diff --git a/0003-downstream-update-nghttp2-to-1.68.1.patch b/0003-downstream-update-nghttp2-to-1.68.1.patch new file mode 100644 index 0000000..e445f8f --- /dev/null +++ b/0003-downstream-update-nghttp2-to-1.68.1.patch @@ -0,0 +1,530 @@ +From 205baae16ff43539500a6f168d0d27e226bfc4f2 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 25 Mar 2026 15:36:44 +0100 +Subject: [PATCH] downstream: update nghttp2 to 1.68.1 + +This is done out of sync with upstream node, +in order to address CVE-2026-27135 in a timely manner. + +Should be dropped once upstream addresses the CVE in their own way. + +Signed-off-by: rpm-build +--- + .../nghttp2/lib/includes/nghttp2/nghttp2ver.h | 4 +- + deps/nghttp2/lib/nghttp2_frame.c | 10 + + deps/nghttp2/lib/nghttp2_int.h | 6 +- + deps/nghttp2/lib/nghttp2_session.c | 206 ++++++++++-------- + 4 files changed, 135 insertions(+), 91 deletions(-) + +diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +index 8dfe536..95acef2 100644 +--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h ++++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +@@ -29,7 +29,7 @@ + * @macro + * Version number of the nghttp2 library release + */ +-#define NGHTTP2_VERSION "1.68.0" ++#define NGHTTP2_VERSION "1.68.1" + + /** + * @macro +@@ -37,6 +37,6 @@ + * release. This is a 24 bit number with 8 bits for major number, 8 bits + * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203. + */ +-#define NGHTTP2_VERSION_NUM 0x014400 ++#define NGHTTP2_VERSION_NUM 0x014401 + + #endif /* NGHTTP2VER_H */ +diff --git a/deps/nghttp2/lib/nghttp2_frame.c b/deps/nghttp2/lib/nghttp2_frame.c +index edc2aaa..264ae9d 100644 +--- a/deps/nghttp2/lib/nghttp2_frame.c ++++ b/deps/nghttp2/lib/nghttp2_frame.c +@@ -750,6 +750,16 @@ void nghttp2_frame_unpack_altsvc_payload(nghttp2_extension *frame, + uint8_t *p; + + altsvc = frame->payload; ++ ++ if (payloadlen == 0) { ++ altsvc->origin = NULL; ++ altsvc->origin_len = 0; ++ altsvc->field_value = NULL; ++ altsvc->field_value_len = 0; ++ ++ return; ++ } ++ + p = payload; + + altsvc->origin = p; +diff --git a/deps/nghttp2/lib/nghttp2_int.h b/deps/nghttp2/lib/nghttp2_int.h +index 4e3b268..d89cf15 100644 +--- a/deps/nghttp2/lib/nghttp2_int.h ++++ b/deps/nghttp2/lib/nghttp2_int.h +@@ -52,7 +52,11 @@ typedef enum { + * Unlike NGHTTP2_ERR_IGN_HTTP_HEADER, this does not invoke + * nghttp2_on_invalid_header_callback. + */ +- NGHTTP2_ERR_REMOVE_HTTP_HEADER = -106 ++ NGHTTP2_ERR_REMOVE_HTTP_HEADER = -106, ++ /* ++ * Cancel pushed stream. ++ */ ++ NGHTTP2_ERR_PUSH_CANCEL = -107, + } nghttp2_internal_error; + + #endif /* !defined(NGHTTP2_INT_H) */ +diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c +index 97d7fda..0fbcc93 100644 +--- a/deps/nghttp2/lib/nghttp2_session.c ++++ b/deps/nghttp2/lib/nghttp2_session.c +@@ -3272,7 +3272,9 @@ static int session_call_on_invalid_header(nghttp2_session *session, + session, frame, nv->name->base, nv->name->len, nv->value->base, + nv->value->len, nv->flags, session->user_data); + } else { +- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; ++ /* If both callbacks are not set, the invalid field nv is ++ ignored. */ ++ return 0; + } + + if (rv == NGHTTP2_ERR_PAUSE || rv == NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE) { +@@ -3357,6 +3359,10 @@ static uint32_t get_error_code_from_lib_error_code(int lib_error_code) { + case NGHTTP2_ERR_HTTP_HEADER: + case NGHTTP2_ERR_HTTP_MESSAGING: + return NGHTTP2_PROTOCOL_ERROR; ++ case NGHTTP2_ERR_INTERNAL: ++ return NGHTTP2_INTERNAL_ERROR; ++ case NGHTTP2_ERR_PUSH_CANCEL: ++ return NGHTTP2_CANCEL; + default: + return NGHTTP2_INTERNAL_ERROR; + } +@@ -3408,7 +3414,7 @@ static int session_handle_invalid_stream2(nghttp2_session *session, + if (rv != 0) { + return rv; + } +- if (session->callbacks.on_invalid_frame_recv_callback) { ++ if (frame && session->callbacks.on_invalid_frame_recv_callback) { + if (session->callbacks.on_invalid_frame_recv_callback( + session, frame, lib_error_code, session->user_data) != 0) { + return NGHTTP2_ERR_CALLBACK_FAILURE; +@@ -3563,7 +3569,29 @@ static int inflate_header_block(nghttp2_session *session, nghttp2_frame *frame, + + rv2 = session_call_on_invalid_header(session, frame, &nv); + if (rv2 == NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE) { +- rv = NGHTTP2_ERR_HTTP_HEADER; ++ DEBUGF("recv: HTTP error: type=%u, id=%d, header %.*s: %.*s\n", ++ frame->hd.type, frame->hd.stream_id, (int)nv.name->len, ++ nv.name->base, (int)nv.value->len, nv.value->base); ++ ++ rv = session_call_error_callback( ++ session, NGHTTP2_ERR_HTTP_HEADER, ++ "Invalid HTTP header field was received: frame type: " ++ "%u, stream: %d, name: [%.*s], value: [%.*s]", ++ frame->hd.type, frame->hd.stream_id, (int)nv.name->len, ++ nv.name->base, (int)nv.value->len, nv.value->base); ++ ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ ++ rv = session_handle_invalid_stream2( ++ session, subject_stream->stream_id, frame, ++ NGHTTP2_ERR_HTTP_HEADER); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ ++ return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; + } else { + if (rv2 != 0) { + return rv2; +@@ -3603,13 +3631,8 @@ static int inflate_header_block(nghttp2_session *session, nghttp2_frame *frame, + return rv; + } + +- rv = +- session_handle_invalid_stream2(session, subject_stream->stream_id, +- frame, NGHTTP2_ERR_HTTP_HEADER); +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE; ++ return nghttp2_session_terminate_session(session, ++ NGHTTP2_PROTOCOL_ERROR); + } + } + if (rv == 0) { +@@ -3722,27 +3745,7 @@ static int session_after_header_block_received(nghttp2_session *session) { + } + } + if (rv != 0) { +- int32_t stream_id; +- +- if (frame->hd.type == NGHTTP2_PUSH_PROMISE) { +- stream_id = frame->push_promise.promised_stream_id; +- } else { +- stream_id = frame->hd.stream_id; +- } +- +- rv = session_handle_invalid_stream2(session, stream_id, frame, +- NGHTTP2_ERR_HTTP_MESSAGING); +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- +- if (frame->hd.type == NGHTTP2_HEADERS && +- (frame->hd.flags & NGHTTP2_FLAG_END_STREAM)) { +- nghttp2_stream_shutdown(stream, NGHTTP2_SHUT_RD); +- /* Don't call nghttp2_session_close_stream_if_shut_rdwr +- because RST_STREAM has been submitted. */ +- } +- return 0; ++ return nghttp2_session_terminate_session(session, NGHTTP2_PROTOCOL_ERROR); + } + } + +@@ -4078,8 +4081,7 @@ static int update_remote_initial_window_size_func(void *entry, void *ptr) { + rv = nghttp2_stream_update_remote_initial_window_size( + stream, arg->new_window_size, arg->old_window_size); + if (rv != 0) { +- return nghttp2_session_add_rst_stream(arg->session, stream->stream_id, +- NGHTTP2_FLOW_CONTROL_ERROR); ++ return NGHTTP2_ERR_FLOW_CONTROL; + } + + /* If window size gets positive, push deferred DATA frame to +@@ -4105,6 +4107,8 @@ static int update_remote_initial_window_size_func(void *entry, void *ptr) { + * + * NGHTTP2_ERR_NOMEM + * Out of memory. ++ * NGHTTP2_ERR_FLOW_CONTROL ++ * Window size gets out of range. + */ + static int + session_update_remote_initial_window_size(nghttp2_session *session, +@@ -4128,8 +4132,7 @@ static int update_local_initial_window_size_func(void *entry, void *ptr) { + rv = nghttp2_stream_update_local_initial_window_size( + stream, arg->new_window_size, arg->old_window_size); + if (rv != 0) { +- return nghttp2_session_add_rst_stream(arg->session, stream->stream_id, +- NGHTTP2_FLOW_CONTROL_ERROR); ++ return NGHTTP2_ERR_FLOW_CONTROL; + } + + if (stream->window_update_queued) { +@@ -4163,6 +4166,8 @@ static int update_local_initial_window_size_func(void *entry, void *ptr) { + * + * NGHTTP2_ERR_NOMEM + * Out of memory. ++ * NGHTTP2_ERR_FLOW_CONTROL ++ * Window size gets out of range. + */ + static int + session_update_local_initial_window_size(nghttp2_session *session, +@@ -4549,9 +4554,9 @@ int nghttp2_session_on_push_promise_received(nghttp2_session *session, + session->max_incoming_reserved_streams) { + /* Currently, client does not retain closed stream, so we don't + check NGHTTP2_SHUT_RD condition here. */ +- +- rv = nghttp2_session_add_rst_stream( +- session, frame->push_promise.promised_stream_id, NGHTTP2_CANCEL); ++ rv = session_handle_invalid_stream2(session, ++ frame->push_promise.promised_stream_id, ++ NULL, NGHTTP2_ERR_PUSH_CANCEL); + if (rv != 0) { + return rv; + } +@@ -4708,8 +4713,9 @@ static int session_on_stream_window_update_received(nghttp2_session *session, + } + if (NGHTTP2_MAX_WINDOW_SIZE - frame->window_update.window_size_increment < + stream->remote_window_size) { +- return session_handle_invalid_stream(session, frame, +- NGHTTP2_ERR_FLOW_CONTROL); ++ return session_handle_invalid_connection( ++ session, frame, NGHTTP2_ERR_FLOW_CONTROL, ++ "WINDOW_UPDATE: window size overflow"); + } + stream->remote_window_size += frame->window_update.window_size_increment; + +@@ -4939,16 +4945,7 @@ int nghttp2_session_on_data_received(nghttp2_session *session, + if (session_enforce_http_messaging(session) && + (frame->hd.flags & NGHTTP2_FLAG_END_STREAM)) { + if (nghttp2_http_on_remote_end_stream(stream) != 0) { +- rv = nghttp2_session_add_rst_stream(session, stream->stream_id, +- NGHTTP2_PROTOCOL_ERROR); +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- +- nghttp2_stream_shutdown(stream, NGHTTP2_SHUT_RD); +- /* Don't call nghttp2_session_close_stream_if_shut_rdwr because +- RST_STREAM has been submitted. */ +- return 0; ++ return nghttp2_session_terminate_session(session, NGHTTP2_PROTOCOL_ERROR); + } + } + +@@ -5006,8 +5003,8 @@ int nghttp2_session_update_recv_stream_window_size(nghttp2_session *session, + rv = adjust_recv_window_size(&stream->recv_window_size, delta_size, + stream->local_window_size); + if (rv != 0) { +- return nghttp2_session_add_rst_stream(session, stream->stream_id, +- NGHTTP2_FLOW_CONTROL_ERROR); ++ return nghttp2_session_terminate_session(session, ++ NGHTTP2_FLOW_CONTROL_ERROR); + } + /* We don't have to send WINDOW_UPDATE if the data received is the + last chunk in the incoming stream. */ +@@ -5469,6 +5466,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + busy = 1; + + rv = session_on_data_received_fail_fast(session); ++ if (nghttp2_is_fatal(rv)) { ++ return rv; ++ } ++ + if (iframe->state == NGHTTP2_IB_IGN_ALL) { + return (nghttp2_ssize)inlen; + } +@@ -5489,10 +5490,6 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + break; + } + +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- + rv = inbound_frame_handle_pad(iframe, &iframe->frame.hd); + if (rv < 0) { + rv = nghttp2_session_terminate_session_with_reason( +@@ -5576,6 +5573,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + on_begin_frame_called = 1; + + rv = session_process_headers_frame(session); +@@ -5590,8 +5591,8 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + + if (rv == NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE) { +- rv = nghttp2_session_add_rst_stream( +- session, iframe->frame.hd.stream_id, NGHTTP2_INTERNAL_ERROR); ++ rv = session_handle_invalid_stream2( ++ session, iframe->frame.hd.stream_id, NULL, NGHTTP2_ERR_INTERNAL); + if (nghttp2_is_fatal(rv)) { + return rv; + } +@@ -6044,6 +6045,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } + } + +@@ -6107,8 +6112,8 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + + if (rv == NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE) { +- rv = nghttp2_session_add_rst_stream( +- session, iframe->frame.hd.stream_id, NGHTTP2_INTERNAL_ERROR); ++ rv = session_handle_invalid_stream2( ++ session, iframe->frame.hd.stream_id, NULL, NGHTTP2_ERR_INTERNAL); + if (nghttp2_is_fatal(rv)) { + return rv; + } +@@ -6191,9 +6196,9 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + + if (rv == NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE) { +- rv = nghttp2_session_add_rst_stream( +- session, iframe->frame.push_promise.promised_stream_id, +- NGHTTP2_INTERNAL_ERROR); ++ rv = session_handle_invalid_stream2( ++ session, iframe->frame.push_promise.promised_stream_id, NULL, ++ NGHTTP2_ERR_INTERNAL); + if (nghttp2_is_fatal(rv)) { + return rv; + } +@@ -6296,6 +6301,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6371,12 +6380,12 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + iframe->payloadleft -= hd_proclen; + + /* Use promised stream ID for PUSH_PROMISE */ +- rv = nghttp2_session_add_rst_stream( ++ rv = session_handle_invalid_stream2( + session, + iframe->frame.hd.type == NGHTTP2_PUSH_PROMISE + ? iframe->frame.push_promise.promised_stream_id + : iframe->frame.hd.stream_id, +- NGHTTP2_INTERNAL_ERROR); ++ NULL, NGHTTP2_ERR_INTERNAL); + if (nghttp2_is_fatal(rv)) { + return rv; + } +@@ -6423,6 +6432,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } + session_inbound_frame_reset(session); + +@@ -6598,6 +6611,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } else { + iframe->state = NGHTTP2_IB_IGN_HEADER_BLOCK; + } +@@ -6648,6 +6665,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (nghttp2_is_fatal(rv)) { + return rv; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } + } + + busy = 1; +@@ -6720,6 +6741,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + data_readlen = + inbound_frame_effective_readlen(iframe, iframe->payloadleft, readlen); + +@@ -6749,41 +6774,30 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + if (data_readlen > 0) { + if (session_enforce_http_messaging(session)) { + if (nghttp2_http_on_data_chunk(stream, (size_t)data_readlen) != 0) { +- if (session->opt_flags & NGHTTP2_OPTMASK_NO_AUTO_WINDOW_UPDATE) { +- /* Consume all data for connection immediately here */ +- rv = session_update_connection_consumed_size( +- session, (size_t)data_readlen); +- +- if (nghttp2_is_fatal(rv)) { +- return rv; +- } +- +- if (iframe->state == NGHTTP2_IB_IGN_DATA) { +- return (nghttp2_ssize)inlen; +- } +- } +- +- rv = nghttp2_session_add_rst_stream( +- session, iframe->frame.hd.stream_id, NGHTTP2_PROTOCOL_ERROR); ++ rv = nghttp2_session_terminate_session(session, ++ NGHTTP2_PROTOCOL_ERROR); + if (nghttp2_is_fatal(rv)) { + return rv; + } +- busy = 1; +- iframe->state = NGHTTP2_IB_IGN_DATA; +- break; ++ ++ return (nghttp2_ssize)inlen; + } + } + if (session->callbacks.on_data_chunk_recv_callback) { + rv = session->callbacks.on_data_chunk_recv_callback( + session, iframe->frame.hd.flags, iframe->frame.hd.stream_id, + in - readlen, (size_t)data_readlen, session->user_data); +- if (rv == NGHTTP2_ERR_PAUSE) { +- return (nghttp2_ssize)(in - first); +- } +- + if (nghttp2_is_fatal(rv)) { + return NGHTTP2_ERR_CALLBACK_FAILURE; + } ++ ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ ++ if (rv == NGHTTP2_ERR_PAUSE) { ++ return (nghttp2_ssize)(in - first); ++ } + } + } + } +@@ -6797,6 +6811,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6863,6 +6881,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + if (rv != 0) { + busy = 1; + +@@ -6881,6 +6903,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +@@ -6909,6 +6935,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + return rv; + } + ++ if (iframe->state == NGHTTP2_IB_IGN_ALL) { ++ return (nghttp2_ssize)inlen; ++ } ++ + session_inbound_frame_reset(session); + + break; +-- +2.53.0 + diff --git a/nodejs24.spec b/nodejs24.spec index ba30d0c..86d1449 100644 --- a/nodejs24.spec +++ b/nodejs24.spec @@ -44,7 +44,7 @@ URL: https://nodejs.org # Version from node-v24.14.1/deps/merve/merve.h %nodejs_define_version merve 1.0.0 # Version from node-v24.14.1/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%nodejs_define_version nghttp2 1.68.0 +%nodejs_define_version nghttp2 1.68.1 # Version from node-v24.14.1/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %nodejs_define_version nghttp3 1.6.0 # Version from node-v24.14.1/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h @@ -152,6 +152,7 @@ Source101: nodejs.srpm.macros %patchlist 0001-Remove-unused-OpenSSL-config.patch 0001-fips-disable-options.patch +0003-downstream-update-nghttp2-to-1.68.1.patch %description Node.js is a platform built on Chrome's JavaScript runtime diff --git a/test-should-pass.txt b/test-should-pass.txt index 9e1d633..5be7fa8 100644 --- a/test-should-pass.txt +++ b/test-should-pass.txt @@ -1270,7 +1270,8 @@ parallel/test-crypto-lazy-transform-writable.js parallel/test-child-process-net-reuseport.js parallel/test-errors-systemerror.js parallel/test-fs-fmap.js -parallel/test-http2-reset-flood.js +# 2026-03-25: Breaking update of nghttp2 to 1.68.1 +#parallel/test-http2-reset-flood.js parallel/test-worker-mjs-workerdata.js parallel/test-net-connect-buffer2.js parallel/test-http-response-statuscode.js @@ -1299,7 +1300,8 @@ parallel/test-stream-readable-hwm-0.js parallel/test-whatwg-webstreams-adapters-streambase.js parallel/test-startup-empty-regexp-statics.js parallel/test-http2-respond-file-fd-invalid.js -parallel/test-http2-misbehaving-flow-control.js +# 2026-03-25: Breaking update of nghttp2 to 1.68.1 +#parallel/test-http2-misbehaving-flow-control.js parallel/test-cluster-rr-ref.js parallel/test-domain-no-error-handler-abort-on-uncaught-0.js parallel/test-fs-read-offset-null.js @@ -1488,7 +1490,8 @@ parallel/test-event-emitter-once.js parallel/test-stream-writable-final-async.js parallel/test-fs-open-no-close.js parallel/test-path-glob.js -parallel/test-http2-multi-content-length.js +# 2026-03-25: Breaking update of nghttp2 to 1.68.1 +#parallel/test-http2-multi-content-length.js parallel/test-timers-process-tampering.js parallel/test-url-relative.js parallel/test-messageevent-brandcheck.js @@ -1519,7 +1522,8 @@ parallel/test-punycode.js parallel/test-worker-vm-context-terminate.js parallel/test-https-agent-session-reuse.js parallel/test-stream-objectmode-undefined.js -parallel/test-http2-client-unescaped-path.js +# 2026-03-25: Breaking update of nghttp2 to 1.68.1 +#parallel/test-http2-client-unescaped-path.js parallel/test-dns-perf_hooks.js parallel/test-tls-connect-abort-controller.js parallel/test-whatwg-url-custom-searchparams-foreach.js