nodejs · kxxt · Jan 24, 2026 · Jan 25, 2026 · Jan 30, 2026 · Feb 2, 2026
diff --git a/.github/workflows/build-tarball.yml b/.github/workflows/build-tarball.yml
@@ -30,7 +30,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
 
 permissions:

diff --git a/.github/workflows/coverage-linux-without-intl.yml b/.github/workflows/coverage-linux-without-intl.yml
@@ -34,7 +34,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CC: sccache clang
   CXX: sccache clang++

diff --git a/.github/workflows/coverage-linux.yml b/.github/workflows/coverage-linux.yml
@@ -34,7 +34,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CC: sccache clang
   CXX: sccache clang++

diff --git a/.github/workflows/coverage-windows.yml b/.github/workflows/coverage-windows.yml
@@ -34,7 +34,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
 
 permissions:

diff --git a/.github/workflows/daily-wpt-fyi.yml b/.github/workflows/daily-wpt-fyi.yml
@@ -13,7 +13,7 @@ on:
     - cron: 30 0 * * *
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
 
 permissions:
   contents: read

diff --git a/.github/workflows/lint-release-proposal.yml b/.github/workflows/lint-release-proposal.yml
@@ -10,7 +10,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   NODE_VERSION: lts/*
 
 permissions:

diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
@@ -14,7 +14,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   NODE_VERSION: lts/*
 
 permissions:

diff --git a/.github/workflows/test-internet.yml b/.github/workflows/test-internet.yml
@@ -31,7 +31,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CC: sccache clang
   CXX: sccache clang++

diff --git a/.github/workflows/test-linux.yml b/.github/workflows/test-linux.yml
@@ -29,7 +29,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CC: sccache clang
   CXX: sccache clang++

diff --git a/.github/workflows/test-macos.yml b/.github/workflows/test-macos.yml
@@ -31,7 +31,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
   XCODE_VERSION: '16.1'
   FLAKY_TESTS: keep_retrying
 

diff --git a/.github/workflows/tools.yml b/.github/workflows/tools.yml
@@ -43,7 +43,7 @@ on:
           - zstd
 
 env:
-  PYTHON_VERSION: '3.12'
+  PYTHON_VERSION: '3.14'
 
 permissions:
   contents: read

diff --git a/README.md b/README.md
@@ -305,6 +305,8 @@ For information about the governance of the Node.js project, see
   **Ruben Bridgewater** <<ruben@bridgewater.de>> (he/him)
 * [cclauss](https://github.com/cclauss) -
   **Christian Clauss** <<cclauss@me.com>> (he/him)
+* [ChALkeR](https://github.com/ChALkeR) -
+  **Сковорода Никита Андреевич** <<chalkerx@gmail.com>> (he/him)
 * [cjihrig](https://github.com/cjihrig) -
   **Colin Ihrig** <<cjihrig@gmail.com>> (he/him)
 * [codebytere](https://github.com/codebytere) -
@@ -499,8 +501,6 @@ For information about the governance of the Node.js project, see
   **Bartosz Sosnowski** <<bartosz@janeasystems.com>>
 * [calvinmetcalf](https://github.com/calvinmetcalf) -
   **Calvin Metcalf** <<calvin.metcalf@gmail.com>>
-* [ChALkeR](https://github.com/ChALkeR) -
-  **Сковорода Никита Андреевич** <<chalkerx@gmail.com>> (he/him)
 * [chrisdickinson](https://github.com/chrisdickinson) -
   **Chris Dickinson** <<christopher.s.dickinson@gmail.com>>
 * [claudiorodriguez](https://github.com/claudiorodriguez) -
@@ -900,10 +900,10 @@ releases on a rotation basis as outlined in the
   * [mcollina](https://github.com/mcollina) - OpenJSF handle: `mcollina`
     **Matteo Collina** <<matteo.collina@gmail.com>> (he/him)
 * [Red Hat](https://redhat.com) / [IBM](https://ibm.com)
-  * [joesepi](https://github.com/joesepi) -
-    **Joe Sepi** <<joesepi@ibm.com>> (he/him)
-  * [mhdawson](https://github.com/mhdawson) -
-    **Michael Dawson** <<midawson@redhat.com>> (he/him)
+  * [BethGriggs](https://github.com/BethGriggs) -
+    **Beth Griggs** <<bethanyngriggs@gmail.com>> (she/her)
+  * [sxa](https://github.com/sxa) -
+    **Stewart X Addison** <<sxa@redhat.com>> (he/him)
 
 ## License
 

diff --git a/SECURITY.md b/SECURITY.md
@@ -373,3 +373,100 @@ repository.
 
 In the event of a security incident, please refer to the
 [Security Incident Response Plan](https://github.com/nodejs/security-wg/blob/main/INCIDENT_RESPONSE_PLAN.md).
+
+## Node.js Security Team
+
+Node.js security team members are expected to keep all information that they
+have privileged access to by being on the team completely private to the team.
+This includes agreeing to not notify anyone outside the team of issues that have
+not yet been disclosed publicly, including the existence of issues, expectations
+of upcoming releases, and patching of any issues other than in the process of
+their work as a member of the security team.
+
+### Node.js Security Team Membership Policy
+
+The Node.js Security Team has access to security-sensitive issues and patches
+that aren't appropriate for public availability.
+
+The policy for inclusion is as follows:
+
+1. All members of @nodejs/TSC have access to private security reports and
+   private patches.
+2. Members of the @nodejs/releasers team
+   have access to private security patches in order to produce releases.
+3. On a case-by-case basis, individuals outside the Technical Steering
+   Committee are invited by the TSC to have access to private security reports
+   or private patches so that their expertise can be applied to an issue or
+   patch. This access may be temporary or permanent, as decided by the TSC.
+
+Membership on the security teams can be requested via an issue in the TSC repo.
+
+## Team responsible for Triaging security reports
+
+The responsibility of Triage is to determine whether Node.js must take any
+action to mitigate the issue, and if so, to ensure that the action is taken.
+
+Mitigation may take many forms, for example, a Node.js security release that
+includes a fix, documentation, an informational CVE or blog post.
+
+* [@mcollina](https://github.com/mcollina) - Matteo Collina
+* [@RafaelGSS](https://github.com/RafaelGSS) - Rafael Gonzaga
+* [@vdeturckheim](https://github.com/vdeturckheim) - Vladimir de Turckheim
+* [@BethGriggs](https://github.com/BethGriggs) - Beth Griggs
+
+## Team with access to private security reports against Node.js
+
+[TSC voting members](https://github.com/nodejs/node#tsc-voting-members)
+have access.
+
+In addition, these individuals have access:
+
+* [BethGriggs](https://github.com/BethGriggs) - **Beth Griggs**
+* [MylesBorins](https://github.com/MylesBorins) -  **Myles Borins**
+* [bengl](https://github.com/bengl)- **Bryan English**
+* [bnoordhuis](https://github.com/bnoordhuis) **Ben Noordhuis**
+* [cjihrig](https://github.com/cjihrig) **Colin Ihrig**
+* [joesepi](https://github.com/joesepi) - **Joe Sepi**
+* [juanarbol](https://github.com/juanarbol) **Juan Jose Arboleda**
+* [ulisesgascon](https://github.com/ulisesgascon) **Ulises Gascón**
+* [vdeturckheim](https://github.com/vdeturckheim) - **Vladimir de Turckheim**
+
+The list is from the [member page](https://hackerone.com/organizations/nodejs/settings/users) for
+the Node.js program on HackerOne.
+
+## Team with access to private security patches to Node.js
+
+<!-- ncu-team-sync.team(nodejs-private/security) -->
+
+* [@aduh95](https://github.com/aduh95) - Antoine du Hamel
+* [@anonrig](https://github.com/anonrig) - Yagiz Nizipli
+* [@bengl](https://github.com/bengl) - Bryan English
+* [@benjamingr](https://github.com/benjamingr) - Benjamin Gruenbaum
+* [@bmeck](https://github.com/bmeck) - Bradley Farias
+* [@bnoordhuis](https://github.com/bnoordhuis) - Ben Noordhuis
+* [@BridgeAR](https://github.com/BridgeAR) - Ruben Bridgewater
+* [@gireeshpunathil](https://github.com/gireeshpunathil) - Gireesh Punathil
+* [@guybedford](https://github.com/guybedford) - Guy Bedford
+* [@indutny](https://github.com/indutny) - Fedor Indutny
+* [@jasnell](https://github.com/jasnell) - James M Snell
+* [@joaocgreis](https://github.com/joaocgreis) - João Reis
+* [@joesepi](https://github.com/joesepi) - Joe Sepi
+* [@joyeecheung](https://github.com/joyeecheung) - Joyee Cheung
+* [@juanarbol](https://github.com/juanarbol) - Juan José
+* [@legendecas](https://github.com/legendecas) - Chengzhong Wu
+* [@marco-ippolito](https://github.com/marco-ippolito) - Marco Ippolito
+* [@mcollina](https://github.com/mcollina) - Matteo Collina
+* [@MoLow](https://github.com/MoLow) - Moshe Atlow
+* [@panva](https://github.com/panva) - Filip Skokan
+* [@RafaelGSS](https://github.com/RafaelGSS) - Rafael Gonzaga
+* [@richardlau](https://github.com/richardlau) - Richard Lau
+* [@ronag](https://github.com/ronag) - Robert Nagy
+* [@ruyadorno](https://github.com/ruyadorno) - Ruy Adorno
+* [@santigimeno](https://github.com/santigimeno) - Santiago Gimeno
+* [@ShogunPanda](https://github.com/ShogunPanda) - Paolo Insogna
+* [@targos](https://github.com/targos) - Michaël Zasso
+* [@tniessen](https://github.com/tniessen) - Tobias Nießen
+* [@UlisesGascon](https://github.com/UlisesGascon) - Ulises Gascón
+* [@vdeturckheim](https://github.com/vdeturckheim) - Vladimir de Turckheim
+
+<!-- ncu-team-sync end -->
diff --git a/android-configure b/android-configure
@@ -4,6 +4,7 @@
 # Note that the mix of single and double quotes is intentional,
 # as is the fact that the ] goes on a new line.
 _=[ 'exec' '/bin/sh' '-c' '''
+command -v python3.14 >/dev/null && exec python3.14 "$0" "$@"
 command -v python3.13 >/dev/null && exec python3.13 "$0" "$@"
 command -v python3.12 >/dev/null && exec python3.12 "$0" "$@"
 command -v python3.11 >/dev/null && exec python3.11 "$0" "$@"
@@ -22,7 +23,7 @@ except ImportError:
   from distutils.spawn import find_executable as which
 
 print('Node.js android configure: Found Python {}.{}.{}...'.format(*sys.version_info))
-acceptable_pythons = ((3, 13), (3, 12), (3, 11), (3, 10), (3, 9))
+acceptable_pythons = ((3, 14), (3, 13), (3, 12), (3, 11), (3, 10), (3, 9))
 if sys.version_info[:2] in acceptable_pythons:
   import android_configure
 else:

diff --git a/common.gypi b/common.gypi
@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.40',
+    'v8_embedder_string': '-node.41',
 
     ##### V8 defaults for Node.js #####
 

diff --git a/configure b/configure
@@ -4,6 +4,7 @@
 # Note that the mix of single and double quotes is intentional,
 # as is the fact that the ] goes on a new line.
 _=[ 'exec' '/bin/sh' '-c' '''
+command -v python3.14 >/dev/null && exec python3.14 "$0" "$@"
 command -v python3.13 >/dev/null && exec python3.13 "$0" "$@"
 command -v python3.12 >/dev/null && exec python3.12 "$0" "$@"
 command -v python3.11 >/dev/null && exec python3.11 "$0" "$@"
@@ -22,7 +23,7 @@ except ImportError:
   from distutils.spawn import find_executable as which
 
 print('Node.js configure: Found Python {}.{}.{}...'.format(*sys.version_info))
-acceptable_pythons = ((3, 13), (3, 12), (3, 11), (3, 10), (3, 9))
+acceptable_pythons = ((3, 14), (3, 13), (3, 12), (3, 11), (3, 10), (3, 9))
 if sys.version_info[:2] in acceptable_pythons:
   import configure
 else: