent(info)`
    // returns a nullptr and retrieve the creation context via `this` object and
    // get the creation Realm.
@@ -76,10 +76,10 @@ index 5d9a9da3a068a68c13c5c0cacfe07eec3dad8bc3..c5c61888ecaaeeb23ebc9887f19ae3ad
      THROW_ERR_INVALID_INVOCATION(isolate);
      return;
 diff --git a/src/node_util.cc b/src/node_util.cc
-index af42a3bd72c3f4aa6aff4a95231f3f3da5008176..e9f4c1cdb60c03dce210f49e18dda57a4934a8b5 100644
+index 2e4d98a8a66a18248ed292895671709abca155ad..0306e0b5d85269a7381356b53d34b7cc73f963d4 100644
 --- a/src/node_util.cc
 +++ b/src/node_util.cc
-@@ -366,7 +366,7 @@ static void DefineLazyPropertiesGetter(
+@@ -370,7 +370,7 @@ static void DefineLazyPropertiesGetter(
    // When this getter is invoked in a vm context, the `Realm::GetCurrent(info)`
    // returns a nullptr and retrieve the creation context via `this` object and
    // get the creation Realm.
@@ -89,10 +89,10 @@ index af42a3bd72c3f4aa6aff4a95231f3f3da5008176..e9f4c1cdb60c03dce210f49e18dda57a
      THROW_ERR_INVALID_INVOCATION(isolate);
      return;
 diff --git a/src/node_webstorage.cc b/src/node_webstorage.cc
-index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a1132335bffc 100644
+index 5819d9bca845e0eed6d4d93564469d8f3c36200b..f4139f25f22b0744b0819ea4570f23254c80ec13 100644
 --- a/src/node_webstorage.cc
 +++ b/src/node_webstorage.cc
-@@ -535,7 +535,7 @@ template <typename T>
+@@ -531,7 +531,7 @@ template <typename T>
  static bool ShouldIntercept(Local<Name> property,
                              const PropertyCallbackInfo<T>& info) {
    Environment* env = Environment::GetCurrent(info);
@@ -101,7 +101,7 @@ index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a113
  
    if (proto->IsObject()) {
      bool has_prop;
-@@ -559,7 +559,7 @@ static Intercepted StorageGetter(Local<Name> property,
+@@ -555,7 +555,7 @@ static Intercepted StorageGetter(Local<Name> property,
    }
  
    Storage* storage;
@@ -110,7 +110,7 @@ index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a113
    Local<Value> result;
  
    if (storage->Load(property).ToLocal(&result) && !result->IsNull()) {
-@@ -573,7 +573,7 @@ static Intercepted StorageSetter(Local<Name> property,
+@@ -569,7 +569,7 @@ static Intercepted StorageSetter(Local<Name> property,
                                   Local<Value> value,
                                   const PropertyCallbackInfo<void>& info) {
    Storage* storage;
@@ -119,7 +119,7 @@ index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a113
  
    if (storage->Store(property, value).IsNothing()) {
      info.GetReturnValue().SetFalse();
-@@ -589,7 +589,7 @@ static Intercepted StorageQuery(Local<Name> property,
+@@ -585,7 +585,7 @@ static Intercepted StorageQuery(Local<Name> property,
    }
  
    Storage* storage;
@@ -128,7 +128,7 @@ index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a113
    Local<Value> result;
    if (!storage->Load(property).ToLocal(&result) || result->IsNull()) {
      return Intercepted::kNo;
-@@ -602,7 +602,7 @@ static Intercepted StorageQuery(Local<Name> property,
+@@ -598,7 +598,7 @@ static Intercepted StorageQuery(Local<Name> property,
  static Intercepted StorageDeleter(Local<Name> property,
                                    const PropertyCallbackInfo<Boolean>& info) {
    Storage* storage;
@@ -137,7 +137,7 @@ index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a113
  
    info.GetReturnValue().Set(storage->Remove(property).IsJust());
  
-@@ -611,7 +611,7 @@ static Intercepted StorageDeleter(Local<Name> property,
+@@ -607,7 +607,7 @@ static Intercepted StorageDeleter(Local<Name> property,
  
  static void StorageEnumerator(const PropertyCallbackInfo<Array>& info) {
    Storage* storage;
@@ -146,7 +146,7 @@ index bd83654012442195866e57173b6e5d4d25fecf0f..9f31a56b00600b2754d8c7115630a113
    Local<Array> result;
    if (!storage->Enumerate().ToLocal(&result)) {
      return;
-@@ -623,7 +623,7 @@ static Intercepted StorageDefiner(Local<Name> property,
+@@ -619,7 +619,7 @@ static Intercepted StorageDefiner(Local<Name> property,
                                    const PropertyDescriptor& desc,
                                    const PropertyCallbackInfo<void>& info) {
    Storage* storage;

patches/node/support_v8_sandboxed_pointers.patch

@@ -6,75 +6,6 @@ Subject: support V8 sandboxed pointers
 This refactors several allocators to allocate within the V8 memory cage,
 allowing them to be compatible with the V8_SANDBOXED_POINTERS feature.
 
-diff --git a/src/api/environment.cc b/src/api/environment.cc
-index 53f05293bd94e159dfedf48735989e668acdd08e..5c8bc870dcf2e974036cf3bcb60fd288e59045d9 100644
---- a/src/api/environment.cc
-+++ b/src/api/environment.cc
-@@ -111,6 +111,14 @@ MaybeLocal<Value> PrepareStackTraceCallback(Local<Context> context,
-   return result;
- }
- 
-+NodeArrayBufferAllocator::NodeArrayBufferAllocator() {
-+  zero_fill_field_ = static_cast<uint32_t*>(allocator_->Allocate(sizeof(*zero_fill_field_)));
-+}
-+
-+NodeArrayBufferAllocator::~NodeArrayBufferAllocator() {
-+  allocator_->Free(zero_fill_field_, sizeof(*zero_fill_field_));
-+}
-+
- void* NodeArrayBufferAllocator::Allocate(size_t size) {
-   void* ret;
-   COUNT_GENERIC_USAGE("NodeArrayBufferAllocator.Allocate.ZeroFilled");
-@@ -337,6 +345,12 @@ Isolate* NewIsolate(Isolate::CreateParams* params,
-     // but also otherwise just doesn't work, and the only real alternative
-     // is disabling shared-readonly-heap mode altogether.
-     static Isolate::CreateParams first_params = *params;
-+    // Clear allocator pointers to prevent use-after-free during static
-+    // destruction. The static first_params can outlive V8's internal
-+    // allocator systems, causing crashes when its destructor tries to
-+    // free resources after V8 has shut down.
-+    first_params.array_buffer_allocator = nullptr;
-+    first_params.array_buffer_allocator_shared.reset();
-     params->snapshot_blob = first_params.snapshot_blob;
-     params->external_references = first_params.external_references;
-   }
-diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc
-index 46a7d1396dc1a175ae99f4e403721f1730fdd320..bbb0abb3b9563074d350578e0f5a8fa211046b17 100644
---- a/src/crypto/crypto_dh.cc
-+++ b/src/crypto/crypto_dh.cc
-@@ -61,17 +61,22 @@ MaybeLocal<Value> DataPointerToBuffer(Environment* env, DataPointer&& data) {
-     bool secure;
-   };
- #ifdef V8_ENABLE_SANDBOX
--  auto backing = ArrayBuffer::NewBackingStore(
--      env->isolate(),
--      data.size(),
--      BackingStoreInitializationMode::kUninitialized,
--      BackingStoreOnFailureMode::kReturnNull);
--  if (!backing) {
--    THROW_ERR_MEMORY_ALLOCATION_FAILED(env);
--    return MaybeLocal<Value>();
--  }
-+  std::unique_ptr<v8::BackingStore> backing;
-   if (data.size() > 0) {
--    memcpy(backing->Data(), data.get(), data.size());
-+    std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+    void* v8_data = allocator->Allocate(data.size());
-+    CHECK(v8_data);
-+    memcpy(v8_data, data.get(), data.size());
-+    backing = ArrayBuffer::NewBackingStore(
-+        v8_data,
-+        data.size(),
-+        [](void* data, size_t length, void*) {
-+          std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
-+          allocator->Free(data, length);
-+        }, nullptr);
-+  } else {
-+    NoArrayBufferZeroFillScope no_zero_fill_scope(env->isolate_data());
-+    backing = v8::ArrayBuffer::NewBackingStore(env->isolate(), data.size());
-   }
- #else
-   auto backing = ArrayBuffer::NewBackingStore(
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
 index 12b0d804c6f1d4998b85160b0aac8eb7a3b5576b..27bd93769233dc65a064710db4095d9cdc3a8b1a 100644
 --- a/src/crypto/crypto_util.cc
@@ -189,110 +120,11 @@ index b30297eac08ad9587642b723f91d7e3b954294d4..4c5427596d1c90d3a413cdd9ff4f1151
  #else
    auto backing = ArrayBuffer::NewBackingStore(
        mem->data,
-diff --git a/src/env-inl.h b/src/env-inl.h
-index 74bbb9fb83246a90bc425e259150f0868020ac9e..777335321fc9037d91d88fb5852bbf5b05f50d0a 100644
---- a/src/env-inl.h
-+++ b/src/env-inl.h
-@@ -44,6 +44,16 @@
- 
- namespace node {
- 
-+NoArrayBufferZeroFillScope::NoArrayBufferZeroFillScope(
-+    IsolateData* isolate_data)
-+    : node_allocator_(isolate_data->node_allocator()) {
-+  if (node_allocator_ != nullptr) node_allocator_->zero_fill_field()[0] = 0;
-+}
-+
-+NoArrayBufferZeroFillScope::~NoArrayBufferZeroFillScope() {
-+  if (node_allocator_ != nullptr) node_allocator_->zero_fill_field()[0] = 1;
-+}
-+
- inline v8::Isolate* IsolateData::isolate() const {
-   return isolate_;
- }
-diff --git a/src/env.h b/src/env.h
-index 754ddf7b331465c56081db05d6fd2a45fe50596a..db1ed241f730791ba3e3f93349cb5ff3437c738d 100644
---- a/src/env.h
-+++ b/src/env.h
-@@ -111,6 +111,19 @@ class ModuleWrap;
- class Environment;
- class Realm;
- 
-+// Disables zero-filling for ArrayBuffer allocations in this scope. This is
-+// similar to how we implement Buffer.allocUnsafe() in JS land.
-+class NoArrayBufferZeroFillScope {
-+ public:
-+  inline explicit NoArrayBufferZeroFillScope(IsolateData* isolate_data);
-+  inline ~NoArrayBufferZeroFillScope();
-+
-+ private:
-+  NodeArrayBufferAllocator* node_allocator_;
-+
-+  friend class Environment;
-+};
-+
- struct IsolateDataSerializeInfo {
-   std::vector<SnapshotIndex> primitive_values;
-   std::vector<PropInfo> template_values;
 diff --git a/src/node_buffer.cc b/src/node_buffer.cc
-index ddee7b7e40c3ee4054b2b15b75154607aa6431ed..9b74343d01913a27bde608d73d890ae127143960 100644
+index 49df0b4284748effb27b05ecd69f05699dd8be75..77da37881bb351249c45e405289193c10d083e0c 100644
 --- a/src/node_buffer.cc
 +++ b/src/node_buffer.cc
-@@ -81,6 +81,7 @@ using v8::SharedArrayBuffer;
- using v8::String;
- using v8::Uint32;
- using v8::Uint8Array;
-+using v8::Uint32Array;
- using v8::Value;
- 
- namespace {
-@@ -1243,6 +1244,45 @@ void SetBufferPrototype(const FunctionCallbackInfo<Value>& args) {
-   realm->set_buffer_prototype_object(proto);
- }
- 
-+void GetZeroFillToggle(const FunctionCallbackInfo<Value>& args) {
-+  Environment* env = Environment::GetCurrent(args);
-+  NodeArrayBufferAllocator* allocator = env->isolate_data()->node_allocator();
-+  Local<ArrayBuffer> ab;
-+  // It can be a nullptr when running inside an isolate where we
-+  // do not own the ArrayBuffer allocator.
-+  if (allocator == nullptr || env->isolate_data()->is_building_snapshot()) {
-+    // Create a dummy Uint32Array - the JS land can only toggle the C++ land
-+    // setting when the allocator uses our toggle. With this the toggle in JS
-+    // land results in no-ops.
-+    // When building a snapshot, just use a dummy toggle as well to avoid
-+    // introducing the dynamic external reference. We'll re-initialize the
-+    // toggle with a real one connected to the C++ allocator after snapshot
-+    // deserialization.
-+
-+    ab = ArrayBuffer::New(env->isolate(), sizeof(uint32_t));
-+  } else {
-+    // TODO(joyeecheung): save ab->GetBackingStore()->Data() in the Node.js
-+    // array buffer allocator and include it into the C++ toggle while the
-+    // Environment is still alive.
-+    uint32_t* zero_fill_field = allocator->zero_fill_field();
-+    std::unique_ptr<BackingStore> backing =
-+        ArrayBuffer::NewBackingStore(zero_fill_field,
-+                                     sizeof(*zero_fill_field),
-+                                     [](void*, size_t, void*) {},
-+                                     nullptr);
-+    ab = ArrayBuffer::New(env->isolate(), std::move(backing));
-+  }
-+
-+  if (ab->SetPrivate(env->context(),
-+                     env->untransferable_object_private_symbol(),
-+                     True(env->isolate()))
-+          .IsNothing()) {
-+    return;
-+  }
-+
-+  args.GetReturnValue().Set(Uint32Array::New(ab, 0, 1));
-+}
-+
- static void Btoa(const FunctionCallbackInfo<Value>& args) {
-   CHECK_EQ(args.Length(), 1);
-   Environment* env = Environment::GetCurrent(args);
-@@ -1420,7 +1460,7 @@ inline size_t CheckNumberToSize(Local<Value> number) {
+@@ -1420,7 +1420,7 @@ inline size_t CheckNumberToSize(Local<Value> number) {
    CHECK(value >= 0 && value < maxSize);
    size_t size = static_cast<size_t>(value);
  #ifdef V8_ENABLE_SANDBOX
@@ -301,22 +133,6 @@ index ddee7b7e40c3ee4054b2b15b75154607aa6431ed..9b74343d01913a27bde608d73d890ae1
  #endif
    return size;
  }
-@@ -1638,6 +1678,7 @@ void Initialize(Local<Object> target,
-                 "utf8WriteStatic",
-                 SlowWriteString<UTF8>,
-                 &fast_write_string_utf8);
-+  SetMethod(context, target, "getZeroFillToggle", GetZeroFillToggle);
- }
- 
- }  // anonymous namespace
-@@ -1686,6 +1727,7 @@ void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
-   registry->Register(StringWrite<HEX>);
-   registry->Register(StringWrite<UCS2>);
-   registry->Register(StringWrite<UTF8>);
-+  registry->Register(GetZeroFillToggle);
- 
-   registry->Register(CopyArrayBuffer);
-   registry->Register(CreateUnsafeArrayBuffer);
 diff --git a/src/node_i18n.cc b/src/node_i18n.cc
 index 3c4f419aa29470b3280174b58680b9421b0340b5..3b24ad2a2316f89d98b067e2c13988f87a9a00d2 100644
 --- a/src/node_i18n.cc
@@ -357,28 +173,6 @@ index 3c4f419aa29470b3280174b58680b9421b0340b5..3b24ad2a2316f89d98b067e2c13988f8
  }
  
  constexpr const char* EncodingName(const enum encoding encoding) {
-diff --git a/src/node_internals.h b/src/node_internals.h
-index 61a58b6ccfb26efefd6d3b61a1c8741f9550ae8d..29d1ecc2b209c9c3c2e956263ba2d57fb688b34c 100644
---- a/src/node_internals.h
-+++ b/src/node_internals.h
-@@ -124,6 +124,9 @@ v8::MaybeLocal<v8::Object> InitializePrivateSymbols(
- 
- class NodeArrayBufferAllocator : public ArrayBufferAllocator {
-  public:
-+  NodeArrayBufferAllocator();
-+  ~NodeArrayBufferAllocator() override;
-+  inline uint32_t* zero_fill_field() { return zero_fill_field_; }
-   void* Allocate(size_t size) override;  // Defined in src/node.cc
-   void* AllocateUninitialized(size_t size) override;
-   void Free(void* data, size_t size) override;
-@@ -140,6 +143,7 @@ class NodeArrayBufferAllocator : public ArrayBufferAllocator {
-   }
- 
-  private:
-+  uint32_t* zero_fill_field_ = nullptr;  // Boolean but exposed as uint32 to JS land.
-   std::atomic<size_t> total_mem_usage_ {0};
- 
-   // Delegate to V8's allocator for compatibility with the V8 memory cage.
 diff --git a/src/node_serdes.cc b/src/node_serdes.cc
 index 00fcd4b6afccce47ff21c4447d9cd60f25c11835..5f96ee2051e5339456185efddb149c4d43093f31 100644
 --- a/src/node_serdes.cc
@@ -515,17 +309,3 @@ index ef659f1c39f7ee958879bf395377bc99911fc346..225b1465b7c97d972a38968faf6d6850
    auto ab = ArrayBuffer::New(isolate, std::move(bs));
    v8::Local<Uint8Array> u8 = v8::Uint8Array::New(ab, 0, 1);
  
-diff --git a/test/parallel/test-buffer-concat.js b/test/parallel/test-buffer-concat.js
-index 9f0eadd2f10163c3c30657c84eb0ba55db17364d..7c1a6f71ca24dd2e54f9f5987aae2014b44bfba6 100644
---- a/test/parallel/test-buffer-concat.js
-+++ b/test/parallel/test-buffer-concat.js
-@@ -84,8 +84,7 @@ assert.throws(() => {
-   Buffer.concat([Buffer.from('hello')], -2);
- }, {
-   code: 'ERR_OUT_OF_RANGE',
--  message: 'The value of "length" is out of range. It must be >= 0 && <= 9007199254740991. ' +
--           'Received -2'
-+  message: /The value of "length" is out of range\. It must be >= 0 && <= (?:34359738367|9007199254740991)\. Received -2/
- });
- 
- // eslint-disable-next-line node-core/crypto-check

patches/node/test_formally_mark_some_tests_as_flaky.patch

@@ -7,7 +7,7 @@ Instead of disabling the tests, flag them as flaky so they still run
 but don't cause CI failures on flakes.
 
 diff --git a/test/parallel/parallel.status b/test/parallel/parallel.status
-index 8bf4ae46f2d1d204d05adb6e951a613902f8bae2..2438ed04e3477c3bc74d02717129bf830a40c5f4 100644
+index 8ac30c589926a46356f44076a21f8c18057378e1..8531599f1c1474640bf804737244129c5860b0bd 100644
 --- a/test/parallel/parallel.status
 +++ b/test/parallel/parallel.status
 @@ -5,6 +5,16 @@ prefix parallel

patches/node/test_make_buffer_sizes_32bit-aware_in.patch

@@ -0,0 +1,38 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ren=C3=A9?= <contact.9a5d6388@renegade334.me.uk>
+Date: Sat, 20 Dec 2025 22:20:21 +0000
+Subject: test: make buffer sizes 32bit-aware in
+ test-internal-util-construct-sab
+
+PR-URL: https://github.com/nodejs/node/pull/61026
+Fixes: https://github.com/nodejs/node/issues/61025
+Refs: https://github.com/nodejs/node/pull/60497
+Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
+
+diff --git a/test/parallel/test-internal-util-construct-sab.js b/test/parallel/test-internal-util-construct-sab.js
+index 5ff9b09f8e7d36a91825a38e861b8c2615c62500..403b59809e47d2e1d3503a059826f66334a2f035 100644
+--- a/test/parallel/test-internal-util-construct-sab.js
++++ b/test/parallel/test-internal-util-construct-sab.js
+@@ -3,16 +3,20 @@
+ 
+ require('../common');
+ const assert = require('assert');
++const { kMaxLength } = require('buffer');
+ const { isSharedArrayBuffer } = require('util/types');
+ const { constructSharedArrayBuffer } = require('internal/util');
+ 
+ // We're testing that we can construct a SAB even when the global is not exposed.
+ assert.strictEqual(typeof SharedArrayBuffer, 'undefined');
+ 
+-for (const length of [undefined, 0, 1, 2 ** 32]) {
++for (const length of [undefined, 0, 1, 2 ** 16]) {
+   assert(isSharedArrayBuffer(constructSharedArrayBuffer(length)));
+ }
+ 
+-for (const length of [-1, Number.MAX_SAFE_INTEGER + 1, 2 ** 64]) {
++// Specifically test the following cases:
++// - out-of-range allocation requests should not crash the process
++// - no int64 overflow
++for (const length of [-1, kMaxLength + 1, 2 ** 64]) {
+   assert.throws(() => constructSharedArrayBuffer(length), RangeError);
+ }

script/node-disabled-tests.json

@@ -8,24 +8,10 @@
   "parallel/test-cluster-primary-error",
   "parallel/test-cluster-primary-kill",
   "parallel/test-config-file",
-  "parallel/test-crypto-aes-wrap",
-  "parallel/test-crypto-authenticated",
-  "parallel/test-crypto-authenticated-stream",
-  "parallel/test-crypto-default-shake-lengths",
-  "parallel/test-crypto-des3-wrap",
-  "parallel/test-crypto-dh-group-setters",
-  "parallel/test-crypto-dh-modp2",
-  "parallel/test-crypto-dh-modp2-views",
   "parallel/test-crypto-dh-stateless",
-  "parallel/test-crypto-ecb",
   "parallel/test-crypto-fips",
-  "parallel/test-crypto-key-objects",
   "parallel/test-crypto-keygen",
-  "parallel/test-crypto-keygen-deprecation",
-  "parallel/test-crypto-rsa-dsa",
-  "parallel/test-crypto-padding-aes256",
   "parallel/test-crypto-secure-heap",
-  "parallel/test-dgram-send-cb-quelches-error",
   "parallel/test-domain-error-types",
   "parallel/test-fs-utimes-y2K38",
   "parallel/test-http2-clean-output",
@@ -44,34 +30,10 @@
   "parallel/test-os-checked-function",
   "parallel/test-process-versions",
   "parallel/test-process-get-builtin",
-  "parallel/test-repl",
+  "parallel/test-repl-mode",
   "parallel/test-repl-underscore",
   "parallel/test-shadow-realm-custom-loaders",
-  "parallel/test-snapshot-api",
-  "parallel/test-snapshot-argv1",
-  "parallel/test-snapshot-basic",
-  "parallel/test-snapshot-cjs-main",
-  "parallel/test-snapshot-cwd",
-  "parallel/test-snapshot-console",
-  "parallel/test-snapshot-config",
-  "parallel/test-snapshot-dns-lookup-localhost",
-  "parallel/test-snapshot-dns-lookup-localhost-promise",
-  "parallel/test-snapshot-dns-resolve-localhost",
-  "parallel/test-snapshot-dns-resolve-localhost-promise",
-  "parallel/test-snapshot-error",
-  "parallel/test-snapshot-eval",
-  "parallel/test-snapshot-gzip",
-  "parallel/test-snapshot-incompatible",
-  "parallel/test-snapshot-namespaced-builtin",
-  "parallel/test-snapshot-net",
-  "parallel/test-snapshot-reproducible",
-  "parallel/test-snapshot-stack-trace-limit",
-  "parallel/test-snapshot-stack-trace-limit-mutation",
-  "parallel/test-snapshot-typescript",
-  "parallel/test-snapshot-umd",
-  "parallel/test-snapshot-warning",
-  "parallel/test-snapshot-weak-reference",
-  "parallel/test-snapshot-worker",
+  "parallel/test-snapshot",
   "parallel/test-strace-openat-openssl",
   "parallel/test-sqlite-backup",
   "parallel/test-max-old-space-size-percentage",
@@ -108,15 +70,11 @@
   "parallel/test-tls-multi-pfx",
   "parallel/test-tls-no-cert-required",
   "parallel/test-tls-no-sslv23",
-  "parallel/test-tls-off-thread-cert-loading",
   "parallel/test-tls-options-boolean-check",
   "parallel/test-tls-passphrase",
-  "parallel/test-tls-peer-certificate",
-  "parallel/test-tls-pfx-authorizationerror",
   "parallel/test-tls-psk-alpn-callback-exception-handling",
   "parallel/test-tls-psk-circuit",
   "parallel/test-tls-reduced-SECLEVEL-in-cipher",
-  "parallel/test-tls-root-certificates",
   "parallel/test-tls-server-failed-handshake-emits-clienterror",
   "parallel/test-tls-set-ciphers",
   "parallel/test-tls-set-ciphers-error",
@@ -126,45 +84,13 @@
   "parallel/test-tls-socket-failed-handshake-emits-error",
   "parallel/test-tls-ticket",
   "parallel/test-tls-ticket-cluster",
-  "parallel/test-trace-events-all",
-  "parallel/test-trace-events-async-hooks",
-  "parallel/test-trace-events-binding",
-  "parallel/test-trace-events-bootstrap",
-  "parallel/test-trace-events-category-used",
-  "parallel/test-trace-events-console",
-  "parallel/test-trace-events-dynamic-enable",
-  "parallel/test-trace-events-dynamic-enable-workers-disabled",
-  "parallel/test-trace-events-environment",
-  "parallel/test-trace-events-file-pattern",
-  "parallel/test-trace-events-fs-async",
-  "parallel/test-trace-events-fs-sync",
-  "parallel/test-trace-events-http",
-  "parallel/test-trace-events-metadata",
-  "parallel/test-trace-events-net",
-  "parallel/test-trace-events-none",
-  "parallel/test-trace-events-process-exit",
-  "parallel/test-trace-events-promises",
-  "parallel/test-trace-events-threadpool",
-  "parallel/test-trace-events-v8",
-  "parallel/test-trace-events-vm",
-  "parallel/test-trace-events-worker-metadata",
+  "parallel/test-trace-events",
   "parallel/test-tz-version",
-  "parallel/test-webcrypto-derivebits-cfrg",
-  "parallel/test-webcrypto-derivekey-cfrg",
-  "parallel/test-webcrypto-encrypt-decrypt",
-  "parallel/test-webcrypto-encrypt-decrypt-aes",
-  "parallel/test-webcrypto-encrypt-decrypt-rsa",
-  "parallel/test-webcrypto-export-import-cfrg",
   "parallel/test-webcrypto-keygen",
-  "parallel/test-webcrypto-sign-verify-eddsa",
-  "parallel/test-webcrypto-wrap-unwrap",
   "parallel/test-worker-no-sab",
   "parallel/test-worker-resource-limits",
   "parallel/test-zlib-unused-weak",
-  "report/test-report-fatalerror-oomerror-compact",
-  "report/test-report-fatalerror-oomerror-directory",
-  "report/test-report-fatalerror-oomerror-filename",
-  "report/test-report-fatalerror-oomerror-set",
+  "report/test-report-fatalerror-oomerror",
   "report/test-report-getreport",
   "report/test-report-signal",
   "report/test-report-uncaught-exception",
@@ -174,12 +100,6 @@
   "report/test-report-writereport",
   "sea/test-single-executable-blob-config",
   "sea/test-single-executable-blob-config-errors",
-  "sequential/test-single-executable-application",
-  "sequential/test-single-executable-application-disable-experimental-sea-warning",
-  "sequential/test-single-executable-application-empty",
-  "sequential/test-single-executable-application-snapshot",
-  "sequential/test-single-executable-application-snapshot-and-code-cache",
-  "sequential/test-single-executable-application-use-code-cache",
   "sequential/test-tls-connect",
   "wpt/test-webcrypto",
   "wasm-allocation/test-wasm-allocation"

script/run-clang-tidy.ts

@@ -118,7 +118,7 @@ async function runClangTidy (
   fix: boolean = false
 ): Promise<boolean> {
   const cmd = path.resolve(LLVM_BIN, 'clang-tidy');
-  const args = [`-p=${outDir}`];
+  const args = [`-p=${outDir}`, "-header-filter=''"];
 
   if (!process.env.CI) args.push('--use-color');
   if (fix) args.push('--fix');

script/spec-runner.js

@@ -88,7 +88,7 @@ async function main () {
     }
 
     const versionString = `v${args.electronVersion}`;
-    console.log(`Running against Electron ${versionString.green}`);
+    console.log(`Running against Electron ${chalk.green(versionString)}`);
   }
 
   const [lastSpecHash, lastSpecInstallHash] = loadLastSpecHash();

shell/browser/api/electron_api_base_window.cc

@@ -111,8 +111,8 @@ BaseWindow::BaseWindow(v8::Isolate* isolate,
   }
 
   // Creates NativeWindow.
-  window_ = NativeWindow::Create(
-      options, parent.IsEmpty() ? nullptr : parent->window_.get());
+  NativeWindow* parent_native = parent.IsEmpty() ? nullptr : parent->window();
+  window_ = NativeWindow::Create(GetID(), options, parent_native);
   window_->AddObserver(this);
 
   SetContentView(View::Create(isolate));
@@ -146,7 +146,6 @@ BaseWindow::~BaseWindow() {
 }
 
 void BaseWindow::InitWith(v8::Isolate* isolate, v8::Local<v8::Object> wrapper) {
-  AttachAsUserData(window_.get());
   gin_helper::TrackableObject<BaseWindow>::InitWith(isolate, wrapper);
 
   // We can only append this window to parent window's child windows after this

shell/browser/api/electron_api_browser_window.cc

@@ -336,11 +336,12 @@ void BrowserWindow::BuildPrototype(v8::Isolate* isolate,
 // static
 v8::Local<v8::Value> BrowserWindow::From(v8::Isolate* isolate,
                                          NativeWindow* native_window) {
-  auto* existing = TrackableObject::FromWrappedClass(isolate, native_window);
-  if (existing)
-    return existing->GetWrapper();
-  else
-    return v8::Null(isolate);
+  if (native_window != nullptr) {
+    if (auto* base = FromWeakMapID(isolate, native_window->base_window_id()))
+      return base->GetWrapper();
+  }
+
+  return v8::Null(isolate);
 }
 
 }  // namespace electron::api

shell/browser/api/electron_api_data_pipe_holder.cc

@@ -7,6 +7,8 @@
 #include <utility>
 #include <vector>
 
+#include "base/containers/flat_map.h"
+#include "base/containers/map_util.h"
 #include "base/memory/weak_ptr.h"
 #include "base/no_destructor.h"
 #include "base/strings/string_number_conversions.h"
@@ -14,10 +16,10 @@
 #include "mojo/public/cpp/system/data_pipe.h"
 #include "mojo/public/cpp/system/simple_watcher.h"
 #include "net/base/net_errors.h"
-#include "shell/common/gin_helper/handle.h"
 #include "shell/common/gin_helper/promise.h"
-#include "shell/common/key_weak_map.h"
 #include "shell/common/node_util.h"
+#include "v8/include/cppgc/allocation.h"
+#include "v8/include/v8-cppgc.h"
 
 #include "shell/common/node_includes.h"
 
@@ -29,9 +31,11 @@ namespace {
 int g_next_id = 0;
 
 // Map that manages all the DataPipeHolder objects.
-KeyWeakMap<std::string>& AllDataPipeHolders() {
-  static base::NoDestructor<KeyWeakMap<std::string>> weak_map;
-  return *weak_map.get();
+[[nodiscard]] auto& AllDataPipeHolders() {
+  static base::NoDestructor<
+      base::flat_map<std::string, cppgc::WeakPersistent<DataPipeHolder>>>
+      weak_map;
+  return *weak_map;
 }
 
 // Utility class to read from data pipe.
@@ -143,8 +147,9 @@ class DataPipeReader {
 
 }  // namespace
 
-gin::DeprecatedWrapperInfo DataPipeHolder::kWrapperInfo = {
-    gin::kEmbedderNativeGin};
+const gin::WrapperInfo DataPipeHolder::kWrapperInfo = {
+    {gin::kEmbedderNativeGin},
+    gin::kElectronDataPipeHolder};
 
 DataPipeHolder::DataPipeHolder(const network::DataElement& element)
     : id_(base::NumberToString(++g_next_id)) {
@@ -166,30 +171,28 @@ v8::Local<v8::Promise> DataPipeHolder::ReadAll(v8::Isolate* isolate) {
   return handle;
 }
 
-const char* DataPipeHolder::GetTypeName() {
-  return "DataPipeHolder";
+const gin::WrapperInfo* DataPipeHolder::wrapper_info() const {
+  return &kWrapperInfo;
+}
+
+const char* DataPipeHolder::GetHumanReadableName() const {
+  return "Electron / DataPipeHolder";
 }
 
 // static
-gin_helper::Handle<DataPipeHolder> DataPipeHolder::Create(
-    v8::Isolate* isolate,
-    const network::DataElement& element) {
-  auto handle = gin_helper::CreateHandle(isolate, new DataPipeHolder(element));
-  AllDataPipeHolders().Set(isolate, handle->id(),
-                           handle->GetWrapper(isolate).ToLocalChecked());
-  return handle;
+DataPipeHolder* DataPipeHolder::Create(v8::Isolate* isolate,
+                                       const network::DataElement& element) {
+  auto* holder = cppgc::MakeGarbageCollected<DataPipeHolder>(
+      isolate->GetCppHeap()->GetAllocationHandle(), element);
+  AllDataPipeHolders().insert_or_assign(holder->id(), holder);
+  return holder;
 }
 
 // static
-gin_helper::Handle<DataPipeHolder> DataPipeHolder::From(v8::Isolate* isolate,
-                                                        const std::string& id) {
-  v8::MaybeLocal<v8::Object> object = AllDataPipeHolders().Get(isolate, id);
-  if (!object.IsEmpty()) {
-    gin_helper::Handle<DataPipeHolder> handle;
-    if (gin::ConvertFromV8(isolate, object.ToLocalChecked(), &handle))
-      return handle;
-  }
-  return {};
+DataPipeHolder* DataPipeHolder::From(v8::Isolate* isolate,
+                                     const std::string_view id) {
+  auto* found = base::FindOrNull(AllDataPipeHolders(), id);
+  return found ? found->Get() : nullptr;
 }
 
 }  // namespace electron::api

shell/browser/api/electron_api_data_pipe_holder.h

@@ -7,31 +7,28 @@
 
 #include <string>
 
+#include "gin/wrappable.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "services/network/public/cpp/data_element.h"
 #include "services/network/public/mojom/data_pipe_getter.mojom.h"
-#include "shell/common/gin_helper/wrappable.h"
-
-namespace gin_helper {
-template <typename T>
-class Handle;
-}  // namespace gin_helper
 
 namespace electron::api {
 
 // Retains reference to the data pipe.
-class DataPipeHolder final
-    : public gin_helper::DeprecatedWrappable<DataPipeHolder> {
+class DataPipeHolder final : public gin::Wrappable<DataPipeHolder> {
  public:
-  // gin_helper::Wrappable
-  static gin::DeprecatedWrapperInfo kWrapperInfo;
-  const char* GetTypeName() override;
+  // gin::Wrappable
+  static const gin::WrapperInfo kWrapperInfo;
+  const gin::WrapperInfo* wrapper_info() const override;
+  const char* GetHumanReadableName() const override;
 
-  static gin_helper::Handle<DataPipeHolder> Create(
-      v8::Isolate* isolate,
-      const network::DataElement& element);
-  static gin_helper::Handle<DataPipeHolder> From(v8::Isolate* isolate,
-                                                 const std::string& id);
+  static DataPipeHolder* Create(v8::Isolate* isolate,
+                                const network::DataElement& element);
+  static DataPipeHolder* From(v8::Isolate* isolate, std::string_view id);
+
+  // Make public for cppgc::MakeGarbageCollected.
+  explicit DataPipeHolder(const network::DataElement& element);
+  ~DataPipeHolder() override;
 
   // Read all data at once.
   //
@@ -47,9 +44,6 @@ class DataPipeHolder final
   DataPipeHolder& operator=(const DataPipeHolder&) = delete;
 
  private:
-  explicit DataPipeHolder(const network::DataElement& element);
-  ~DataPipeHolder() override;
-
   std::string id_;
   mojo::Remote<network::mojom::DataPipeGetter> data_pipe_;
 };

shell/browser/api/electron_api_notification.cc

@@ -16,6 +16,10 @@
 #include "shell/common/node_includes.h"
 #include "url/gurl.h"
 
+#if BUILDFLAG(IS_WIN)
+#include "shell/browser/notifications/win/windows_toast_notification.h"
+#endif
+
 namespace gin {
 
 template <>
@@ -43,6 +47,29 @@ struct Converter<electron::NotificationAction> {
   }
 };
 
+#if BUILDFLAG(IS_WIN)
+template <>
+struct Converter<electron::ToastHistoryEntry> {
+  static v8::Local<v8::Value> ToV8(v8::Isolate* isolate,
+                                   const electron::ToastHistoryEntry& entry) {
+    auto dict = gin::Dictionary::CreateEmpty(isolate);
+    dict.Set("title", entry.title);
+    dict.Set("body", entry.body);
+    dict.Set("icon", entry.icon_path);
+    dict.Set("silent", entry.silent);
+    dict.Set("hasReply", entry.has_reply);
+    dict.Set("timeoutType", entry.timeout_type);
+    dict.Set("replyPlaceholder", entry.reply_placeholder);
+    dict.Set("sound", entry.sound);
+    dict.Set("urgency", entry.urgency);
+    dict.Set("actions", entry.actions);
+    dict.Set("closeButtonText", entry.close_button_text);
+    dict.Set("toastXml", entry.toast_xml);
+    return ConvertToV8(isolate, dict);
+  }
+};
+#endif
+
 }  // namespace gin
 
 namespace electron::api {
@@ -208,6 +235,15 @@ bool Notification::IsSupported() {
                ->GetNotificationPresenter();
 }
 
+v8::Local<v8::Value> Notification::GetHistory(v8::Isolate* isolate) {
+#if BUILDFLAG(IS_WIN)
+  return gin::ConvertToV8(isolate,
+                          electron::WindowsToastNotification::GetHistory());
+#else
+  return v8::Array::New(isolate);
+#endif
+}
+
 void Notification::FillObjectTemplate(v8::Isolate* isolate,
                                       v8::Local<v8::ObjectTemplate> templ) {
   gin::ObjectTemplateBuilder(isolate, GetClassName(), templ)
@@ -256,6 +292,7 @@ void Initialize(v8::Local<v8::Object> exports,
   gin_helper::Dictionary dict{isolate, exports};
   dict.Set("Notification", Notification::GetConstructor(isolate, context));
   dict.SetMethod("isSupported", &Notification::IsSupported);
+  dict.SetMethod("getHistory", &Notification::GetHistory);
 }
 
 }  // namespace

shell/browser/api/electron_api_notification.h

@@ -37,6 +37,7 @@ class Notification final : public gin_helper::DeprecatedWrappable<Notification>,
                            public NotificationDelegate {
  public:
   static bool IsSupported();
+  static v8::Local<v8::Value> GetHistory(v8::Isolate* isolate);
 
   // gin_helper::Constructible
   static gin_helper::Handle<Notification> New(gin_helper::ErrorThrower thrower,

shell/browser/api/electron_api_power_monitor.cc

@@ -5,16 +5,15 @@
 #include "shell/browser/api/electron_api_power_monitor.h"
 
 #include "base/power_monitor/power_monitor.h"
-#include "base/power_monitor/power_monitor_device_source.h"
 #include "base/power_monitor/power_observer.h"
 #include "gin/data_object_builder.h"
 #include "shell/browser/browser.h"
 #include "shell/browser/javascript_environment.h"
-#include "shell/common/gin_converters/callback_converter.h"
 #include "shell/common/gin_helper/dictionary.h"
-#include "shell/common/gin_helper/handle.h"
-#include "shell/common/gin_helper/object_template_builder.h"
 #include "shell/common/node_includes.h"
+#include "ui/base/idle/idle.h"
+#include "v8/include/cppgc/allocation.h"
+#include "v8/include/v8-cppgc.h"
 
 namespace gin {
 
@@ -60,10 +59,11 @@ struct Converter<base::PowerThermalObserver::DeviceThermalState> {
 
 namespace electron::api {
 
-gin::DeprecatedWrapperInfo PowerMonitor::kWrapperInfo = {
-    gin::kEmbedderNativeGin};
+const gin::WrapperInfo PowerMonitor::kWrapperInfo = {
+    {gin::kEmbedderNativeGin},
+    gin::kElectronPowerMonitor};
 
-PowerMonitor::PowerMonitor(v8::Isolate* isolate) {
+PowerMonitor::PowerMonitor() {
 #if BUILDFLAG(IS_MAC)
   Browser::Get()->SetShutdownHandler(base::BindRepeating(
       &PowerMonitor::ShouldShutdown, base::Unretained(this)));
@@ -142,11 +142,9 @@ void PowerMonitor::SetListeningForShutdown(bool is_listening) {
 #endif
 
 // static
-v8::Local<v8::Value> PowerMonitor::Create(v8::Isolate* isolate) {
-  auto* pm = new PowerMonitor(isolate);
-  auto handle = gin_helper::CreateHandle(isolate, pm).ToV8();
-  pm->Pin(isolate);
-  return handle;
+PowerMonitor* PowerMonitor::Create(v8::Isolate* isolate) {
+  return cppgc::MakeGarbageCollected<PowerMonitor>(
+      isolate->GetCppHeap()->GetAllocationHandle());
 }
 
 gin::ObjectTemplateBuilder PowerMonitor::GetObjectTemplateBuilder(
@@ -161,8 +159,12 @@ gin::ObjectTemplateBuilder PowerMonitor::GetObjectTemplateBuilder(
   return builder;
 }
 
-const char* PowerMonitor::GetTypeName() {
-  return "PowerMonitor";
+const gin::WrapperInfo* PowerMonitor::wrapper_info() const {
+  return &kWrapperInfo;
+}
+
+const char* PowerMonitor::GetHumanReadableName() const {
+  return "Electron / PowerMonitor";
 }
 
 }  // namespace electron::api

shell/browser/api/electron_api_power_monitor.h

@@ -6,40 +6,45 @@
 #define ELECTRON_SHELL_BROWSER_API_ELECTRON_API_POWER_MONITOR_H_
 
 #include "base/power_monitor/power_observer.h"
+#include "gin/wrappable.h"
 #include "shell/browser/event_emitter_mixin.h"
-#include "shell/common/gin_helper/pinnable.h"
-#include "shell/common/gin_helper/wrappable.h"
-#include "ui/base/idle/idle.h"
+#include "shell/common/gin_helper/self_keep_alive.h"
 
 #if BUILDFLAG(IS_LINUX)
 #include "shell/browser/lib/power_observer_linux.h"
 #endif
 
+namespace gin {
+class ObjectTemplateBuilder;
+}  // namespace gin
+
 namespace electron::api {
 
-class PowerMonitor final : public gin_helper::DeprecatedWrappable<PowerMonitor>,
+class PowerMonitor final : public gin::Wrappable<PowerMonitor>,
                            public gin_helper::EventEmitterMixin<PowerMonitor>,
-                           public gin_helper::Pinnable<PowerMonitor>,
                            private base::PowerStateObserver,
                            private base::PowerSuspendObserver,
                            private base::PowerThermalObserver {
  public:
-  static v8::Local<v8::Value> Create(v8::Isolate* isolate);
+  static PowerMonitor* Create(v8::Isolate* isolate);
 
-  // gin_helper::Wrappable
-  static gin::DeprecatedWrapperInfo kWrapperInfo;
+  // gin::Wrappable
+  static const gin::WrapperInfo kWrapperInfo;
+  const gin::WrapperInfo* wrapper_info() const override;
+  const char* GetHumanReadableName() const override;
   gin::ObjectTemplateBuilder GetObjectTemplateBuilder(
       v8::Isolate* isolate) override;
-  const char* GetTypeName() override;
+  const char* GetClassName() const { return "PowerMonitor"; }
+
+  // Make public for cppgc::MakeGarbageCollected.
+  PowerMonitor();
+  ~PowerMonitor() override;
 
   // disable copy
   PowerMonitor(const PowerMonitor&) = delete;
   PowerMonitor& operator=(const PowerMonitor&) = delete;
 
  private:
-  explicit PowerMonitor(v8::Isolate* isolate);
-  ~PowerMonitor() override;
-
 #if BUILDFLAG(IS_LINUX)
   void SetListeningForShutdown(bool);
 #endif
@@ -88,6 +93,8 @@ class PowerMonitor final : public gin_helper::DeprecatedWrappable<PowerMonitor>,
 #if BUILDFLAG(IS_LINUX)
   PowerObserverLinux power_observer_linux_{this};
 #endif
+
+  gin_helper::SelfKeepAlive<PowerMonitor> keep_alive_{this};
 };
 
 }  // namespace electron::api

shell/browser/api/electron_api_power_save_blocker.cc

@@ -16,6 +16,8 @@
 #include "shell/browser/javascript_environment.h"
 #include "shell/common/gin_helper/handle.h"
 #include "shell/common/node_includes.h"
+#include "v8/include/cppgc/allocation.h"
+#include "v8/include/v8-cppgc.h"
 
 namespace gin {
 
@@ -41,14 +43,39 @@ struct Converter<device::mojom::WakeLockType> {
 
 namespace electron::api {
 
-gin::DeprecatedWrapperInfo PowerSaveBlocker::kWrapperInfo = {
-    gin::kEmbedderNativeGin};
+const gin::WrapperInfo PowerSaveBlocker::kWrapperInfo = {
+    {gin::kEmbedderNativeGin},
+    gin::kElectronPowerSaveBlocker};
 
 PowerSaveBlocker::PowerSaveBlocker(v8::Isolate* isolate)
     : current_lock_type_(device::mojom::WakeLockType::kPreventAppSuspension) {}
 
 PowerSaveBlocker::~PowerSaveBlocker() = default;
 
+// static
+gin_helper::Handle<PowerSaveBlocker> PowerSaveBlocker::Create(
+    v8::Isolate* isolate) {
+  return gin_helper::CreateHandle(
+      isolate, cppgc::MakeGarbageCollected<PowerSaveBlocker>(
+                   isolate->GetCppHeap()->GetAllocationHandle(), isolate));
+}
+
+const gin::WrapperInfo* PowerSaveBlocker::wrapper_info() const {
+  return &kWrapperInfo;
+}
+
+const char* PowerSaveBlocker::GetHumanReadableName() const {
+  return "Electron / PowerSaveBlocker";
+}
+
+gin::ObjectTemplateBuilder PowerSaveBlocker::GetObjectTemplateBuilder(
+    v8::Isolate* isolate) {
+  return gin::Wrappable<PowerSaveBlocker>::GetObjectTemplateBuilder(isolate)
+      .SetMethod("start", &PowerSaveBlocker::Start)
+      .SetMethod("stop", &PowerSaveBlocker::Stop)
+      .SetMethod("isStarted", &PowerSaveBlocker::IsStarted);
+}
+
 void PowerSaveBlocker::UpdatePowerSaveBlocker() {
   if (wake_lock_types_.empty()) {
     if (is_wake_lock_active_) {
@@ -66,6 +93,7 @@ void PowerSaveBlocker::UpdatePowerSaveBlocker() {
   // Only the highest-precedence blocker type takes effect.
   device::mojom::WakeLockType new_lock_type =
       device::mojom::WakeLockType::kPreventAppSuspension;
+
   for (const auto& element : wake_lock_types_) {
     if (element.second == device::mojom::WakeLockType::kPreventDisplaySleep) {
       new_lock_type = device::mojom::WakeLockType::kPreventDisplaySleep;
@@ -114,25 +142,6 @@ bool PowerSaveBlocker::IsStarted(int id) const {
   return wake_lock_types_.contains(id);
 }
 
-// static
-gin_helper::Handle<PowerSaveBlocker> PowerSaveBlocker::Create(
-    v8::Isolate* isolate) {
-  return gin_helper::CreateHandle(isolate, new PowerSaveBlocker(isolate));
-}
-
-gin::ObjectTemplateBuilder PowerSaveBlocker::GetObjectTemplateBuilder(
-    v8::Isolate* isolate) {
-  return gin_helper::DeprecatedWrappable<
-             PowerSaveBlocker>::GetObjectTemplateBuilder(isolate)
-      .SetMethod("start", &PowerSaveBlocker::Start)
-      .SetMethod("stop", &PowerSaveBlocker::Stop)
-      .SetMethod("isStarted", &PowerSaveBlocker::IsStarted);
-}
-
-const char* PowerSaveBlocker::GetTypeName() {
-  return "PowerSaveBlocker";
-}
-
 }  // namespace electron::api
 
 namespace {

shell/browser/api/electron_api_power_save_blocker.h

@@ -6,9 +6,9 @@
 #define ELECTRON_SHELL_BROWSER_API_ELECTRON_API_POWER_SAVE_BLOCKER_H_
 
 #include "base/containers/flat_map.h"
+#include "gin/wrappable.h"
 #include "mojo/public/cpp/bindings/remote.h"
 #include "services/device/public/mojom/wake_lock.mojom.h"
-#include "shell/common/gin_helper/wrappable.h"
 
 namespace gin {
 class ObjectTemplateBuilder;
@@ -21,25 +21,25 @@ class Handle;
 
 namespace electron::api {
 
-class PowerSaveBlocker final
-    : public gin_helper::DeprecatedWrappable<PowerSaveBlocker> {
+class PowerSaveBlocker final : public gin::Wrappable<PowerSaveBlocker> {
  public:
   static gin_helper::Handle<PowerSaveBlocker> Create(v8::Isolate* isolate);
 
-  // gin_helper::Wrappable
-  static gin::DeprecatedWrapperInfo kWrapperInfo;
+  // gin::Wrappable
+  static const gin::WrapperInfo kWrapperInfo;
+  const gin::WrapperInfo* wrapper_info() const override;
+  const char* GetHumanReadableName() const override;
   gin::ObjectTemplateBuilder GetObjectTemplateBuilder(
       v8::Isolate* isolate) override;
-  const char* GetTypeName() override;
+
+  // Make public for cppgc::MakeGarbageCollected.
+  explicit PowerSaveBlocker(v8::Isolate* isolate);
+  ~PowerSaveBlocker() override;
 
   // disable copy
   PowerSaveBlocker(const PowerSaveBlocker&) = delete;
   PowerSaveBlocker& operator=(const PowerSaveBlocker&) = delete;
 
- protected:
-  explicit PowerSaveBlocker(v8::Isolate* isolate);
-  ~PowerSaveBlocker() override;
-
  private:
   void UpdatePowerSaveBlocker();
   int Start(device::mojom::WakeLockType type);

shell/browser/api/electron_api_screen.cc

@@ -9,12 +9,10 @@
 
 #include "base/functional/bind.h"
 #include "shell/browser/browser.h"
-#include "shell/common/gin_converters/callback_converter.h"
 #include "shell/common/gin_converters/gfx_converter.h"
 #include "shell/common/gin_converters/native_window_converter.h"
 #include "shell/common/gin_helper/dictionary.h"
 #include "shell/common/gin_helper/error_thrower.h"
-#include "shell/common/gin_helper/handle.h"
 #include "shell/common/gin_helper/object_template_builder.h"
 #include "shell/common/node_includes.h"
 #include "ui/display/display.h"
@@ -23,6 +21,8 @@
 #include "ui/gfx/geometry/point_conversions.h"
 #include "ui/gfx/geometry/point_f.h"
 #include "ui/gfx/geometry/vector2d_conversions.h"
+#include "v8/include/cppgc/allocation.h"
+#include "v8/include/v8-cppgc.h"
 
 #if BUILDFLAG(IS_WIN)
 #include "ui/display/win/screen_win.h"
@@ -38,7 +38,8 @@
 
 namespace electron::api {
 
-gin::DeprecatedWrapperInfo Screen::kWrapperInfo = {gin::kEmbedderNativeGin};
+const gin::WrapperInfo Screen::kWrapperInfo = {{gin::kEmbedderNativeGin},
+                                               gin::kElectronScreen};
 
 namespace {
 
@@ -69,15 +70,27 @@ void DelayEmitWithMetrics(Screen* screen,
   screen->Emit(name, display, metrics);
 }
 
+// Calls the one-liner `display::Screen::Get()` to get ui's global screen.
+// NOTE: during shutdown, that screen can be destroyed before us. This means:
+// 1. Call this instead of keeping a possibly-dangling raw_ptr in api::Screen.
+// 2. Always check this function's return value for nullptr before use.
+[[nodiscard]] auto* GetDisplayScreen() {
+  return display::Screen::Get();
+}
+
+[[nodiscard]] auto GetFallbackDisplay() {
+  return display::Display::GetDefaultDisplay();
+}
 }  // namespace
 
-Screen::Screen(v8::Isolate* isolate, display::Screen* screen)
-    : screen_(screen) {
-  screen_->AddObserver(this);
+Screen::Screen() {
+  if (auto* screen = GetDisplayScreen())
+    screen->AddObserver(this);
 }
 
 Screen::~Screen() {
-  screen_->RemoveObserver(this);
+  if (auto* screen = GetDisplayScreen())
+    screen->RemoveObserver(this);
 }
 
 gfx::Point Screen::GetCursorScreenPoint(v8::Isolate* isolate) {
@@ -92,7 +105,33 @@ gfx::Point Screen::GetCursorScreenPoint(v8::Isolate* isolate) {
     return {};
   }
 #endif
-  return screen_->GetCursorScreenPoint();
+  auto* screen = GetDisplayScreen();
+  return screen ? screen->GetCursorScreenPoint() : gfx::Point{};
+}
+
+display::Display Screen::GetPrimaryDisplay() const {
+  const auto* screen = GetDisplayScreen();
+  return screen ? screen->GetPrimaryDisplay() : GetFallbackDisplay();
+}
+
+std::vector<display::Display> Screen::GetAllDisplays() const {
+  if (const auto* screen = GetDisplayScreen())
+    return screen->GetAllDisplays();
+
+  // Even though this is only reached during shutdown by Screen::Get() failing,
+  // display::Screen::GetAllDisplays() is guaranteed to return >= 1 display.
+  // For consistency with that API, let's return a nonempty vector here.
+  return {GetFallbackDisplay()};
+}
+
+display::Display Screen::GetDisplayNearestPoint(const gfx::Point& point) const {
+  const auto* screen = GetDisplayScreen();
+  return screen ? screen->GetDisplayNearestPoint(point) : GetFallbackDisplay();
+}
+
+display::Display Screen::GetDisplayMatching(const gfx::Rect& match_rect) const {
+  const auto* screen = GetDisplayScreen();
+  return screen ? screen->GetDisplayMatching(match_rect) : GetFallbackDisplay();
 }
 
 #if BUILDFLAG(IS_WIN)
@@ -172,22 +211,21 @@ gfx::Point Screen::DIPToScreenPoint(const gfx::Point& point_dip) {
 }
 
 // static
-v8::Local<v8::Value> Screen::Create(gin_helper::ErrorThrower error_thrower) {
+Screen* Screen::Create(gin_helper::ErrorThrower error_thrower) {
   if (!Browser::Get()->is_ready()) {
     error_thrower.ThrowError(
         "The 'screen' module can't be used before the app 'ready' event");
-    return v8::Null(error_thrower.isolate());
+    return {};
   }
 
-  display::Screen* screen = display::Screen::Get();
+  display::Screen* screen = GetDisplayScreen();
   if (!screen) {
     error_thrower.ThrowError("Failed to get screen information");
-    return v8::Null(error_thrower.isolate());
+    return {};
   }
 
-  return gin_helper::CreateHandle(error_thrower.isolate(),
-                                  new Screen(error_thrower.isolate(), screen))
-      .ToV8();
+  return cppgc::MakeGarbageCollected<Screen>(
+      error_thrower.isolate()->GetCppHeap()->GetAllocationHandle());
 }
 
 gin::ObjectTemplateBuilder Screen::GetObjectTemplateBuilder(
@@ -209,10 +247,13 @@ gin::ObjectTemplateBuilder Screen::GetObjectTemplateBuilder(
       .SetMethod("getDisplayMatching", &Screen::GetDisplayMatching);
 }
 
-const char* Screen::GetTypeName() {
-  return "Screen";
+const gin::WrapperInfo* Screen::wrapper_info() const {
+  return &kWrapperInfo;
 }
 
+const char* Screen::GetHumanReadableName() const {
+  return "Electron / Screen";
+}
 }  // namespace electron::api
 
 namespace {

shell/browser/api/electron_api_screen.h

@@ -7,9 +7,8 @@
 
 #include <vector>
 
-#include "base/memory/raw_ptr.h"
+#include "gin/wrappable.h"
 #include "shell/browser/event_emitter_mixin.h"
-#include "shell/common/gin_helper/wrappable.h"
 #include "ui/display/display_observer.h"
 #include "ui/display/screen.h"
 
@@ -17,7 +16,6 @@ namespace gfx {
 class Point;
 class PointF;
 class Rect;
-class Screen;
 }  // namespace gfx
 
 namespace gin_helper {
@@ -26,38 +24,34 @@ class ErrorThrower;
 
 namespace electron::api {
 
-class Screen final : public gin_helper::DeprecatedWrappable<Screen>,
+class Screen final : public gin::Wrappable<Screen>,
                      public gin_helper::EventEmitterMixin<Screen>,
                      private display::DisplayObserver {
  public:
-  static v8::Local<v8::Value> Create(gin_helper::ErrorThrower error_thrower);
+  static Screen* Create(gin_helper::ErrorThrower error_thrower);
 
-  static gin::DeprecatedWrapperInfo kWrapperInfo;
+  static const gin::WrapperInfo kWrapperInfo;
   gin::ObjectTemplateBuilder GetObjectTemplateBuilder(
       v8::Isolate* isolate) override;
-  const char* GetTypeName() override;
+  const gin::WrapperInfo* wrapper_info() const override;
+  const char* GetHumanReadableName() const override;
+  const char* GetClassName() const { return "Screen"; }
 
   // disable copy
   Screen(const Screen&) = delete;
   Screen& operator=(const Screen&) = delete;
 
- protected:
-  Screen(v8::Isolate* isolate, display::Screen* screen);
+  // Make public for cppgc::MakeGarbageCollected.
+  Screen();
   ~Screen() override;
 
-  gfx::Point GetCursorScreenPoint(v8::Isolate* isolate);
-  display::Display GetPrimaryDisplay() const {
-    return screen_->GetPrimaryDisplay();
-  }
-  const std::vector<display::Display>& GetAllDisplays() const {
-    return screen_->GetAllDisplays();
-  }
-  display::Display GetDisplayNearestPoint(const gfx::Point& point) const {
-    return screen_->GetDisplayNearestPoint(point);
-  }
-  display::Display GetDisplayMatching(const gfx::Rect& match_rect) const {
-    return screen_->GetDisplayMatching(match_rect);
-  }
+  [[nodiscard]] gfx::Point GetCursorScreenPoint(v8::Isolate* isolate);
+  [[nodiscard]] display::Display GetPrimaryDisplay() const;
+  [[nodiscard]] std::vector<display::Display> GetAllDisplays() const;
+  [[nodiscard]] display::Display GetDisplayNearestPoint(
+      const gfx::Point& point) const;
+  [[nodiscard]] display::Display GetDisplayMatching(
+      const gfx::Rect& match_rect) const;
 
   gfx::PointF ScreenToDIPPoint(const gfx::PointF& point_px);
   gfx::Point DIPToScreenPoint(const gfx::Point& point_dip);
@@ -67,9 +61,6 @@ class Screen final : public gin_helper::DeprecatedWrappable<Screen>,
   void OnDisplaysRemoved(const display::Displays& removed_displays) override;
   void OnDisplayMetricsChanged(const display::Display& display,
                                uint32_t changed_metrics) override;
-
- private:
-  raw_ptr<display::Screen> screen_;
 };
 
 }  // namespace electron::api

shell/browser/api/electron_api_session.cc

@@ -1044,15 +1044,13 @@ bool Session::IsPersistent() {
 
 v8::Local<v8::Promise> Session::GetBlobData(v8::Isolate* isolate,
                                             const std::string& uuid) {
-  gin_helper::Handle<DataPipeHolder> holder =
-      DataPipeHolder::From(isolate, uuid);
-  if (holder.IsEmpty()) {
-    gin_helper::Promise<v8::Local<v8::Value>> promise(isolate);
-    promise.RejectWithErrorMessage("Could not get blob data handle");
-    return promise.GetHandle();
+  if (DataPipeHolder* holder = DataPipeHolder::From(isolate, uuid)) {
+    return holder->ReadAll(isolate);
   }
 
-  return holder->ReadAll(isolate);
+  gin_helper::Promise<v8::Local<v8::Value>> promise(isolate);
+  promise.RejectWithErrorMessage("Could not get blob data handle");
+  return promise.GetHandle();
 }
 
 void Session::DownloadURL(const GURL& url, gin::Arguments* args) {

shell/browser/api/electron_api_view.cc

@@ -20,6 +20,8 @@
 #include "shell/common/gin_helper/handle.h"
 #include "shell/common/gin_helper/object_template_builder.h"
 #include "shell/common/node_includes.h"
+#include "ui/compositor/layer.h"
+#include "ui/views/animation/animation_builder.h"
 #include "ui/views/background.h"
 #include "ui/views/layout/flex_layout.h"
 #include "ui/views/layout/layout_manager_base.h"
@@ -144,6 +146,27 @@ struct Converter<views::SizeBounds> {
         .Build();
   }
 };
+
+template <>
+struct Converter<gfx::Tween::Type> {
+  static bool FromV8(v8::Isolate* isolate,
+                     v8::Local<v8::Value> val,
+                     gfx::Tween::Type* out) {
+    std::string easing = base::ToLowerASCII(gin::V8ToString(isolate, val));
+    if (easing == "linear") {
+      *out = gfx::Tween::LINEAR;
+    } else if (easing == "ease-in") {
+      *out = gfx::Tween::EASE_IN;
+    } else if (easing == "ease-out") {
+      *out = gfx::Tween::EASE_OUT;
+    } else if (easing == "ease-in-out") {
+      *out = gfx::Tween::EASE_IN_OUT;
+    } else {
+      return false;
+    }
+    return true;
+  }
+};
 }  // namespace gin
 
 namespace electron::api {
@@ -280,10 +303,116 @@ void View::RemoveChildView(gin_helper::Handle<View> child) {
   }
 }
 
-void View::SetBounds(const gfx::Rect& bounds) {
+ui::Layer* View::GetLayer() {
+  if (!view_)
+    return nullptr;
+
+  if (view_->layer())
+    return view_->layer();
+
+  view_->SetPaintToLayer();
+
+  ui::Layer* layer = view_->layer();
+
+  layer->SetFillsBoundsOpaquely(false);
+
+  return layer;
+}
+
+void View::SetBounds(const gfx::Rect& bounds, gin::Arguments* const args) {
+  bool animate = false;
+  int duration = 250;
+  gfx::Tween::Type easing = gfx::Tween::LINEAR;
+
+  gin_helper::Dictionary dict;
+  if (args->GetNext(&dict)) {
+    v8::Local<v8::Value> animate_value;
+
+    if (dict.Get("animate", &animate_value)) {
+      if (animate_value->IsBoolean()) {
+        animate = animate_value->BooleanValue(isolate());
+      } else {
+        animate = true;
+
+        gin_helper::Dictionary animate_dict;
+        if (gin::ConvertFromV8(isolate(), animate_value, &animate_dict)) {
+          animate_dict.Get("duration", &duration);
+          animate_dict.Get("easing", &easing);
+        }
+      }
+    }
+  }
+
+  if (duration < 0)
+    duration = 0;
+
   if (!view_)
     return;
-  view_->SetBoundsRect(bounds);
+
+  if (!animate) {
+    view_->SetBoundsRect(bounds);
+    return;
+  }
+
+  ui::Layer* layer = GetLayer();
+
+  gfx::Rect current_bounds = view_->bounds();
+
+  if (bounds.size() == current_bounds.size()) {
+    // If the size isn't changing, we can just animate the bounds directly.
+
+    views::AnimationBuilder()
+        .SetPreemptionStrategy(
+            ui::LayerAnimator::IMMEDIATELY_ANIMATE_TO_NEW_TARGET)
+        .OnEnded(base::BindOnce(
+            [](views::View* view, const gfx::Rect& final_bounds) {
+              view->SetBoundsRect(final_bounds);
+            },
+            view_, bounds))
+        .Once()
+        .SetDuration(base::Milliseconds(duration))
+        .SetBounds(view_, bounds, easing);
+
+    return;
+  }
+
+  gfx::Rect target_size = gfx::Rect(0, 0, bounds.width(), bounds.height());
+  gfx::Rect max_size =
+      gfx::Rect(current_bounds.x(), current_bounds.y(),
+                std::max(current_bounds.width(), bounds.width()),
+                std::max(current_bounds.height(), bounds.height()));
+
+  // if the view's size is smaller than the target size, we need to set the
+  // view's bounds immediatley to the new size (not position) and set the
+  // layer's clip rect to animate from there.
+  if (view_->width() < bounds.width() || view_->height() < bounds.height()) {
+    view_->SetBoundsRect(max_size);
+
+    if (layer) {
+      layer->SetClipRect(
+          gfx::Rect(0, 0, current_bounds.width(), current_bounds.height()));
+    }
+  }
+
+  views::AnimationBuilder()
+      .SetPreemptionStrategy(
+          ui::LayerAnimator::IMMEDIATELY_ANIMATE_TO_NEW_TARGET)
+      .OnEnded(base::BindOnce(
+          [](views::View* view, const gfx::Rect& final_bounds,
+             ui::Layer* layer) {
+            view->SetBoundsRect(final_bounds);
+            if (layer)
+              layer->SetClipRect(gfx::Rect());
+          },
+          view_, bounds, layer))
+      .Once()
+      .SetDuration(base::Milliseconds(duration))
+      .SetBounds(view_, bounds, easing)
+      .SetClipRect(
+          view_, target_size,
+          easing);  // We have to set the clip rect independently of the
+                    // bounds, because animating the bounds of the layer
+                    // will not animate the underlying view's bounds.
 }
 
 gfx::Rect View::GetBounds() const {