@types/node 24.3.0 → 24.7.2

node/crypto.d.ts

@@ -510,50 +510,50 @@ declare module "crypto" {
         format: "jwk";
     }
     interface JsonWebKey {
-        crv?: string | undefined;
-        d?: string | undefined;
-        dp?: string | undefined;
-        dq?: string | undefined;
-        e?: string | undefined;
-        k?: string | undefined;
-        kty?: string | undefined;
-        n?: string | undefined;
-        p?: string | undefined;
-        q?: string | undefined;
-        qi?: string | undefined;
-        x?: string | undefined;
-        y?: string | undefined;
+        crv?: string;
+        d?: string;
+        dp?: string;
+        dq?: string;
+        e?: string;
+        k?: string;
+        kty?: string;
+        n?: string;
+        p?: string;
+        q?: string;
+        qi?: string;
+        x?: string;
+        y?: string;
         [key: string]: unknown;
     }
     interface AsymmetricKeyDetails {
         /**
          * Key size in bits (RSA, DSA).
          */
-        modulusLength?: number | undefined;
+        modulusLength?: number;
         /**
          * Public exponent (RSA).
          */
-        publicExponent?: bigint | undefined;
+        publicExponent?: bigint;
         /**
          * Name of the message digest (RSA-PSS).
          */
-        hashAlgorithm?: string | undefined;
+        hashAlgorithm?: string;
         /**
          * Name of the message digest used by MGF1 (RSA-PSS).
          */
-        mgf1HashAlgorithm?: string | undefined;
+        mgf1HashAlgorithm?: string;
         /**
          * Minimal salt length in bytes (RSA-PSS).
          */
-        saltLength?: number | undefined;
+        saltLength?: number;
         /**
          * Size of q in bits (DSA).
          */
-        divisorLength?: number | undefined;
+        divisorLength?: number;
         /**
          * Name of the curve (EC).
          */
-        namedCurve?: string | undefined;
+        namedCurve?: string;
     }
     /**
      * Node.js uses a `KeyObject` class to represent a symmetric or asymmetric key,
@@ -591,24 +591,14 @@ declare module "crypto" {
          */
         static from(key: webcrypto.CryptoKey): KeyObject;
         /**
-         * For asymmetric keys, this property represents the type of the key. Supported key
-         * types are:
-         *
-         * * `'rsa'` (OID 1.2.840.113549.1.1.1)
-         * * `'rsa-pss'` (OID 1.2.840.113549.1.1.10)
-         * * `'dsa'` (OID 1.2.840.10040.4.1)
-         * * `'ec'` (OID 1.2.840.10045.2.1)
-         * * `'x25519'` (OID 1.3.101.110)
-         * * `'x448'` (OID 1.3.101.111)
-         * * `'ed25519'` (OID 1.3.101.112)
-         * * `'ed448'` (OID 1.3.101.113)
-         * * `'dh'` (OID 1.2.840.113549.1.3.1)
+         * For asymmetric keys, this property represents the type of the key. See the
+         * supported [asymmetric key types](https://nodejs.org/docs/latest-v24.x/api/crypto.html#asymmetric-key-types).
          *
          * This property is `undefined` for unrecognized `KeyObject` types and symmetric
          * keys.
          * @since v11.6.0
          */
-        asymmetricKeyType?: KeyType | undefined;
+        asymmetricKeyType?: KeyType;
         /**
          * This property exists only on asymmetric keys. Depending on the type of the key,
          * this object contains information about the key. None of the information obtained
@@ -622,7 +612,7 @@ declare module "crypto" {
          * Other key details might be exposed via this API using additional attributes.
          * @since v15.7.0
          */
-        asymmetricKeyDetails?: AsymmetricKeyDetails | undefined;
+        asymmetricKeyDetails?: AsymmetricKeyDetails;
         /**
          * For symmetric keys, the following encoding options can be used:
          *
@@ -661,7 +651,7 @@ declare module "crypto" {
          * property is `undefined` for asymmetric keys.
          * @since v11.6.0
          */
-        symmetricKeySize?: number | undefined;
+        symmetricKeySize?: number;
         /**
          * Converts a `KeyObject` instance to a `CryptoKey`.
          * @since 22.10.0
@@ -2456,7 +2446,22 @@ declare module "crypto" {
      * @since v6.6.0
      */
     function timingSafeEqual(a: NodeJS.ArrayBufferView, b: NodeJS.ArrayBufferView): boolean;
-    type KeyType = "rsa" | "rsa-pss" | "dsa" | "ec" | "ed25519" | "ed448" | "x25519" | "x448";
+    type KeyType =
+        | "dh"
+        | "dsa"
+        | "ec"
+        | "ed25519"
+        | "ed448"
+        | "ml-dsa-44"
+        | "ml-dsa-65"
+        | "ml-dsa-87"
+        | "ml-kem-1024"
+        | "ml-kem-512"
+        | "ml-kem-768"
+        | "rsa-pss"
+        | "rsa"
+        | "x25519"
+        | "x448";
     type KeyFormat = "pem" | "der" | "jwk";
     interface BasePrivateKeyEncodingOptions<T extends KeyFormat> {
         format: T;
@@ -2471,6 +2476,8 @@ declare module "crypto" {
     interface ED448KeyPairKeyObjectOptions {}
     interface X25519KeyPairKeyObjectOptions {}
     interface X448KeyPairKeyObjectOptions {}
+    interface MLDSAKeyPairKeyObjectOptions {}
+    interface MLKEMKeyPairKeyObjectOptions {}
     interface ECKeyPairKeyObjectOptions {
         /**
          * Name of the curve to use
@@ -2505,15 +2512,15 @@ declare module "crypto" {
         /**
          * Name of the message digest
          */
-        hashAlgorithm?: string;
+        hashAlgorithm?: string | undefined;
         /**
          * Name of the message digest used by MGF1
          */
-        mgf1HashAlgorithm?: string;
+        mgf1HashAlgorithm?: string | undefined;
         /**
          * Minimal salt length in bytes
          */
-        saltLength?: string;
+        saltLength?: string | undefined;
     }
     interface DSAKeyPairKeyObjectOptions {
         /**
@@ -2556,15 +2563,15 @@ declare module "crypto" {
         /**
          * Name of the message digest
          */
-        hashAlgorithm?: string;
+        hashAlgorithm?: string | undefined;
         /**
          * Name of the message digest used by MGF1
          */
-        mgf1HashAlgorithm?: string;
+        mgf1HashAlgorithm?: string | undefined;
         /**
          * Minimal salt length in bytes
          */
-        saltLength?: string;
+        saltLength?: string | undefined;
         publicKeyEncoding: {
             type: "spki";
             format: PubF;
@@ -2635,13 +2642,31 @@ declare module "crypto" {
             type: "pkcs8";
         };
     }
+    interface MLDSAKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
+        publicKeyEncoding: {
+            type: "spki";
+            format: PubF;
+        };
+        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
+            type: "pkcs8";
+        };
+    }
+    interface MLKEMKeyPairOptions<PubF extends KeyFormat, PrivF extends KeyFormat> {
+        publicKeyEncoding: {
+            type: "spki";
+            format: PubF;
+        };
+        privateKeyEncoding: BasePrivateKeyEncodingOptions<PrivF> & {
+            type: "pkcs8";
+        };
+    }
     interface KeyPairSyncResult<T1 extends string | Buffer, T2 extends string | Buffer> {
         publicKey: T1;
         privateKey: T2;
     }
     /**
      * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
-     * Ed25519, Ed448, X25519, X448, and DH are currently supported.
+     * Ed25519, Ed448, X25519, X448, DH, and ML-DSA are currently supported.
      *
      * If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
      * behaves as if `keyObject.export()` had been called on its result. Otherwise,
@@ -2678,7 +2703,8 @@ declare module "crypto" {
      * When PEM encoding was selected, the respective key will be a string, otherwise
      * it will be a buffer containing the data encoded as DER.
      * @since v10.12.0
-     * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
+     * @param type The asymmetric key type to generate. See the
+     * supported [asymmetric key types](https://nodejs.org/docs/latest-v24.x/api/crypto.html#asymmetric-key-types).
      */
     function generateKeyPairSync(
         type: "rsa",
@@ -2816,6 +2842,46 @@ declare module "crypto" {
         options: X448KeyPairOptions<"der", "der">,
     ): KeyPairSyncResult<Buffer, Buffer>;
     function generateKeyPairSync(type: "x448", options?: X448KeyPairKeyObjectOptions): KeyPairKeyObjectResult;
+    function generateKeyPairSync(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"pem", "pem">,
+    ): KeyPairSyncResult<string, string>;
+    function generateKeyPairSync(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"pem", "der">,
+    ): KeyPairSyncResult<string, Buffer>;
+    function generateKeyPairSync(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"der", "pem">,
+    ): KeyPairSyncResult<Buffer, string>;
+    function generateKeyPairSync(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"der", "der">,
+    ): KeyPairSyncResult<Buffer, Buffer>;
+    function generateKeyPairSync(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options?: MLDSAKeyPairKeyObjectOptions,
+    ): KeyPairKeyObjectResult;
+    function generateKeyPairSync(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"pem", "pem">,
+    ): KeyPairSyncResult<string, string>;
+    function generateKeyPairSync(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"pem", "der">,
+    ): KeyPairSyncResult<string, Buffer>;
+    function generateKeyPairSync(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"der", "pem">,
+    ): KeyPairSyncResult<Buffer, string>;
+    function generateKeyPairSync(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"der", "der">,
+    ): KeyPairSyncResult<Buffer, Buffer>;
+    function generateKeyPairSync(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options?: MLKEMKeyPairKeyObjectOptions,
+    ): KeyPairKeyObjectResult;
     /**
      * Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
      * Ed25519, Ed448, X25519, X448, and DH are currently supported.
@@ -2853,7 +2919,8 @@ declare module "crypto" {
      * If this method is invoked as its `util.promisify()` ed version, it returns
      * a `Promise` for an `Object` with `publicKey` and `privateKey` properties.
      * @since v10.12.0
-     * @param type Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`, `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
+     * @param type The asymmetric key type to generate. See the
+     * supported [asymmetric key types](https://nodejs.org/docs/latest-v24.x/api/crypto.html#asymmetric-key-types).
      */
     function generateKeyPair(
         type: "rsa",
@@ -3055,6 +3122,56 @@ declare module "crypto" {
         options: X448KeyPairKeyObjectOptions | undefined,
         callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
     ): void;
+    function generateKeyPair(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"pem", "pem">,
+        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"pem", "der">,
+        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"der", "pem">,
+        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairOptions<"der", "der">,
+        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+        options: MLDSAKeyPairKeyObjectOptions | undefined,
+        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"pem", "pem">,
+        callback: (err: Error | null, publicKey: string, privateKey: string) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"pem", "der">,
+        callback: (err: Error | null, publicKey: string, privateKey: Buffer) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"der", "pem">,
+        callback: (err: Error | null, publicKey: Buffer, privateKey: string) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairOptions<"der", "der">,
+        callback: (err: Error | null, publicKey: Buffer, privateKey: Buffer) => void,
+    ): void;
+    function generateKeyPair(
+        type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+        options: MLKEMKeyPairKeyObjectOptions | undefined,
+        callback: (err: Error | null, publicKey: KeyObject, privateKey: KeyObject) => void,
+    ): void;
     namespace generateKeyPair {
         function __promisify__(
             type: "rsa",
@@ -3297,11 +3414,78 @@ declare module "crypto" {
             privateKey: Buffer;
         }>;
         function __promisify__(type: "x448", options?: X448KeyPairKeyObjectOptions): Promise<KeyPairKeyObjectResult>;
+        function __promisify__(
+            type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+            options: MLDSAKeyPairOptions<"pem", "pem">,
+        ): Promise<{
+            publicKey: string;
+            privateKey: string;
+        }>;
+        function __promisify__(
+            type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+            options: MLDSAKeyPairOptions<"pem", "der">,
+        ): Promise<{
+            publicKey: string;
+            privateKey: Buffer;
+        }>;
+        function __promisify__(
+            type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+            options: MLDSAKeyPairOptions<"der", "pem">,
+        ): Promise<{
+            publicKey: Buffer;
+            privateKey: string;
+        }>;
+        function __promisify__(
+            type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+            options: MLDSAKeyPairOptions<"der", "der">,
+        ): Promise<{
+            publicKey: Buffer;
+            privateKey: Buffer;
+        }>;
+        function __promisify__(
+            type: "ml-dsa-44" | "ml-dsa-65" | "ml-dsa-87",
+            options?: MLDSAKeyPairKeyObjectOptions,
+        ): Promise<KeyPairKeyObjectResult>;
+        function __promisify__(
+            type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+            options: MLKEMKeyPairOptions<"pem", "pem">,
+        ): Promise<{
+            publicKey: string;
+            privateKey: string;
+        }>;
+        function __promisify__(
+            type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+            options: MLKEMKeyPairOptions<"pem", "der">,
+        ): Promise<{
+            publicKey: string;
+            privateKey: Buffer;
+        }>;
+        function __promisify__(
+            type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+            options: MLKEMKeyPairOptions<"der", "pem">,
+        ): Promise<{
+            publicKey: Buffer;
+            privateKey: string;
+        }>;
+        function __promisify__(
+            type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+            options: MLKEMKeyPairOptions<"der", "der">,
+        ): Promise<{
+            publicKey: Buffer;
+            privateKey: Buffer;
+        }>;
+        function __promisify__(
+            type: "ml-kem-1024" | "ml-kem-512" | "ml-kem-768",
+            options?: MLKEMKeyPairKeyObjectOptions,
+        ): Promise<KeyPairKeyObjectResult>;
     }
     /**
      * Calculates and returns the signature for `data` using the given private key and
      * algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is
-     * dependent upon the key type (especially Ed25519 and Ed448).
+     * dependent upon the key type.
+     *
+     * `algorithm` is required to be `null` or `undefined` for Ed25519, Ed448, and
+     * ML-DSA.
      *
      * If `key` is not a `KeyObject`, this function behaves as if `key` had been
      * passed to {@link createPrivateKey}. If it is an object, the following
@@ -3322,8 +3506,12 @@ declare module "crypto" {
         callback: (error: Error | null, data: Buffer) => void,
     ): void;
     /**
-     * Verifies the given signature for `data` using the given key and algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
-     * key type (especially Ed25519 and Ed448).
+     * Verifies the given signature for `data` using the given key and algorithm. If
+     * `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
+     * key type.
+     *
+     * `algorithm` is required to be `null` or `undefined` for Ed25519, Ed448, and
+     * ML-DSA.
      *
      * If `key` is not a `KeyObject`, this function behaves as if `key` had been
      * passed to {@link createPublicKey}. If it is an object, the following
@@ -3351,9 +3539,37 @@ declare module "crypto" {
         callback: (error: Error | null, result: boolean) => void,
     ): void;
     /**
-     * Computes the Diffie-Hellman secret based on a `privateKey` and a `publicKey`.
-     * Both keys must have the same `asymmetricKeyType`, which must be one of `'dh'`
-     * (for Diffie-Hellman), `'ec'`, `'x448'`, or `'x25519'` (for ECDH).
+     * Key decapsulation using a KEM algorithm with a private key.
+     *
+     * Supported key types and their KEM algorithms are:
+     *
+     * * `'rsa'` RSA Secret Value Encapsulation
+     * * `'ec'` DHKEM(P-256, HKDF-SHA256), DHKEM(P-384, HKDF-SHA256), DHKEM(P-521, HKDF-SHA256)
+     * * `'x25519'` DHKEM(X25519, HKDF-SHA256)
+     * * `'x448'` DHKEM(X448, HKDF-SHA512)
+     * * `'ml-kem-512'` ML-KEM
+     * * `'ml-kem-768'` ML-KEM
+     * * `'ml-kem-1024'` ML-KEM
+     *
+     * If `key` is not a {@link KeyObject}, this function behaves as if `key` had been
+     * passed to `crypto.createPrivateKey()`.
+     *
+     * If the `callback` function is provided this function uses libuv's threadpool.
+     * @since v24.7.0
+     */
+    function decapsulate(
+        key: KeyLike | PrivateKeyInput | JsonWebKeyInput,
+        ciphertext: ArrayBuffer | NodeJS.ArrayBufferView,
+    ): Buffer;
+    function decapsulate(
+        key: KeyLike | PrivateKeyInput | JsonWebKeyInput,
+        ciphertext: ArrayBuffer | NodeJS.ArrayBufferView,
+        callback: (err: Error, sharedKey: Buffer) => void,
+    ): void;
+    /**
+     * Computes the Diffie-Hellman shared secret based on a `privateKey` and a `publicKey`.
+     * Both keys must have the same `asymmetricKeyType` and must support either the DH or
+     * ECDH operation.
      *
      * If the `callback` function is provided this function uses libuv's threadpool.
      * @since v13.9.0, v12.17.0
@@ -3364,10 +3580,59 @@ declare module "crypto" {
         callback: (err: Error | null, secret: Buffer) => void,
     ): void;
     /**
-     * A utility for creating one-shot hash digests of data. It can be faster than the object-based `crypto.createHash()` when hashing a smaller amount of data
-     * (<= 5MB) that's readily available. If the data can be big or if it is streamed, it's still recommended to use `crypto.createHash()` instead. The `algorithm`
-     * is dependent on the available algorithms supported by the version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc. On recent releases
-     * of OpenSSL, `openssl list -digest-algorithms` will display the available digest algorithms.
+     * Key encapsulation using a KEM algorithm with a public key.
+     *
+     * Supported key types and their KEM algorithms are:
+     *
+     * * `'rsa'` RSA Secret Value Encapsulation
+     * * `'ec'` DHKEM(P-256, HKDF-SHA256), DHKEM(P-384, HKDF-SHA256), DHKEM(P-521, HKDF-SHA256)
+     * * `'x25519'` DHKEM(X25519, HKDF-SHA256)
+     * * `'x448'` DHKEM(X448, HKDF-SHA512)
+     * * `'ml-kem-512'` ML-KEM
+     * * `'ml-kem-768'` ML-KEM
+     * * `'ml-kem-1024'` ML-KEM
+     *
+     * If `key` is not a {@link KeyObject}, this function behaves as if `key` had been
+     * passed to `crypto.createPublicKey()`.
+     *
+     * If the `callback` function is provided this function uses libuv's threadpool.
+     * @since v24.7.0
+     */
+    function encapsulate(key: KeyLike | PublicKeyInput | JsonWebKeyInput): { sharedKey: Buffer; ciphertext: Buffer };
+    function encapsulate(
+        key: KeyLike | PublicKeyInput | JsonWebKeyInput,
+        callback: (err: Error, result: { sharedKey: Buffer; ciphertext: Buffer }) => void,
+    ): void;
+    interface OneShotDigestOptions {
+        /**
+         * Encoding used to encode the returned digest.
+         * @default 'hex'
+         */
+        outputEncoding?: BinaryToTextEncoding | "buffer" | undefined;
+        /**
+         * For XOF hash functions such as 'shake256', the outputLength option
+         * can be used to specify the desired output length in bytes.
+         */
+        outputLength?: number | undefined;
+    }
+    interface OneShotDigestOptionsWithStringEncoding extends OneShotDigestOptions {
+        outputEncoding?: BinaryToTextEncoding | undefined;
+    }
+    interface OneShotDigestOptionsWithBufferEncoding extends OneShotDigestOptions {
+        outputEncoding: "buffer";
+    }
+    /**
+     * A utility for creating one-shot hash digests of data. It can be faster than
+     * the object-based `crypto.createHash()` when hashing a smaller amount of data
+     * (<= 5MB) that's readily available. If the data can be big or if it is streamed,
+     * it's still recommended to use `crypto.createHash()` instead.
+     *
+     * The `algorithm` is dependent on the available algorithms supported by the
+     * version of OpenSSL on the platform. Examples are `'sha256'`, `'sha512'`, etc.
+     * On recent releases of OpenSSL, `openssl list -digest-algorithms` will
+     * display the available digest algorithms.
+     *
+     * If `options` is a string, then it specifies the `outputEncoding`.
      *
      * Example:
      *
@@ -3387,16 +3652,25 @@ declare module "crypto" {
      * console.log(crypto.hash('sha1', Buffer.from(base64, 'base64'), 'buffer'));
      * ```
      * @since v21.7.0, v20.12.0
-     * @param data When `data` is a string, it will be encoded as UTF-8 before being hashed. If a different input encoding is desired for a string input, user
-     *             could encode the string into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing the encoded `TypedArray` into this API instead.
-     * @param [outputEncoding='hex'] [Encoding](https://nodejs.org/docs/latest-v24.x/api/buffer.html#buffers-and-character-encodings) used to encode the returned digest.
+     * @param data When `data` is a string, it will be encoded as UTF-8 before being hashed. If a different
+     * input encoding is desired for a string input, user could encode the string
+     * into a `TypedArray` using either `TextEncoder` or `Buffer.from()` and passing
+     * the encoded `TypedArray` into this API instead.
      */
-    function hash(algorithm: string, data: BinaryLike, outputEncoding?: BinaryToTextEncoding): string;
-    function hash(algorithm: string, data: BinaryLike, outputEncoding: "buffer"): Buffer;
     function hash(
         algorithm: string,
         data: BinaryLike,
-        outputEncoding?: BinaryToTextEncoding | "buffer",
+        options?: OneShotDigestOptionsWithStringEncoding | BinaryToTextEncoding,
+    ): string;
+    function hash(
+        algorithm: string,
+        data: BinaryLike,
+        options: OneShotDigestOptionsWithBufferEncoding | "buffer",
+    ): Buffer;
+    function hash(
+        algorithm: string,
+        data: BinaryLike,
+        options: OneShotDigestOptions | BinaryToTextEncoding | "buffer",
     ): string | Buffer;
     type CipherMode = "cbc" | "ccm" | "cfb" | "ctr" | "ecb" | "gcm" | "ocb" | "ofb" | "stream" | "wrap" | "xts";
     interface CipherInfoOptions {
@@ -3561,23 +3835,23 @@ declare module "crypto" {
         /**
          * @default 'always'
          */
-        subject?: "always" | "default" | "never";
+        subject?: "always" | "default" | "never" | undefined;
         /**
          * @default true
          */
-        wildcards?: boolean;
+        wildcards?: boolean | undefined;
         /**
          * @default true
          */
-        partialWildcards?: boolean;
+        partialWildcards?: boolean | undefined;
         /**
          * @default false
          */
-        multiLabelWildcards?: boolean;
+        multiLabelWildcards?: boolean | undefined;
         /**
          * @default false
          */
-        singleLabelSubdomains?: boolean;
+        singleLabelSubdomains?: boolean | undefined;
     }
     /**
      * Encapsulates an X509 certificate and provides read-only access to
@@ -3679,7 +3953,7 @@ declare module "crypto" {
          * available.
          * @since v15.9.0
          */
-        readonly issuerCertificate?: X509Certificate | undefined;
+        readonly issuerCertificate: X509Certificate | undefined;
         /**
          * The public key `KeyObject` for this certificate.
          * @since v15.6.0
@@ -3971,6 +4245,130 @@ declare module "crypto" {
      * @return Returns `typedArray`.
      */
     function getRandomValues<T extends webcrypto.BufferSource>(typedArray: T): T;
+    type Argon2Algorithm = "argon2d" | "argon2i" | "argon2id";
+    interface Argon2Parameters {
+        /**
+         * REQUIRED, this is the password for password hashing applications of Argon2.
+         */
+        message: string | ArrayBuffer | NodeJS.ArrayBufferView;
+        /**
+         * REQUIRED, must be at least 8 bytes long. This is the salt for password hashing applications of Argon2.
+         */
+        nonce: string | ArrayBuffer | NodeJS.ArrayBufferView;
+        /**
+         * REQUIRED, degree of parallelism determines how many computational chains (lanes)
+         * can be run. Must be greater than 1 and less than `2**24-1`.
+         */
+        parallelism: number;
+        /**
+         * REQUIRED, the length of the key to generate. Must be greater than 4 and
+         * less than `2**32-1`.
+         */
+        tagLength: number;
+        /**
+         * REQUIRED, memory cost in 1KiB blocks. Must be greater than
+         * `8 * parallelism` and less than `2**32-1`. The actual number of blocks is rounded
+         * down to the nearest multiple of `4 * parallelism`.
+         */
+        memory: number;
+        /**
+         * REQUIRED, number of passes (iterations). Must be greater than 1 and less
+         * than `2**32-1`.
+         */
+        passes: number;
+        /**
+         * OPTIONAL, Random additional input,
+         * similar to the salt, that should **NOT** be stored with the derived key. This is known as pepper in
+         * password hashing applications. If used, must have a length not greater than `2**32-1` bytes.
+         */
+        secret?: string | ArrayBuffer | NodeJS.ArrayBufferView | undefined;
+        /**
+         * OPTIONAL, Additional data to
+         * be added to the hash, functionally equivalent to salt or secret, but meant for
+         * non-random data. If used, must have a length not greater than `2**32-1` bytes.
+         */
+        associatedData?: string | ArrayBuffer | NodeJS.ArrayBufferView | undefined;
+    }
+    /**
+     * Provides an asynchronous [Argon2](https://www.rfc-editor.org/rfc/rfc9106.html) implementation. Argon2 is a password-based
+     * key derivation function that is designed to be expensive computationally and
+     * memory-wise in order to make brute-force attacks unrewarding.
+     *
+     * The `nonce` should be as unique as possible. It is recommended that a nonce is
+     * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
+     *
+     * When passing strings for `message`, `nonce`, `secret` or `associatedData`, please
+     * consider [caveats when using strings as inputs to cryptographic APIs](https://nodejs.org/docs/latest-v24.x/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis).
+     *
+     * The `callback` function is called with two arguments: `err` and `derivedKey`.
+     * `err` is an exception object when key derivation fails, otherwise `err` is
+     * `null`. `derivedKey` is passed to the callback as a `Buffer`.
+     *
+     * An exception is thrown when any of the input arguments specify invalid values
+     * or types.
+     *
+     * ```js
+     * const { argon2, randomBytes } = await import('node:crypto');
+     *
+     * const parameters = {
+     *   message: 'password',
+     *   nonce: randomBytes(16),
+     *   parallelism: 4,
+     *   tagLength: 64,
+     *   memory: 65536,
+     *   passes: 3,
+     * };
+     *
+     * argon2('argon2id', parameters, (err, derivedKey) => {
+     *   if (err) throw err;
+     *   console.log(derivedKey.toString('hex'));  // 'af91dad...9520f15'
+     * });
+     * ```
+     * @since v24.7.0
+     * @param algorithm Variant of Argon2, one of `"argon2d"`, `"argon2i"` or `"argon2id"`.
+     * @experimental
+     */
+    function argon2(
+        algorithm: Argon2Algorithm,
+        parameters: Argon2Parameters,
+        callback: (err: Error | null, derivedKey: Buffer) => void,
+    ): void;
+    /**
+     * Provides a synchronous [Argon2][] implementation. Argon2 is a password-based
+     * key derivation function that is designed to be expensive computationally and
+     * memory-wise in order to make brute-force attacks unrewarding.
+     *
+     * The `nonce` should be as unique as possible. It is recommended that a nonce is
+     * random and at least 16 bytes long. See [NIST SP 800-132](https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf) for details.
+     *
+     * When passing strings for `message`, `nonce`, `secret` or `associatedData`, please
+     * consider [caveats when using strings as inputs to cryptographic APIs](https://nodejs.org/docs/latest-v24.x/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis).
+     *
+     * An exception is thrown when key derivation fails, otherwise the derived key is
+     * returned as a `Buffer`.
+     *
+     * An exception is thrown when any of the input arguments specify invalid values
+     * or types.
+     *
+     * ```js
+     * const { argon2Sync, randomBytes } = await import('node:crypto');
+     *
+     * const parameters = {
+     *   message: 'password',
+     *   nonce: randomBytes(16),
+     *   parallelism: 4,
+     *   tagLength: 64,
+     *   memory: 65536,
+     *   passes: 3,
+     * };
+     *
+     * const derivedKey = argon2Sync('argon2id', parameters);
+     * console.log(derivedKey.toString('hex'));  // 'af91dad...9520f15'
+     * ```
+     * @since v24.7.0
+     * @experimental
+     */
+    function argon2Sync(algorithm: Argon2Algorithm, parameters: Argon2Parameters): Buffer;
     /**
      * A convenient alias for `crypto.webcrypto.subtle`.
      * @since v17.4.0
@@ -3985,21 +4383,30 @@ declare module "crypto" {
     const webcrypto: webcrypto.Crypto;
     namespace webcrypto {
         type BufferSource = ArrayBufferView | ArrayBuffer;
-        type KeyFormat = "jwk" | "pkcs8" | "raw" | "spki";
+        type KeyFormat = "jwk" | "pkcs8" | "raw" | "raw-public" | "raw-secret" | "raw-seed" | "spki";
         type KeyType = "private" | "public" | "secret";
         type KeyUsage =
-            | "decrypt"
-            | "deriveBits"
-            | "deriveKey"
             | "encrypt"
+            | "decrypt"
             | "sign"
-            | "unwrapKey"
             | "verify"
-            | "wrapKey";
+            | "deriveKey"
+            | "deriveBits"
+            | "encapsulateBits"
+            | "decapsulateBits"
+            | "encapsulateKey"
+            | "decapsulateKey"
+            | "wrapKey"
+            | "unwrapKey";
         type AlgorithmIdentifier = Algorithm | string;
         type HashAlgorithmIdentifier = AlgorithmIdentifier;
         type NamedCurve = string;
         type BigInteger = Uint8Array;
+        interface AeadParams extends Algorithm {
+            additionalData?: BufferSource;
+            iv: BufferSource;
+            tagLength: number;
+        }
         interface AesCbcParams extends Algorithm {
             iv: BufferSource;
         }
@@ -4010,6 +4417,8 @@ declare module "crypto" {
         interface AesDerivedKeyParams extends Algorithm {
             length: number;
         }
+        // TODO: remove in next major
+        /** @deprecated Replaced by `AeadParams`. */
         interface AesGcmParams extends Algorithm {
             additionalData?: BufferSource;
             iv: BufferSource;
@@ -4024,6 +4433,14 @@ declare module "crypto" {
         interface Algorithm {
             name: string;
         }
+        interface CShakeParams extends Algorithm {
+            customization?: BufferSource;
+            functionName?: BufferSource;
+            length: number;
+        }
+        interface ContextParams extends Algorithm {
+            context?: BufferSource;
+        }
         interface EcKeyAlgorithm extends KeyAlgorithm {
             namedCurve: NamedCurve;
         }
@@ -4135,22 +4552,15 @@ declare module "crypto" {
              * An error will be thrown if the given `typedArray` is larger than 65,536 bytes.
              * @since v15.0.0
              */
-            getRandomValues<T extends Exclude<NodeJS.TypedArray, Float32Array | Float64Array>>(typedArray: T): T;
+            getRandomValues<T extends Exclude<NodeJS.TypedArray, Float16Array | Float32Array | Float64Array>>(
+                typedArray: T,
+            ): T;
             /**
              * Generates a random {@link https://www.rfc-editor.org/rfc/rfc4122.txt RFC 4122} version 4 UUID.
              * The UUID is generated using a cryptographic pseudorandom number generator.
              * @since v16.7.0
              */
             randomUUID(): UUID;
-            CryptoKey: CryptoKeyConstructor;
-        }
-        // This constructor throws ILLEGAL_CONSTRUCTOR so it should not be newable.
-        interface CryptoKeyConstructor {
-            /** Illegal constructor */
-            (_: { readonly _: unique symbol }): never; // Allows instanceof to work but not be callable by the user.
-            readonly length: 0;
-            readonly name: "CryptoKey";
-            readonly prototype: CryptoKey;
         }
         /**
          * @since v15.0.0
@@ -4205,10 +4615,50 @@ declare module "crypto" {
              */
             publicKey: CryptoKey;
         }
+        interface EncapsulatedBits {
+            sharedKey: ArrayBuffer;
+            ciphertext: ArrayBuffer;
+        }
+        interface EncapsulatedKey {
+            sharedKey: CryptoKey;
+            ciphertext: ArrayBuffer;
+        }
         /**
          * @since v15.0.0
          */
         interface SubtleCrypto {
+            /**
+             * The algorithms currently supported include:
+             *
+             * * `'ML-KEM-512'`
+             * * `'ML-KEM-768'`
+             * * `'ML-KEM-1024'`
+             * @since v24.7.0
+             * @returns Fulfills with `ArrayBuffer` upon success.
+             */
+            decapsulateBits(
+                decapsulationAlgorithm: AlgorithmIdentifier,
+                decapsulationKey: CryptoKey,
+                ciphertext: BufferSource,
+            ): Promise<ArrayBuffer>;
+            /**
+             * The algorithms currently supported include:
+             *
+             * * `'ML-KEM-512'`
+             * * `'ML-KEM-768'`
+             * * `'ML-KEM-1024'`
+             * @since v24.7.0
+             * @param usages See [Key usages](https://nodejs.org/docs/latest-v24.x/api/webcrypto.html#cryptokeyusages).
+             * @returns Fulfills with `CryptoKey` upon success.
+             */
+            decapsulateKey(
+                decapsulationAlgorithm: AlgorithmIdentifier,
+                decapsulationKey: CryptoKey,
+                ciphertext: BufferSource,
+                sharedKeyAlgorithm: AlgorithmIdentifier | HmacImportParams | AesDerivedKeyParams,
+                extractable: boolean,
+                usages: KeyUsage[],
+            ): Promise<CryptoKey>;
             /**
              * Using the method and parameters specified in `algorithm` and the keying material provided by `key`,
              * `subtle.decrypt()` attempts to decipher the provided `data`. If successful,
@@ -4216,14 +4666,16 @@ declare module "crypto" {
              *
              * The algorithms currently supported include:
              *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
+             * * `'AES-CBC'`
+             * * `'AES-CTR'`
+             * * `'AES-GCM'`
+             * * `'AES-OCB'`
+             * * `'ChaCha20-Poly1305'`
+             * * `'RSA-OAEP'`
              * @since v15.0.0
              */
             decrypt(
-                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
                 key: CryptoKey,
                 data: BufferSource,
             ): Promise<ArrayBuffer>;
@@ -4237,11 +4689,11 @@ declare module "crypto" {
              *
              * The algorithms currently supported include:
              *
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * - `'HKDF'`
-             * - `'PBKDF2'`
+             * * `'ECDH'`
+             * * `'HKDF'`
+             * * `'PBKDF2'`
+             * * `'X25519'`
+             * * `'X448'`
              * @since v15.0.0
              */
             deriveBits(
@@ -4263,11 +4715,11 @@ declare module "crypto" {
              *
              * The algorithms currently supported include:
              *
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * - `'HKDF'`
-             * - `'PBKDF2'`
+             * * `'ECDH'`
+             * * `'HKDF'`
+             * * `'PBKDF2'`
+             * * `'X25519'`
+             * * `'X448'`
              * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
              * @since v15.0.0
              */
@@ -4284,15 +4736,50 @@ declare module "crypto" {
              *
              * If `algorithm` is provided as a `<string>`, it must be one of:
              *
-             * - `'SHA-1'`
-             * - `'SHA-256'`
-             * - `'SHA-384'`
-             * - `'SHA-512'`
+             * * `'cSHAKE128'`
+             * * `'cSHAKE256'`
+             * * `'SHA-1'`
+             * * `'SHA-256'`
+             * * `'SHA-384'`
+             * * `'SHA-512'`
+             * * `'SHA3-256'`
+             * * `'SHA3-384'`
+             * * `'SHA3-512'`
              *
              * If `algorithm` is provided as an `<Object>`, it must have a `name` property whose value is one of the above.
              * @since v15.0.0
              */
-            digest(algorithm: AlgorithmIdentifier, data: BufferSource): Promise<ArrayBuffer>;
+            digest(algorithm: AlgorithmIdentifier | CShakeParams, data: BufferSource): Promise<ArrayBuffer>;
+            /**
+             * The algorithms currently supported include:
+             *
+             * * `'ML-KEM-512'`
+             * * `'ML-KEM-768'`
+             * * `'ML-KEM-1024'`
+             * @since v24.7.0
+             * @returns Fulfills with `EncapsulatedBits` upon success.
+             */
+            encapsulateBits(
+                encapsulationAlgorithm: AlgorithmIdentifier,
+                encapsulationKey: CryptoKey,
+            ): Promise<EncapsulatedBits>;
+            /**
+             * The algorithms currently supported include:
+             *
+             * * `'ML-KEM-512'`
+             * * `'ML-KEM-768'`
+             * * `'ML-KEM-1024'`
+             * @since v24.7.0
+             * @param usages See [Key usages](https://nodejs.org/docs/latest-v24.x/api/webcrypto.html#cryptokeyusages).
+             * @returns Fulfills with `EncapsulatedKey` upon success.
+             */
+            encapsulateKey(
+                encapsulationAlgorithm: AlgorithmIdentifier,
+                encapsulationKey: CryptoKey,
+                sharedKeyAlgorithm: AlgorithmIdentifier | HmacImportParams | AesDerivedKeyParams,
+                extractable: boolean,
+                usages: KeyUsage[],
+            ): Promise<EncapsulatedKey>;
             /**
              * Using the method and parameters specified by `algorithm` and the keying material provided by `key`,
              * `subtle.encrypt()` attempts to encipher `data`. If successful,
@@ -4300,14 +4787,16 @@ declare module "crypto" {
              *
              * The algorithms currently supported include:
              *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
+             * * `'AES-CBC'`
+             * * `'AES-CTR'`
+             * * `'AES-GCM'`
+             * * `'AES-OCB'`
+             * * `'ChaCha20-Poly1305'`
+             * * `'RSA-OAEP'`
              * @since v15.0.0
              */
             encrypt(
-                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                algorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
                 key: CryptoKey,
                 data: BufferSource,
             ): Promise<ArrayBuffer>;
@@ -4321,35 +4810,45 @@ declare module "crypto" {
              *
              * When `format` is `'jwk'` and the export is successful, the returned promise will be resolved with a
              * JavaScript object conforming to the {@link https://tools.ietf.org/html/rfc7517 JSON Web Key} specification.
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, `'jwk'`, `'raw-secret'`,
+             * `'raw-public'`, or `'raw-seed'`.
              * @returns `<Promise>` containing `<ArrayBuffer>`.
              * @since v15.0.0
              */
             exportKey(format: "jwk", key: CryptoKey): Promise<JsonWebKey>;
             exportKey(format: Exclude<KeyFormat, "jwk">, key: CryptoKey): Promise<ArrayBuffer>;
             /**
-             * Using the method and parameters provided in `algorithm`,
-             * `subtle.generateKey()` attempts to generate new keying material.
-             * Depending the method used, the method may generate either a single `<CryptoKey>` or a `<CryptoKeyPair>`.
+             * Using the method and parameters provided in `algorithm`, `subtle.generateKey()`
+             * attempts to generate new keying material. Depending the method used, the method
+             * may generate either a single `CryptoKey` or a `CryptoKeyPair`.
              *
-             * The `<CryptoKeyPair>` (public and private key) generating algorithms supported include:
+             * The `CryptoKeyPair` (public and private key) generating algorithms supported
+             * include:
              *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'RSA-OAEP'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * The `<CryptoKey>` (secret key) generating algorithms supported include:
+             * * `'ECDH'`
+             * * `'ECDSA'`
+             * * `'Ed25519'`
+             * * `'Ed448'`
+             * * `'ML-DSA-44'`
+             * * `'ML-DSA-65'`
+             * * `'ML-DSA-87'`
+             * * `'ML-KEM-512'`
+             * * `'ML-KEM-768'`
+             * * `'ML-KEM-1024'`
+             * * `'RSA-OAEP'`
+             * * `'RSA-PSS'`
+             * * `'RSASSA-PKCS1-v1_5'`
+             * * `'X25519'`
+             * * `'X448'`
              *
-             * - `'HMAC'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
+             * The {CryptoKey} (secret key) generating algorithms supported include:
+             * * `'AES-CBC'`
+             * * `'AES-CTR'`
+             * * `'AES-GCM'`
+             * * `'AES-KW'`
+             * * `'AES-OCB'`
+             * * `'ChaCha20-Poly1305'`
+             * * `'HMAC'`
              * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
              * @since v15.0.0
              */
@@ -4368,13 +4867,22 @@ declare module "crypto" {
                 extractable: boolean,
                 keyUsages: KeyUsage[],
             ): Promise<CryptoKeyPair | CryptoKey>;
+            /**
+             * Derives the public key from a given private key.
+             * @since v24.7.0
+             * @param key A private key from which to derive the corresponding public key.
+             * @param keyUsages See [Key usages](https://nodejs.org/docs/latest-v24.x/api/webcrypto.html#cryptokeyusages).
+             * @returns Fulfills with a `CryptoKey` upon success.
+             */
+            getPublicKey(key: CryptoKey, keyUsages: KeyUsage[]): Promise<CryptoKey>;
             /**
              * The `subtle.importKey()` method attempts to interpret the provided `keyData` as the given `format`
              * to create a `<CryptoKey>` instance using the provided `algorithm`, `extractable`, and `keyUsages` arguments.
              * If the import is successful, the returned promise will be resolved with the created `<CryptoKey>`.
              *
              * If importing a `'PBKDF2'` key, `extractable` must be `false`.
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, `'jwk'`, `'raw-secret'`,
+             * `'raw-public'`, or `'raw-seed'`.
              * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
              * @since v15.0.0
              */
@@ -4409,16 +4917,19 @@ declare module "crypto" {
              *
              * The algorithms currently supported include:
              *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'HMAC'`
+             * * `'ECDSA'`
+             * * `'Ed25519'`
+             * * `'Ed448'`
+             * * `'HMAC'`
+             * * `'ML-DSA-44'`
+             * * `'ML-DSA-65'`
+             * * `'ML-DSA-87'`
+             * * `'RSA-PSS'`
+             * * `'RSASSA-PKCS1-v1_5'`
              * @since v15.0.0
              */
             sign(
-                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
+                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params | ContextParams,
                 key: CryptoKey,
                 data: BufferSource,
             ): Promise<ArrayBuffer>;
@@ -4431,29 +4942,40 @@ declare module "crypto" {
              *
              * The wrapping algorithms currently supported include:
              *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
+             * * `'AES-CBC'`
+             * * `'AES-CTR'`
+             * * `'AES-GCM'`
+             * * `'AES-KW'`
+             * * `'AES-OCB'`
+             * * `'ChaCha20-Poly1305'`
+             * * `'RSA-OAEP'`
              *
              * The unwrapped key algorithms supported include:
              *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'RSA-OAEP'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'ECDH'`
-             * - `'X25519'`
-             * - `'X448'`
-             * - `'HMAC'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * * `'AES-CBC'`
+             * * `'AES-CTR'`
+             * * `'AES-GCM'`
+             * * `'AES-KW'`
+             * * `'AES-OCB'`
+             * * `'ChaCha20-Poly1305'`
+             * * `'ECDH'`
+             * * `'ECDSA'`
+             * * `'Ed25519'`
+             * * `'Ed448'`
+             * * `'HMAC'`
+             * * `'ML-DSA-44'`
+             * * `'ML-DSA-65'`
+             * * `'ML-DSA-87'`
+             * * `'ML-KEM-512'`
+             * * `'ML-KEM-768'`
+             * * `'ML-KEM-1024'`
+             * * `'RSA-OAEP'`
+             * * `'RSA-PSS'`
+             * * `'RSASSA-PKCS1-v1_5'`
+             * * `'X25519'`
+             * * `'X448'`
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, `'jwk'`, `'raw-secret'`,
+             * `'raw-public'`, or `'raw-seed'`.
              * @param keyUsages See {@link https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages Key usages}.
              * @since v15.0.0
              */
@@ -4461,7 +4983,7 @@ declare module "crypto" {
                 format: KeyFormat,
                 wrappedKey: BufferSource,
                 unwrappingKey: CryptoKey,
-                unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                unwrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
                 unwrappedKeyAlgorithm:
                     | AlgorithmIdentifier
                     | RsaHashedImportParams
@@ -4478,16 +5000,19 @@ declare module "crypto" {
              *
              * The algorithms currently supported include:
              *
-             * - `'RSASSA-PKCS1-v1_5'`
-             * - `'RSA-PSS'`
-             * - `'ECDSA'`
-             * - `'Ed25519'`
-             * - `'Ed448'`
-             * - `'HMAC'`
+             * * `'ECDSA'`
+             * * `'Ed25519'`
+             * * `'Ed448'`[^secure-curves]
+             * * `'HMAC'`
+             * * `'ML-DSA-44'`
+             * * `'ML-DSA-65'`
+             * * `'ML-DSA-87'`
+             * * `'RSA-PSS'`
+             * * `'RSASSA-PKCS1-v1_5'`
              * @since v15.0.0
              */
             verify(
-                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params,
+                algorithm: AlgorithmIdentifier | RsaPssParams | EcdsaParams | Ed448Params | ContextParams,
                 key: CryptoKey,
                 signature: BufferSource,
                 data: BufferSource,
@@ -4502,30 +5027,25 @@ declare module "crypto" {
              *
              * The wrapping algorithms currently supported include:
              *
-             * - `'RSA-OAEP'`
-             * - `'AES-CTR'`
-             * - `'AES-CBC'`
-             * - `'AES-GCM'`
-             * - `'AES-KW'`
-             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+             * * `'AES-CBC'`
+             * * `'AES-CTR'`
+             * * `'AES-GCM'`
+             * * `'AES-KW'`
+             * * `'AES-OCB'`
+             * * `'ChaCha20-Poly1305'`
+             * * `'RSA-OAEP'`
+             * @param format Must be one of `'raw'`, `'pkcs8'`, `'spki'`, `'jwk'`, `'raw-secret'`,
+             * `'raw-public'`, or `'raw-seed'`.
              * @since v15.0.0
              */
             wrapKey(
                 format: KeyFormat,
                 key: CryptoKey,
                 wrappingKey: CryptoKey,
-                wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AesGcmParams,
+                wrapAlgorithm: AlgorithmIdentifier | RsaOaepParams | AesCtrParams | AesCbcParams | AeadParams,
             ): Promise<ArrayBuffer>;
         }
     }
-
-    global {
-        var crypto: typeof globalThis extends {
-            crypto: infer T;
-            onmessage: any;
-        } ? T
-            : webcrypto.Crypto;
-    }
 }
 declare module "node:crypto" {
     export * from "crypto";