Node.js: Virtual File System and WebCrypto Security Updates

Transcript

Good morning. This is your Node.js development briefing for May 24th, 2026.

Matteo Collina merged a substantial addition - the experimental node:vfs subsystem. This 10,000-line update introduces VirtualFileSystem, MemoryProvider, and RealFSProvider classes behind the --experimental-vfs flag. The module doesn't yet integrate with node:fs or the module loader, with those features planned for follow-up releases.

Han5991 merged test runner improvements, fixing coverage support when using the run API with isolation set to 'none'. Previously, this configuration returned empty coverage reports due to V8 precise coverage not being enabled at bootstrap.

Trivikr merged a stream fix addressing fused stateless transforms. The update ensures each transform properly receives its own flush signal, preventing data processing issues when one transform emits data during flush.

A minor documentation fix by watilde corrected double spacing in modules.md.

Several additional commits landed focusing on WebCrypto security enhancements. Filip Skokan implemented comprehensive prototype pollution hardening across WebCrypto operations, modified key derivation functions to pass CryptoKey handles directly to native jobs, and restructured the crypto job system with a WebCrypto-specific mode. These changes eliminate potential security vulnerabilities while improving performance by reducing unnecessary key material copies.

The test runner also received a critical fix for the --test-rerun-failures feature, which was incorrectly reporting some failures as passes due to counter synchronization issues.

What's next: Integration of the VFS system with existing file operations and module loading is expected in upcoming releases. The WebCrypto security improvements should be particularly relevant for production applications handling sensitive cryptographic operations.

That's your Node.js update for today.