Node.js Driver release notes for 2026¶

Added support for every authenticator type (including external browser and Okta) in connect(), matching connectAsync().

Removed the @google-cloud/storage dependency. GCS transfers now use the JSON API directly. The forceGCPUseDownscopedCredential connection option has been removed as it is no longer needed.

Updated the default jsonColumnVariantParser to fall back to eval-based parsing for non-JSON-compliant variant values (such as undefined, NaN, and Infinity), restoring pre-2.3.5 behavior while keeping JSON.parse as the primary parser.

Fixed the OAUTH_AUTHORIZATION_CODE authenticator not honoring the openExternalBrowserCallback connection option.

Fixed createConnection() and createPool() types to accept no arguments, matching the runtime behavior of loading configuration from connections.toml.

Fixed the account field in the ConnectionOptions type to be optional, since it can be derived from accessUrl or host.

Fixed external browser SSO authentication crashing when the SSO URL request returns a server-side error.

Added the ability to skip token file permission checks by using the SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION environment variable.

Added Node 18+ to engines, which is the minimum officially supported version since the 2.x release.

Added the PLATFORM field to login-request telemetry.

Added request retries to previously uncovered query execution paths.

Added the rowStreamHighWaterMark connection option to control how many rows are buffered when streaming query results through statement.streamRows().

Added a warning when converting query results to JavaScript numbers with precision loss.

Added snake_case key support when loading connections.toml through createConnection() with no arguments.

Exported the normalizeConnectionOptions() utility to convert snake_case connection keys to camelCase, with key aliases and acronym overrides.

Added the LIBC_FAMILY and LIBC_VERSION fields to login-request telemetry.

Added the crlDownloadMaxSize configuration option to enforce a maximum response size limit when downloading CRL files.

Added RSASSA-PSS signature verification support for CRL validation.

Improved error details when OAuth fails.

Changed the default jsonColumnVariantParser to JSON.parse.

Updated Linux GNU minicore binaries to target glibc 2.18 for broader compatibility with older Linux distributions.

Fixed OAuth crashing when using bundlers.

Fixed Binds typing to allow readonly arrays.

Fixed the connectAsync() method resolving before the connection is completed.

Fixed incorrect handling of a callback argument that should be optional in connect() and connectAsync().

Fixed a bug where an invalid JWT was generated if a user accidentally set both the account and the host in the configuration.

Fixed a bug where parsing the JSON media type failed when it included an optional parameter from Microsoft Identity Platform v2.0 tokens, causing the OAuth Client Credentials flow to fail.

Fixed disableSamlUrlCheck typing to use the correct casing: disableSamlURLCheck.

Fixed getDefaultCacheDir() crashing in environments where no user home directory is configured by falling back to os.tmpdir().

Fixed SF_OCSP_RESPONSE_CACHE_DIR not being used directly as the OCSP cache directory.

Fixed bugs in noProxy and NO_PROXY handling:

• The .domain.com wildcard format was not correctly matching the destination host.

• . was incorrectly matching as any character instead of a literal dot.

• Partial strings were incorrectly matching instead of requiring a full destination match.

Fixed CRL ADVISORY mode to log failures at the warn level instead of debug.

Fixed OAuth Authorization Code reauthentication not using the refreshed access token when the cached access token is expired.

Fixed OAuth Authorization Code refresh token being removed from cache when the IDP does not return a new one.

Fixed an unhandled promise rejection when the server returns malformed query responses.

Reduced memory usage during PUT operations.

Added APPLICATION_PATH to login-request telemetry.

Added Linux distribution details parsed from /etc/os-release to login-request telemetry.

Bumped axios to version 1.13.4 to address a bug in axios interceptors.

Bumped other dependencies to their latest minor versions.

Fixed inconsistent retry behavior across HTTP requests and ensured all recoverable failures are properly retried.

Fixed invalid oauth scope when role and oauthScope are missing from the connection configuration.

Fixed APPLICATION field not being passed from the connection configuration to login-request telemetry.

Fixed build errors in bundlers caused by the minicore module.