tools: add root certificate update script

[richardlau]

Automates the steps from doc/contributing/maintaining-root-certs.md.
Extend "Tools and deps update" workflow to use the new script to update
the root certificates.

---

I attempted to test the workflow changes over in https://github.com/nodejs/node-auto-test but it looks like the tokens/permissions are not set up for that repository: https://github.com/nodejs/node-auto-test/actions/runs/4621889241

Running the new update script locally updates to NSS 3.89:

$ nvm run 18 tools/dep_updaters/update-root-certs.mjs -v
Running node v18.14.0 (npm v9.3.1)
Fetching NSS release schedule
Found NSS version:
{
  version: '3.89',
  date: 2023-03-09T00:00:00.000Z,
  firefoxVersion: '112',
  firefoxDate: 2023-04-11T00:00:00.000Z
}
Fetching https://hg.mozilla.org/projects/nss/raw-file/NSS_3_89_RTM/lib/ckfw/builtins/certdata.txt
Writing /home/rlau/sandbox/github/node/tools/certdata.txt
Running tools/mk-ca-bundle.pl
Parsing: GlobalSign Root CA
Parsing: Entrust.net Premium 2048 Secure Server CA
Parsing: Baltimore CyberTrust Root
Parsing: Entrust Root Certification Authority
Parsing: Comodo AAA Services root
Parsing: QuoVadis Root CA 2
Parsing: QuoVadis Root CA 3
Parsing: Security Communication Root CA
Parsing: XRamp Global CA Root
Parsing: Go Daddy Class 2 CA
Parsing: Starfield Class 2 CA
Parsing: DigiCert Assured ID Root CA
Parsing: DigiCert Global Root CA
Parsing: DigiCert High Assurance EV Root CA
Parsing: SwissSign Gold CA - G2
Parsing: SwissSign Silver CA - G2
Parsing: SecureTrust CA
Parsing: Secure Global CA
Parsing: COMODO Certification Authority
Parsing: COMODO ECC Certification Authority
Parsing: Certigna
Parsing: ePKI Root Certification Authority
Parsing: certSIGN ROOT CA
Parsing: NetLock Arany (Class Gold) Főtanúsítvány
Parsing: Hongkong Post Root CA 1
Parsing: SecureSign RootCA11
Parsing: Microsec e-Szigno Root CA 2009
Parsing: GlobalSign Root CA - R3
Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068
Parsing: Izenpe.com
Parsing: Go Daddy Root Certificate Authority - G2
Parsing: Starfield Root Certificate Authority - G2
Parsing: Starfield Services Root Certificate Authority - G2
Parsing: AffirmTrust Commercial
Parsing: AffirmTrust Networking
Parsing: AffirmTrust Premium
Parsing: AffirmTrust Premium ECC
Parsing: Certum Trusted Network CA
Parsing: TWCA Root Certification Authority
Parsing: Security Communication RootCA2
Parsing: Actalis Authentication Root CA
Parsing: Buypass Class 2 Root CA
Parsing: Buypass Class 3 Root CA
Parsing: T-TeleSec GlobalRoot Class 3
Parsing: D-TRUST Root Class 3 CA 2 2009
Parsing: D-TRUST Root Class 3 CA 2 EV 2009
Parsing: CA Disig Root R2
Parsing: ACCVRAIZ1
Parsing: TWCA Global Root CA
Parsing: TeliaSonera Root CA v1
Parsing: E-Tugra Certification Authority
Parsing: T-TeleSec GlobalRoot Class 2
Parsing: Atos TrustedRoot 2011
Parsing: QuoVadis Root CA 1 G3
Parsing: QuoVadis Root CA 2 G3
Parsing: QuoVadis Root CA 3 G3
Parsing: DigiCert Assured ID Root G2
Parsing: DigiCert Assured ID Root G3
Parsing: DigiCert Global Root G2
Parsing: DigiCert Global Root G3
Parsing: DigiCert Trusted Root G4
Parsing: COMODO RSA Certification Authority
Parsing: USERTrust RSA Certification Authority
Parsing: USERTrust ECC Certification Authority
Parsing: GlobalSign ECC Root CA - R5
Parsing: IdenTrust Commercial Root CA 1
Parsing: IdenTrust Public Sector Root CA 1
Parsing: Entrust Root Certification Authority - G2
Parsing: Entrust Root Certification Authority - EC1
Parsing: CFCA EV ROOT
Parsing: OISTE WISeKey Global Root GB CA
Parsing: SZAFIR ROOT CA2
Parsing: Certum Trusted Network CA 2
Parsing: Hellenic Academic and Research Institutions RootCA 2015
Parsing: Hellenic Academic and Research Institutions ECC RootCA 2015
Parsing: ISRG Root X1
Parsing: AC RAIZ FNMT-RCM
Parsing: Amazon Root CA 1
Parsing: Amazon Root CA 2
Parsing: Amazon Root CA 3
Parsing: Amazon Root CA 4
Parsing: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Parsing: GDCA TrustAUTH R5 ROOT
Parsing: SSL.com Root Certification Authority RSA
Parsing: SSL.com Root Certification Authority ECC
Parsing: SSL.com EV Root Certification Authority RSA R2
Parsing: SSL.com EV Root Certification Authority ECC
Parsing: GlobalSign Root CA - R6
Parsing: OISTE WISeKey Global Root GC CA
Parsing: UCA Global G2 Root
Parsing: UCA Extended Validation Root
Parsing: Certigna Root CA
Parsing: emSign Root CA - G1
Parsing: emSign ECC Root CA - G3
Parsing: emSign Root CA - C1
Parsing: emSign ECC Root CA - C3
Parsing: Hongkong Post Root CA 3
Parsing: Entrust Root Certification Authority - G4
Parsing: Microsoft ECC Root Certificate Authority 2017
Parsing: Microsoft RSA Root Certificate Authority 2017
Parsing: e-Szigno Root CA 2017
Parsing: certSIGN Root CA G2
Parsing: Trustwave Global Certification Authority
Parsing: Trustwave Global ECC P256 Certification Authority
Parsing: Trustwave Global ECC P384 Certification Authority
Parsing: NAVER Global Root Certification Authority
Parsing: AC RAIZ FNMT-RCM SERVIDORES SEGUROS
Parsing: GlobalSign Root R46
Parsing: GlobalSign Root E46
Parsing: GLOBALTRUST 2020
Parsing: ANF Secure Server Root CA
Parsing: Certum EC-384 CA
Parsing: Certum Trusted Root CA
Parsing: TunTrust Root CA
Parsing: HARICA TLS RSA Root CA 2021
Parsing: HARICA TLS ECC Root CA 2021
Parsing: Autoridad de Certificacion Firmaprofesional CIF A62634068
Parsing: vTrus ECC Root CA
Parsing: vTrus Root CA
Parsing: ISRG Root X2
Parsing: HiPKI Root CA - G1
Parsing: GlobalSign ECC Root CA - R4
Parsing: GTS Root R1
Parsing: GTS Root R2
Parsing: GTS Root R3
Parsing: GTS Root R4
Parsing: Telia Root CA v2
Parsing: D-TRUST BR Root CA 1 2020
Parsing: D-TRUST EV Root CA 1 2020
Parsing: DigiCert TLS ECC P384 Root G5
Parsing: DigiCert TLS RSA4096 Root G5
Parsing: Certainly Root R1
Parsing: Certainly Root E1
Parsing: E-Tugra Global Root CA RSA v3
Parsing: E-Tugra Global Root CA ECC v3
Parsing: Security Communication RootCA3
Parsing: Security Communication ECC RootCA1
Done (137 CA certs processed, 23 skipped).

diff --git a/src/node_root_certs.h b/src/node_root_certs.h
index 025df5ca33..010a4d1616 100644
--- a/src/node_root_certs.h
+++ b/src/node_root_certs.h
@@ -474,29 +474,6 @@
 "+8cFduPYSo38NBejxiEovjBFMR7HeL5YYTisO+IBZQ==\n"
 "-----END CERTIFICATE-----",

-/* Network Solutions Certificate Authority */
-"-----BEGIN CERTIFICATE-----\n"
-"MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBiMQswCQYD\n"
-"VQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO\n"
-"ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDYxMjAxMDAwMDAw\n"
-"WhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1\n"
-"dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBB\n"
-"dXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xG\n"
-"zuAnlt7e+foS0zwzc7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQ\n"
-"NJIg6nPPOCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl\n"
-"mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnFBgrEsEX1\n"
-"QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4qY5usyd2mFHgBeMh\n"
-"qxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcwgZQwHQYDVR0OBBYEFCEwyfsA\n"
-"106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MFIGA1Ud\n"
-"HwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwubmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25z\n"
-"Q2VydGlmaWNhdGVBdXRob3JpdHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ot\n"
-"t3NHhWrB5KUd5Oc86fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVR\n"
-"DuwduIj/h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH\n"
-"/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3HtvwKeI8lN3\n"
-"s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHNpGxlaKFJdlxDydi8\n"
-"NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey\n"
-"-----END CERTIFICATE-----",
-
 /* COMODO ECC Certification Authority */
 "-----BEGIN CERTIFICATE-----\n"
 "MIICiTCCAg+gAwIBAgIQH0evqmIAcFBUTAGem2OZKjAKBggqhkjOPQQDAzCBhTELMAkGA1UE\n"
@@ -980,36 +957,6 @@
 "SjnRBUkLp7Y3gaVdjKozXoEofKd9J+sAro03\n"
 "-----END CERTIFICATE-----",

-/* EC-ACC */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB8zELMAkG\n"
-"A1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2VydGlmaWNhY2lvIChO\n"
-"SUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1YmxpY3MgZGUgQ2VydGlmaWNh\n"
-"Y2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAo\n"
-"YykwMzE1MDMGA1UECxMsSmVyYXJxdWlhIEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRh\n"
-"bGFuZXMxDzANBgNVBAMTBkVDLUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTla\n"
-"MIHzMQswCQYDVQQGEwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZp\n"
-"Y2FjaW8gKE5JRiBRLTA4MDExNzYtSSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBD\n"
-"ZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQubmV0L3Zl\n"
-"cmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJhcnF1aWEgRW50aXRhdHMgZGUgQ2VydGlmaWNh\n"
-"Y2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUNDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\n"
-"MIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R85iKw5K4/0CQBXCHYMkAqbWUZRkiFRfC\n"
-"Q2xmRJoNBD45b6VLeqpjt4pEndljkYRm4CgPukLjbo73FCeTae6RDqNfDrHrZqJyTxIThmV6\n"
-"PttPB/SnCWDaOkKZx7J/sxaVHMf5NLWUhdWZXqBIoH7nF2W4onW4HvPlQn2v7fOKSGRdghST\n"
-"2MDk/7NQcvJ29rNdQlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0aE9jD2z3Il3rucO2n\n"
-"5nzbcc8tlGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw0JDnJwIDAQAB\n"
-"o4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8EBTADAQH/\n"
-"MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4opvpXY0wfwYDVR0g\n"
-"BHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBodHRwczovL3d3dy5jYXRjZXJ0\n"
-"Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidWZWdldSBodHRwczovL3d3dy5jYXRjZXJ0\n"
-"Lm5ldC92ZXJhcnJlbCAwDQYJKoZIhvcNAQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/\n"
-"sXE7zDkJlF7W2u++AVtd0x7Y/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPp\n"
-"qojlNcAZQmNaAl6kSBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7Awa\n"
-"boMMPOhyRp/7SNVel+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOS\n"
-"Agu+TGbrIP65y7WZf+a2E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xlnJ2lYJU6\n"
-"Un/10asIbvPuW/mIPX64b24D5EI=\n"
-"-----END CERTIFICATE-----",
-
 /* Actalis Authentication Root CA */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIFuzCCA6OgAwIBAgIIVwoRl0LE48wwDQYJKoZIhvcNAQELBQAwazELMAkGA1UEBhMCSVQx\n"
@@ -1670,36 +1617,6 @@
 "+SvzZpA3\n"
 "-----END CERTIFICATE-----",

-/* Staat der Nederlanden EV Root CA */
-"-----BEGIN CERTIFICATE-----\n"
-"MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJOTDEeMBwG\n"
-"A1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFhdCBkZXIgTmVkZXJs\n"
-"YW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0yMjEyMDgxMTEwMjhaMFgxCzAJ\n"
-"BgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0\n"
-"YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8A\n"
-"MIICCgKCAgEA48d+ifkkSzrSM4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79\n"
-"VWZxXSzFYGgEt9nCUiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs\n"
-"3NZmdO3dZ//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p\n"
-"rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13lpJhQDBXd\n"
-"4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXbj5IusHsMX/FjqTf5\n"
-"m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxCKFhmpUZtcALXEPlLVPxdhkqH\n"
-"z3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS/ZbV0b5GnUngC6agIk440ME8MLxwjyx1\n"
-"zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0XcgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8J\n"
-"OV3nI6qaHcptqAqGhYqCvkIH1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZB\n"
-"iFxgV6YuCcS6/ZrPpx9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/\n"
-"BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7\n"
-"MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsIeK9p0gtJ\n"
-"3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u2dfOWBfoqSmuc0iH\n"
-"55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHSv4ilf0X8rLiltTMMgsT7B/Zq\n"
-"5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTCwPTxGfARKbalGAKb12NMcIxHowNDXLld\n"
-"RqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKyCqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW\n"
-"2HNnh/tNf1zuacpzEPuKqf2evTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy\n"
-"+TSrK0m1zSBi5Dp6Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCj\n"
-"uTaPPoIaGl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL\n"
-"eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8FVdMpEbB\n"
-"4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc7uzXLg==\n"
-"-----END CERTIFICATE-----",
-
 /* IdenTrust Commercial Root CA 1 */
 "-----BEGIN CERTIFICATE-----\n"
 "MIIFYDCCA0igAwIBAgIQCgFCgAAAAUUjyES1AAAAAjANBgkqhkiG9w0BAQsFADBKMQswCQYD\n"

NEW_VERSION=3.89
COMMIT_MSG<<235daeed-339c-4351-b68f-69a3e44ea577
crypto: update root certificates to NSS 3.89

This is the certdata.txt[0] from NSS 3.89, released on 2023-03-09.

This is the version of NSS that will ship in Firefox 112 on
2023-04-11.

Certificates removed:
- Network Solutions Certificate Authority
- EC-ACC
- Staat der Nederlanden EV Root CA

[0] https://hg.mozilla.org/projects/nss/raw-file/NSS_3_89_RTM/lib/ckfw/builtins/certdata.txt
235daeed-339c-4351-b68f-69a3e44ea577

$

[nodejs-github-bot]

Review requested:

• @nodejs/actions
• @nodejs/tsc

[richardlau]

One difference from the previous manual steps in doc/contributing/maintaining-root-certs.md is that the automation collapses the two commits into a single commit to fit in with the existing tools workflow.

[mhdawson]

LGTM once issues flagged by linter are resolved.

[richardlau]

LGTM once issues flagged by linter are resolved.

Fixed now.

[richardlau]

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

[marco-ippolito]

LGTM

[richardlau]

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

This opened #47429. The second commit in that looks correct. The first commit looks odd, but is probably a side-effect of running the workflow from this branch which hasn't been merged.

[richardlau]

Manually dispatched the workflow using this branch: https://github.com/nodejs/node/actions/runs/4622343859

This opened #47429. The second commit in that looks correct. The first commit looks odd, but is probably a side-effect of running the workflow from this branch which hasn't been merged.

Ah, it's probably because this branch doesn't have #47339. Anyway that shouldn't be an issue when this is merged and the workflow run from main.

[tniessen]

Do we usually do these as semver-minor? I'm not sure.

Suggested change

	label: crypto, notable-change
	label: crypto, notable-change, semver-minor

I'm also not sure if it's notable.

[richardlau]

#45490, #40280 and #35546 were not labelled semver-minor PRs that contain new features and should be released in the next minor version. but were labelled notable-change PRs with changes that should be highlighted in changelogs. . I kind of feel that listing the removed and/or added certificates should be in the release notes (hence notable-change PRs with changes that should be highlighted in changelogs. ).

[richardlau]

Do we usually do these as semver-minor? I'm not sure.

@nodejs/releasers @nodejs/crypto Thoughts? We haven't been labelling root certificates updates as semver-minor, but maybe we should be?

[targos]

I would say no, but I understand if people think differently. To me this is more a bug fix (a certificate that would error before is then accepted). It doesn't add anything to the public API.

[richardlau]

To clarify my stance on notable-change PRs with changes that should be highlighted in changelogs. -- I'm thinking that when certificates are removed (often for security reasons) that at least noting that will help anyone running into issues because of it.

[bnoordhuis]

I'm in the semver-minor camp but with only one toe and it's not even my big toe. Call it +.1

[bnoordhuis]

LGTM, and good idea.

[bnoordhuis]

I'm in the semver-minor camp but with only one toe and it's not even my big toe. Call it +.1

[richardlau]

I may not be around much over the Easter weekend (Friday and Monday are public holidays here). I've added the commit-queue Add this label to land a pull request using GitHub Actions. label so this can land after the wait period (and no objections). Not labelling the updates semver-minor PRs that contain new features and should be released in the next minor version. (the current state of this PR) is what we've been doing, which I am persuadable to change. If we do decide to make these updates semver-minor PRs that contain new features and should be released in the next minor version. by default, that's easily done in a follow up PR.

[lpinca]

RSLGTM

[nodejs-github-bot]

Landed in a75871a