From c2a035332f9a96565be207cd481818e3cc20ecd3 Mon Sep 17 00:00:00 2001
From: Chengzhong Wu
Date: Sat, 7 Feb 2026 17:14:40 -0500
Subject: [PATCH 1/2] test: print stack immediately avoiding GC interleaving
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`require(mod)` does not keep the mod in require cache if mod throws synchronously. This fixes the tests to print the stack immediately in case that source map cache could be cleaned up when the CJS module is reclaimed by GC in the next event loop tick.

PR-URL: https://github.com/nodejs/node/pull/61699
Reviewed-By: Anna Henningsen
Reviewed-By: Michaël Zasso
Reviewed-By: Colin Ihrig
Reviewed-By: Minwoo Jung
Reviewed-By: Luigi Pinca
---
 lib/internal/source_map/source_map_cache_map.js | 4 ++++
 .../source-map/output/source_map_sourcemapping_url_string.js | 4 +---
 test/fixtures/source-map/output/source_map_throw_catch.js | 4 +---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/lib/internal/source_map/source_map_cache_map.js b/lib/internal/source_map/source_map_cache_map.js
index dcacfd9bdbf269..10561acffc4bab 100644
--- a/lib/internal/source_map/source_map_cache_map.js
+++ b/lib/internal/source_map/source_map_cache_map.js
@@ -13,6 +13,9 @@ const {
 source_map_data_private_symbol,
 },
 } = internalBinding('util');
+let debug = require('internal/util/debuglog').debuglog('source_map', (fn) => {
+ debug = fn;
+});

 /**
 * Specialized map of WeakRefs to module instances that caches source map
@@ -46,6 +49,7 @@ class SourceMapCacheMap {
 ArrayPrototypeForEach(keys, (key) => {
 const ref = this.#weakModuleMap.get(key);
 if (ref && ref.deref() === undefined) {
+ debug(`Cleanup obsolete source map cache entry with key: ${key}`);
 this.#weakModuleMap.delete(key);
 }
 });
diff --git a/test/fixtures/source-map/output/source_map_sourcemapping_url_string.js b/test/fixtures/source-map/output/source_map_sourcemapping_url_string.js
index 8dca7a35bfe7b9..1890e6e0b6d429 100644
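Review bot: The `debug()` call added in the second hunk of lib/internal/source_map/source_map_cache_map.js builds its message with a template literal, so `key` is interpolated for every reclaimed entry even when the `source_map` debug category is disabled. The logger returned by `debuglog` takes `util.format`-style arguments, so `debug('Cleanup obsolete source map cache entry with key: %s', key);` leaves the formatting to the enabled case. The key is presumably a module file name or source URL, so NODE_DEBUG output collected from production hosts will then carry local paths. The enclosing method of `SourceMapCacheMap` starts and ends outside the hunk.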
--- a/test/fixtures/source-map/output/source_map_sourcemapping_url_string.js
+++ b/test/fixtures/source-map/output/source_map_sourcemapping_url_string.js
@@ -7,7 +7,5 @@ Error.stackTraceLimit = 2;
 try {
 require('../typescript-sourcemapping_url_string');
 } catch (err) {
- setTimeout(() => {
- console.info(err);
- }, 10);
+ console.info(err);
 }
diff --git a/test/fixtures/source-map/output/source_map_throw_catch.js b/test/fixtures/source-map/output/source_map_throw_catch.js
index c49ffcff865907..75ce228c918870 100644
--- a/test/fixtures/source-map/output/source_map_throw_catch.js
+++ b/test/fixtures/source-map/output/source_map_throw_catch.js
@@ -7,7 +7,5 @@ Error.stackTraceLimit = 2;
 try {
 require('../typescript-throw');
 } catch (err) {
- setTimeout(() => {
- console.info(err);
- }, 10);
+ console.info(err);
 }

From 6aa465c962e7c1541bbba54eb3f4caeb1170e1f5 Mon Sep 17 00:00:00 2001
From: Matteo Collina
Date: Sun, 8 Feb 2026 00:03:34 +0100
Subject: [PATCH 2/2] doc: clarify EventEmitter error handling in threat model
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add documentation explaining that applications are expected to attach 'error' event handlers to EventEmitters that can emit errors, including HTTP streams. Crashes resulting from missing error handlers are not considered denial-of-service vulnerabilities in Node.js.

PR-URL: https://github.com/nodejs/node/pull/61701
Reviewed-By: Luigi Pinca
Reviewed-By: Anna Henningsen
Reviewed-By: Colin Ihrig
Reviewed-By: Rafael Gonzaga
Reviewed-By: Chengzhong Wu
Reviewed-By: Ulises Gascón
Reviewed-By: James M Snell
Reviewed-By: Benjamin Gruenbaum
---
 SECURITY.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/SECURITY.md b/SECURITY.md
index 34d8633cf1f27d..6213ca3d43a704 100644
--- a/SECURITY.md
+++ b/SECURITY.md
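Review bot: In test/fixtures/source-map/output/source_map_sourcemapping_url_string.js, the reason `console.info(err)` must now run synchronously inside the `catch` block is recorded only in the commit message, so a later edit could reintroduce a timer and bring the flakiness back. A one-line comment above the call would keep the reason with the code, e.g. `// Print synchronously: a module that throws is not kept in the require cache, so its source map entry may be dropped once it is GC'd.` The same applies to the identical hunk in test/fixtures/source-map/output/source_map_throw_catch.js. If the expected output for these fixtures includes line numbers from the fixture itself, the comment should go inside the `catch` block so the `require` line does not move.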
@@ -335,6 +335,18 @@ the community they pose.
 proper security boundaries between trusted application logic and untrusted
 user input.

+#### Unhandled 'error' Events on EventEmitters (CWE-248)
+
+* EventEmitters that can emit `'error'` events require the application to
+ attach an `'error'` event handler. This includes HTTP streams and other
+ Node.js core streams. If the application fails to attach an `'error'`
+ handler, the EventEmitter will throw an uncaught exception, which may
+ crash the process.
+* Crashes resulting from missing `'error'` handlers are not considered
+ denial-of-service vulnerabilities in Node.js. It is the application's
+ responsibility to properly handle errors by attaching appropriate
+ `'error'` event listeners to EventEmitters that may emit errors.
+
 ## Assessing experimental features reports

 Experimental features are eligible for security reports just like any other