Skip to content

feat!: Node.js 26 support#1990

Open
dianager wants to merge 13 commits into
restify:nodejs-26from
dianager:nodejs-26-support
Open

feat!: Node.js 26 support#1990
dianager wants to merge 13 commits into
restify:nodejs-26from
dianager:nodejs-26-support

Conversation

@dianager

@dianager dianager commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Pre-Submission Checklist

  • Opened an issue discussing these changes before opening the PR
  • Ran the linter and tests via make prepush
  • Included comprehensive and convincing tests for changes

Issues

Closes:

  • Issue #
  • Issue #
  • Issue #

Summarize the issues that discussed these changes

Changes

Upgrades restify to run on Node.js 22, 24, and 26. Resolves all deprecated and removed
Node.js APIs, drops a broken production dependency, and fixes two production security
vulnerabilities.

Breaking Changes

  • Minimum Node.js version is now 22. Versions 10–20 are all past end-of-life.
  • options.spdy is removed. Use options.http2 instead.
  • qs 6.15.2 changes array parsing. Bracket-notation arrays with more than 20
    items are returned as objects with numeric string keys (enforced arrayLimit).
    This is a consequence of CVE-2022-24999 fix, not an accidental regression.

Security

Scope Change Vulnerability Severity
Production qs upgraded ^6.7.0^6.15.2 CVE-2022-24999 — prototype pollution via crafted query string High (CVSS 7.5)
Production spdy removed Open CVEs with no upstream fix; package unmaintained since ~2020
Dev / Test HTTP/2 test TLS certificates renewed Expired 2011 certs using SHA-1 and 1024-bit keys, rejected by Node.js 24+

Why spdy was removed rather than upgraded

spdy fails to start on Node.js 22+ regardless of version because two of its
transitive dependencies (http-deceiver, handle-thing) call process.binding(),
a private C++ internal API removed in Node.js 22. This causes a hard crash at module
load time. No patched release exists. Combined with open CVEs and an abandoned
maintainer, removal was the only option. Use options.http2 as the replacement.

Deprecated API Fixes

All of the following APIs were removed in Node.js 24 or 26 and would throw at runtime.

API Removed in Affected files Replacement
url.parse() / url.resolve() Node 24 lib/request.js, lib/response.js WHATWG URL, new utils.parseRequestUrl() / utils.formatUrl()
request.connection Node 24 lib/request.js, lib/plugins/audit.js, lib/plugins/throttle.js request.socket
new Buffer() Node 26 lib/formatters/binary.js, lib/plugins/authorization.js, lib/plugins/bodyReader.js Buffer.from() / Buffer.alloc()
request.abort() Node 26 test/plugins/userAgent.test.js request.destroy()
module.parent Node 26 benchmark/benchmarks/*.js, test/lib/helper.js require.main === module

Other

  • CI matrix updated to Node.js 24 and 26; GitHub Actions upgraded to v4
  • engines.node set to >=22.0.0 (Node 22 is oldest version still in LTS)
  • Benchmark route handlers: added missing next() calls
  • ESLint .eslintrc.js: fixed dot-notation rule violations that broke the lint job

@dianager dianager marked this pull request as draft June 17, 2026 09:47
@dianager dianager force-pushed the nodejs-26-support branch from b3dd1d3 to 3f202ce Compare June 17, 2026 13:50
@dianager dianager changed the base branch from master to nodejs-26 June 17, 2026 18:07
@dianager dianager force-pushed the nodejs-26-support branch from 3f202ce to 56f6f8b Compare June 21, 2026 14:48
@dianager dianager marked this pull request as ready for review June 22, 2026 07:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dianager