Node.js 26.3.0: Buffer Pool Doubles, Permission API Gains drop(), Intel Macs at Risk

Node.js 26.3.0: Buffer Pool Doubles, Permission API Gains drop(), Intel Macs at Risk

lschvn

Node.js 26.3.0 landed June 1, 2026 on the Current release line. It is a substantial mid-cycle update: the Buffer allocator gets a meaningful tuning change, the experimental permission system gains its most-requested feature, Apple signals another step toward dropping Intel Macs, and the crypto team lands a multi-PR hardening of WebCrypto.

Buffer.poolSize doubles to 64 KiB

The most impactful runtime change is the default Buffer.poolSize increase from 32 KiB to 64 KiB, contributed by Matteo Collina (#63597). Node's internal slab allocator uses this pool for Buffer.allocUnsafe() and Buffer.from() calls that fall below the threshold. A larger slab reduces the rate at which the allocator must request new memory pages from the OS, cutting fragmentation and improving throughput for HTTP servers, streaming pipelines, and any code that allocates many small to medium buffers.

The change is not breaking, it only affects the default, and applications can still set Buffer.poolSize manually. But if you have been running benchmarks that benchmark the allocator itself, now is a good time to re-run them.

permission.drop() for fine-grained privilege surrender

Rafael Gonzaga contributed permission.drop() (#62672), the most-requested addition to Node.js's experimental permission system. The existing model granted capabilities at startup and held them for the process lifetime. permission.drop() lets running code surrender individual permission handles, file system, environment, child process, without exiting. This enables patterns such as:

// After initialization, drop file-system access
permission.drop('fs');
// Only network access remains

The change brings Node.js closer to capability-based security models and reduces the blast radius of supply-chain or injection attacks where a compromised module loses its file-system grip after initialization completes.

macOS universal binary warning

Antoine du Hamel's PR #63055 formally documents what the project has been signaling informally: the macOS universal binary, which packages both Intel (x64) and Apple Silicon (arm64) slices in a single binary, may not be maintainable for the full lifespan of Node.js 26. Apple has been progressively deprecating Intel toolchain support, and the Node.js build infrastructure is hitting friction keeping the x64 slice working. Intel-based Macs remain Tier 2; arm64 is Tier 1. This is a heads-up, not an immediate removal.

WebCrypto hardening and npm 11.16.0

Filip Skokan led a multi-PR effort hardening WebCrypto (#63363). Changes include:

  • WebCrypto methods no longer use async wrappers internally, reducing overhead
  • CryptoKey handles are now passed directly to KDF jobs instead of being serialized and deserialized
  • A new CryptoJob mode aligns Node's WebCrypto implementation with the spec and improves performance
  • The implementation is hardened against prototype pollution attacks targeting CryptoKey property definitions

npm is updated to 11.16.0 (#63602), which includes dependency tree fixes and faster resolution. SQLite bundled with Node is updated with a cherry-pick addressing a memory corruption risk (#63525).

The http module gains an httpValidation option (#61597) that lets servers configure how strictly to validate incoming header values, defaulting to lenient behavior for backward compatibility. The inspector API also gains a preciseCoverageStart flag (#63079) for more accurate code coverage instrumentation.

Node.js 26.3.0 is the Current (non-LTS) line. The LTS transition for Node.js 26 is expected with Node.js 26.9.0 in September 2026.

Frequently Asked Questions

Related articles

More coverage with overlapping topics and tags.

State of TypeScript 2026: GitHub's #1 Language, Project Corsa, and the Supply Chain Reckoning
security

State of TypeScript 2026: GitHub's #1 Language, Project Corsa, and the Supply Chain Reckoning

A look back at the major events that reshaped TypeScript's position in the JavaScript ecosystem, from surpassing JavaScript on GitHub to npm supply chain compromises and the Go-based compiler rewrite targeting 10x faster builds.
Node.js March 2026: Six Security Patches Land Across All Active Branches
security

Node.js March 2026: Six Security Patches Land Across All Active Branches

Node.js shipped emergency security releases for v25, v24, v22, and v20 on March 24, 2026, patching two high-severity CVEs including a TLS SNICallback crash and an HTTP header prototype pollution risk. Here's what each fix does and which versions are affected.
Fastify v5.9.0 Adds `request.mediaType` and `onMaxParamLength`, Hardens `forwarded` Header Trust, Chunks Large HTTP/2 Replies, and Moves Type Tests to TSTyche
security

Fastify v5.9.0 Adds `request.mediaType` and `onMaxParamLength`, Hardens `forwarded` Header Trust, Chunks Large HTTP/2 Replies, and Moves Type Tests to TSTyche

Fastify v5.9.0, published on 2026-06-28 (github.com/fastify/fastify), is the first minor release of the v5 line in 2026 and a substantial 65-PR cycle. The headline features are `request.mediaType` (a typed accessor for the negotiated media type, [#6653](https://github.com/fastify/fastify/pull/6653) by climba03003), `onMaxParamLength` route option ([#6716](https://github.com/fastify/fastify/pull/6716) by climba03003), and a security fix that no longer trusts `X-Forwarded-Host` and `X-Forwarded-Proto` when the incoming socket is missing ([#6684](https://github.com/fastify/fastify/pull/6684) by mcollina). The cycle ships an HTTP/2 buffer-chunking fix for large replies ([#6746](https://github.com/fastify/fastify/pull/6746) by mcollina), three schema-related performance wins (deferred `getSchemaSerializer` content-type parsing #6692, cached `ContentType` objects in `ContentTypeParser` #6694, `typeof` guard before `toString.call` in `send` / `onSendEnd` #6693 by aquie00t), Node.js 26 added to the test matrix ([#6728](https://github.com/fastify/fastify/pull/6728) by Fdawgs) and Node.js 20 dropped from the yarn CI matrix ([#6662](https://github.com/fastify/fastify/pull/6662) by Tony133), the migration of the type-test suite from hand-rolled `expect-type` to [TSTyche](https://github.com/mrazauskas/tstyche) ([#6532](https://github.com/fastify/fastify/pull/6532) by mrazauskas, with follow-ups #6726 and #6727), and a TypeScript-only fastify-plugin v6.0.0 bump. Other notable fixes: trailer `res.end` deduplication (#6676), trailer duplicate-completion guard (#6714), `error.code` on routing errors (#6678), `hasRequestDecorator` / `hasReplyDecorator` catching constructor-assigned built-ins (#6753), `getValidationFunction()` allowed to return `undefined` (#6665), and a socket `_meta` clear that closes a keep-alive leak (#6799).

Comments

Log in Log in to join the conversation.

No comments yet. Be the first to share your thoughts.