Node.js Driver release notes for 2026

This article contains the release notes for the Node.js Driver, including the following when applicable:

  • Behavior changes
  • New features
  • Customer-facing bug fixes

Snowflake uses semantic versioning for Node.js Driver updates.

See Node.js Driver for documentation.

Version 2.4.1 (May 12, 2026)

New features and updates

  • Reduced peak memory usage when streaming large result sets by reordering the chunk lifecycle to free the previous chunk before parsing the next one.
  • Bumped axios to version 1.15.1 to address the deprecated url.parse() warning in Node.js 22+ and a set of security issues, including CVE-2025-62718.
  • Pinned all @aws-sdk/* dependencies to their latest minor (patch floats only) to avoid breaking changes for supported Node.js versions (Node 18+).
  • Removed the browser-request dependency and related dead code.
  • Dropped the uuid dependency in favor of the Node.js built-in crypto.randomUUID().

Bug fixes

  • Fixed file name pattern matching to not match dot-prefixed files or directories by default, aligning with standard glob behavior and the dot: false default. This bug was introduced in v2.3.3.
  • Fixed the OAUTH_AUTHORIZATION_CODE cache not evicting entries on server 390303 errors.

Version 2.4.0 (Apr 07, 2026)

New features and updates

  • Added the browserRedirectPort connection option to customize the port of the local server that receives the EXTERNALBROWSER authentication callback.
  • Bumped @aws-sdk/* dependencies to address a fast-xml-parser vulnerability.
  • Improved keep-alive HTTP agents with a 30-second idle socket timeout that proactively discards stale connections before the server closes them, preventing socket hang up and ECONNRESET errors.

Bug fixes

  • Fixed connection pools re-prompting browser authentication for every pooled connection when using EXTERNALBROWSER or OAUTH_AUTHORIZATION_CODE authenticators. The first connection now completes auth and caches tokens before subsequent pool connections start.
  • Fixed session token renewal failing due to a malformed request, which caused long-running connections to disconnect instead of refreshing their expired session token.
  • Fixed query context cache not being updated on failed queries, which could cause a stale cache when subsequent queries land on a different GS node.

Version 2.3.6 (Mar 25, 2026)

New features and updates

  • Added support for every authenticator type (including external browser and Okta) in connect(), matching connectAsync().
  • Removed the @google-cloud/storage dependency. GCS transfers now use the JSON API directly. The forceGCPUseDownscopedCredential connection option has been removed as it is no longer needed.
  • Updated the default jsonColumnVariantParser to fall back to eval-based parsing for non-JSON-compliant variant values (such as undefined, NaN, and Infinity), restoring pre-2.3.5 behavior while keeping JSON.parse as the primary parser.

Bug fixes

  • Fixed the OAUTH_AUTHORIZATION_CODE authenticator not honoring the openExternalBrowserCallback connection option.
  • Fixed createConnection() and createPool() types to accept no arguments, matching the runtime behavior of loading configuration from connections.toml.
  • Fixed the account field in the ConnectionOptions type to be optional, since it can be derived from accessUrl or host.
  • Fixed external browser SSO authentication crashing when the SSO URL request returns a server-side error.

Version 2.3.5 (Mar 17, 2026)

New features and updates

  • Added the ability to skip token file permission checks by using the SF_SKIP_TOKEN_FILE_PERMISSIONS_VERIFICATION environment variable.
  • Added Node 18+ to engines, which is the minimum officially supported version since the 2.x release.
  • Added the PLATFORM field to login-request telemetry.
  • Added request retries to previously uncovered query execution paths.
  • Added the rowStreamHighWaterMark connection option to control how many rows are buffered when streaming query results through statement.streamRows().
  • Added a warning when converting query results to JavaScript numbers with precision loss.
  • Added snake_case key support when loading connections.toml through createConnection() with no arguments.
  • Exported the normalizeConnectionOptions() utility to convert snake_case connection keys to camelCase, with key aliases and acronym overrides.
  • Added the LIBC_FAMILY and LIBC_VERSION fields to login-request telemetry.
  • Added the crlDownloadMaxSize configuration option to enforce a maximum response size limit when downloading CRL files.
  • Added RSASSA-PSS signature verification support for CRL validation.
  • Improved error details when OAuth fails.
  • Changed the default jsonColumnVariantParser to JSON.parse.
  • Updated Linux GNU minicore binaries to target glibc 2.18 for broader compatibility with older Linux distributions.

Bug fixes

  • Fixed OAuth crashing when using bundlers.

  • Fixed Binds typing to allow readonly arrays.

  • Fixed the connectAsync() method resolving before the connection is completed.

  • Fixed incorrect handling of a callback argument that should be optional in connect() and connectAsync().

  • Fixed a bug where an invalid JWT was generated if a user accidentally set both the account and the host in the configuration.

  • Fixed a bug where parsing the JSON media type failed when it included an optional parameter from Microsoft Identity Platform v2.0 tokens, causing the OAuth Client Credentials flow to fail.

  • Fixed disableSamlUrlCheck typing to use the correct casing: disableSamlURLCheck.

  • Fixed getDefaultCacheDir() crashing in environments where no user home directory is configured by falling back to os.tmpdir().

  • Fixed SF_OCSP_RESPONSE_CACHE_DIR not being used directly as the OCSP cache directory.

  • Fixed bugs in noProxy and NO_PROXY handling:

    • The .domain.com wildcard format was not correctly matching the destination host.
    • . was incorrectly matching as any character instead of a literal dot.
    • Partial strings were incorrectly matching instead of requiring a full destination match.

  • Fixed CRL ADVISORY mode to log failures at the warn level instead of debug.

  • Fixed OAuth Authorization Code reauthentication not using the refreshed access token when the cached access token is expired.

  • Fixed OAuth Authorization Code refresh token being removed from cache when the IDP does not return a new one.

  • Fixed an unhandled promise rejection when the server returns malformed query responses.

Version 2.3.4 (Feb 09, 2026)

New features and updates

  • Reduced memory usage during PUT operations.
  • Added APPLICATION_PATH to login-request telemetry.
  • Added Linux distribution details parsed from /etc/os-release to login-request telemetry.
  • Bumped axios to version 1.13.4 to address a bug in axios interceptors.
  • Bumped other dependencies to their latest minor versions.

Bug fixes

  • Fixed inconsistent retry behavior across HTTP requests and ensured all recoverable failures are properly retried.
  • Fixed invalid oauth scope when role and oauthScope are missing from the connection configuration.
  • Fixed APPLICATION field not being passed from the connection configuration to login-request telemetry.
  • Fixed build errors in bundlers caused by the minicore module.