@JackStrohm-asana
No description provided.

jasnell and others added 30 commits November 17, 2024 11:51
PR-URL: nodejs#54585
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Bumps [mozilla-actions/sccache-action](https://github.com/mozilla-actions/sccache-action) from 0.0.5 to 0.0.6.
- [Release notes](https://github.com/mozilla-actions/sccache-action/releases)
- [Commits](Mozilla-Actions/sccache-action@89e9040...9e326eb)

---
updated-dependencies:
- dependency-name: mozilla-actions/sccache-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
PR-URL: nodejs#55225
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Specify the initial default value of `autoSelectFamily`
in description of `net.setDefaultAutoSelectFamily()`
as specified in description of `net.getDefaultAutoSelectFamily()`.

PR-URL: nodejs#55245
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
PR-URL: nodejs#55231
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
PR-URL: nodejs#55304
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
PR-URL: nodejs#55172
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: nodejs#55284
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#55300
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#55144
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Syntax detection has been unflagged so it's no longer meaningful
to toggle the detection based on CLI flags. It was also previously
benchmarking cached module imports which isn't very meaningful
for subsequent loads. This patch updates the benchmark to toggle
the detection based on the presence of type field in the package.json,
and generates fixtures to benchmark fresh module loads.

PR-URL: nodejs#55238
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Fixes: nodejs#55053
PR-URL: nodejs#55331
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This reverts commit 7ddbfe8.

PR-URL: nodejs#55344
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: nodejs#55344
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: nodejs#55329
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This should make it easier to read on benchmark/compare
and when generating graphs.

PR-URL: nodejs#55254
Reviewed-By: Vinícius Lourenço Claro Cardoso <contact@viniciusl.com.br>
Use rclone to upload assets to Cloudflare as it is more reliable.

Refs: nodejs/build#3508
PR-URL: nodejs#55617
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
PR-URL: nodejs#54853
Backport-PR-URL: nodejs#55264
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: nodejs#55318
Backport-PR-URL: nodejs#55264
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Notable changes:

doc:
  * add abmusse to collaborators (Abdirahim Musse) nodejs#55086

PR-URL: nodejs#55879
Without this patch, on Windows, normalizing a relative path might result
in a path that Windows considers absolute. In rare cases, this might
lead to path traversal vulnerabilities in user code.

We attempt to detect those cases and return a relative path instead.

PR-URL: nodejs-private/node-private#555
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-23084
Prior to this PR, it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example,
through diagnostics_channel.subscribe('worker_threads').

PR-URL: nodejs-private/node-private#652
Refs: https://hackerone.com/reports/2575105
CVE-ID: CVE-2025-23083
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#663
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2025-22150
This commit fixes a memory leak when the socket is
suddenly closed by the peer (without GOAWAY notification)
and when invalid header (by nghttp2) is identified and the
connection is terminated by peer.

Refs: https://hackerone.com/reports/2841362
This is a security release.

Notable changes:

* CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

PR-URL: nodejs-private/node-private#664
Fixes: nodejs#55208
PR-URL: nodejs#55249
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
The actual implementation returns `outgoingMessage` itself, but not
exactly `http.ServerResponse`.

Refs: https://github.com/nodejs/node/blob/20d8b85d3493bec944de541a896e0165dd356345/lib/_http_outgoing.js#L712-L751
PR-URL: nodejs#55290
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Qingyu Deng <i@ayase-lab.com>
PR-URL: nodejs#55334
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.9.1 to 2.10.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@5c7944e...91182cc)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
PR-URL: nodejs#55220
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
duncpro and others added 28 commits January 24, 2025 22:18
PR-URL: nodejs#55562
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jason Zhang <xzha4350@gmail.com>
PR-URL: nodejs#55780
Fixes: nodejs#55340
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jason Zhang <xzha4350@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
This action reminds collaborators of the upcoming
major release date. In the future, this action can
also update and create the branches (that's why the
action name is generic).

PR-URL: nodejs#56199
Refs: nodejs#55732
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: nodejs#56256
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: nodejs#56251
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
PR-URL: nodejs#56255
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: nodejs#56205
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
PR-URL: nodejs#56266
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: 吴小白 <296015668@qq.com>
PR-URL: nodejs#56271
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Attributes are being highlighted as #f00 on a background of #f2f2f2.
That's a color contrast of 3.98:1, failing to meet the 4.5:1 requirement
of WCAG 2.1 AA. This changes the attribute color to #d00, which has a
color contrast of 5.09:1 meeting the 4.5:1 requirement.

PR-URL: nodejs#56272
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Claudio Wunder <cwunder@gnome.org>
Original commit message:

    [import-attributes] Deprecate 'assert' for removal in 12.6

    See https://groups.google.com/a/chromium.org/g/blink-dev/c/ZHvzLaJZRvo/m/FgNDBjrtBQAJ

    Bug: v8:10958
    Change-Id: I4d21c9f7aad1024b198b4a1cdfb4792a011da464
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5055681
    Reviewed-by: Rezvan Mahdavi Hezaveh <rezvan@chromium.org>
    Auto-Submit: Shu-yu Guo <syg@chromium.org>
    Commit-Queue: Shu-yu Guo <syg@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#92044}

Refs: v8/v8@ae5a4db
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: nodejs#55961
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Original commit message:

    [import-attributes] Deprecate 'assert' for dynamic import as well

    Bug: v8:10958
    Change-Id: I7847bdb5d2c79f057f4e1df99f8f5889788f09cb
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5249778
    Commit-Queue: Shu-yu Guo <syg@chromium.org>
    Reviewed-by: Leszek Swirski <leszeks@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#92123}

Refs: v8/v8@26fd1df
PR-URL: nodejs#55961
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
The two proposals reached stage 4 at the October 2024 meeting.

PR-URL: nodejs#55333
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Backport-PR-URL: nodejs#55961
PR-URL: nodejs#55855
Refs: nodejs#55333
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Backport-PR-URL: nodejs#55961
PR-URL: nodejs#56706
Backport-PR-URL: nodejs#56721
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: nodejs#56707
Backport-PR-URL: nodejs#56724
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Since the last security release, the resource check has been
flaky on Windows. This commit temporarily disables those checks
to unblock the next regular release.

PR-URL: nodejs#56789
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This has been flaking the CI for more than 2 years with various
attempts to fix without success. It has still been flaking the
CI (failed 19 out of 100 recent testing CI runs). It's time to
mark it as flaky.

PR-URL: nodejs#56503
Refs: nodejs#43465
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
PR-URL: nodejs#56727
Refs: nodejs#56726
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Notable changes:

crypto:
  * update root certificates to NSS 3.104 (Richard Lau) nodejs#55681
doc:
  * add LJHarb to collaborators (Jordan Harband) nodejs#56132
  * enforce strict policy to semver-major releases (Rafael Gonzaga) nodejs#55732
  * add jazelly to collaborators (Jason Zhang) nodejs#55531
esm:
  * mark import attributes and JSON module as stable (Nicolò Ribaudo) nodejs#55333
tools:
  * fix root certificate updater (Richard Lau) nodejs#55681

PR-URL: nodejs#56699
…-compression, and exposing of utils so our fiber elimination utils can continue to work
trying to add fibers building
@JackStrohm-asana JackStrohm-asana deleted the workflows-for-v20.18.3 branch April 18, 2025 04:12