The root certificates are currently baked into the binary as PEM - basically base64-encoded binary data.

On startup, node dutifully turns each of the ~140 certifcates into a X509 instance with PEM_read_bio_X509(), which decodes the PEM to DER before passing it to d2i_X509().

You can see where this is going: it's a lot more efficient to store the certificates as DER and pass them to d2i_X509() directly.

One caveat: tls.rootCertificates is documented to be an array of PEM strings. Can be fixed by turning the DER objects into PEM in GetRootCertificates() in src/crypto/crypto_context.cc.