Update Node.js to v18.20.5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node	final	minor	18.6.0-alpine -> 18.20.5-alpine

---

Release Notes

nodejs/node (node)

v18.20.5: 2024-11-12, Version 18.20.5 'Hydrogen' (LTS), @​aduh95

Compare Source

Notable Changes

• [ac37e554a5] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #​55333

Commits

• [c2e6a8f215] - benchmark: fix napi/ref addon (Michaël Zasso) #​53233
• [4c2e07aaac] - build: pin doc workflow to Node.js 20 (Richard Lau) #​55755
• [6ba4ebd060] - build: fix build with Python 3.12 (Luigi Pinca) #​50582
• [c50f01399e] - crypto: ensure invalid SubtleCrypto JWK data import results in DataError (Filip Skokan) #​55041
• [5c46782137] - crypto: make deriveBits length parameter optional and nullable (Filip Skokan) #​53601
• [6e7274fa53] - crypto: reject dh,x25519,x448 in {Sign,Verify}Final (Huáng Jùnliàng) #​53774
• [d2442044db] - crypto: reject Ed25519/Ed448 in Sign/Verify prototypes (Filip Skokan) #​52340
• [93670de499] - deps: upgrade npm to 10.8.2 (npm team) #​53799
• [8531c95587] - deps: upgrade npm to 10.8.1 (npm team) #​53207
• [fd9933ea0f] - deps: upgrade npm to 10.8.0 (npm team) #​53014
• [03852495d7] - deps: update simdutf to 5.6.0 (Node.js GitHub Bot) #​55379
• [3597be4146] - deps: update simdutf to 5.5.0 (Node.js GitHub Bot) #​54434
• [52d2c03738] - deps: update simdutf to 5.3.4 (Node.js GitHub Bot) #​54312
• [dd882ac483] - deps: update simdutf to 5.3.1 (Node.js GitHub Bot) #​54196
• [5fb8e1b428] - deps: update simdutf to 5.3.0 (Node.js GitHub Bot) #​53837
• [c952fd886d] - deps: update simdutf to 5.2.8 (Node.js GitHub Bot) #​52727
• [a1ae050ed5] - deps: update simdutf to 5.2.6 (Node.js GitHub Bot) #​52727
• [96ec48da7f] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #​50804
• [11242bcfb4] - deps: update zlib to 1.3.0.1-motley-71660e1 (Node.js GitHub Bot) #​53464
• [64f98a9869] - deps: update zlib to 1.3.0.1-motley-c2469fd (Node.js GitHub Bot) #​53464
• [4b815550e0] - deps: update zlib to 1.3.0.1-motley-68e57e6 (Node.js GitHub Bot) #​53464
• [f6b2f68ce7] - deps: update zlib to 1.3.0.1-motley-8b7eff8 (Node.js GitHub Bot) #​53464
• [e151ebef86] - deps: update zlib to 1.3.0.1-motley-e432200 (Node.js GitHub Bot) #​53464
• [637a306e02] - deps: update zlib to 1.3.0.1-motley-887bb57 (Node.js GitHub Bot) #​53464
• [569a739569] - deps: update zlib to 1.3.0.1-motley-209717d (Node.js GitHub Bot) #​53156
• [033f1e2ba5] - deps: update zlib to 1.3.0.1-motley-4f653ff (Node.js GitHub Bot) #​53052
• [aaa857fc01] - deps: update ada to 2.8.0 (Node.js GitHub Bot) #​53254
• [d577321877] - deps: update acorn to 8.13.0 (Node.js GitHub Bot) #​55558
• [55b3c8a41f] - deps: update acorn-walk to 8.3.4 (Node.js GitHub Bot) #​54950
• [50a9456f1e] - deps: update acorn-walk to 8.3.3 (Node.js GitHub Bot) #​53466
• [f56cfe776b] - deps: update acorn to 8.12.1 (Node.js GitHub Bot) #​53465
• [fce3ab686d] - deps: update archs files for openssl-3.0.15+quic1 (Node.js GitHub Bot) #​55184
• [46c782486e] - deps: upgrade openssl sources to quictls/openssl-3.0.15+quic1 (Node.js GitHub Bot) #​55184
• [4a18581dc3] - deps: update corepack to 0.29.4 (Node.js GitHub Bot) #​54845
• [67e98831ab] - deps: update archs files for openssl-3.0.14+quic1 (Node.js GitHub Bot) #​54336
• [c60c6630af] - deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1 (Node.js GitHub Bot) #​54336
• [935a506377] - deps: update corepack to 0.29.3 (Node.js GitHub Bot) #​54072
• [dbdfdd0226] - deps: update corepack to 0.29.2 (Node.js GitHub Bot) #​53838
• [395ee44608] - deps: update corepack to 0.28.2 (Node.js GitHub Bot) #​53253
• [6ba8bc0618] - deps: update c-ares to 1.29.0 (Node.js GitHub Bot) #​53155
• [81c3260cd2] - deps: update corepack to 0.28.1 (Node.js GitHub Bot) #​52946
• [e4739e9aa6] - doc: only apply content-visibility on all.html (Filip Skokan) #​53510
• [4d2ac5d98f] - doc: move release key for Myles Borins (Richard Lau) #​54059
• [1c4decc998] - doc: add release key for aduh95 (Antoine du Hamel) #​55349
• [a4f6f0918f] - doc: add names next to release key bash commands (Aviv Keller) #​52878
• [c679348f83] - errors: use determineSpecificType in more error messages (Antoine du Hamel) #​49580
• [3059262185] - esm: fix broken assertion in legacyMainResolve (Antoine du Hamel) #​55708
• [ac37e554a5] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #​55333
• [84b0ead758] - esm: fix hook name in error message (Bruce MacNaughton) #​50466
• [0092358d00] - http: handle multi-value content-disposition header (Arsalan Ahmad) #​50977
• [d814fe935c] - src: account for OpenSSL unexpected version (Shelley Vohr) #​54038
• [6615fe5db1] - src: fix dynamically linked OpenSSL version (Richard Lau) #​53456
• [d6114cb2e2] - test: fix test when compiled without engine support (Richard Lau) #​53232
• [ac3a39051c] - test: fix test-tls-junk-closes-server (Michael Dawson) #​55089
• [c8520ff7d2] - test: fix OpenSSL version checks (Richard Lau) #​53503
• [9824827937] - test: update tls test to support OpenSSL32 (Michael Dawson) #​55030
• [1a4d497936] - test: adjust tls-set-ciphers for OpenSSL32 (Michael Dawson) #​55016
• [341496a5a2] - test: add asserts to validate test assumptions (Michael Dawson) #​54997
• [37a2f7eaa4] - test: adjust key sizes to support OpenSSL32 (Michael Dawson) #​54972
• [75ff0cdf66] - test: update test to support OpenSSL32 (Michael Dawson) #​54968
• [b097d85dfe] - test: adjust test-tls-junk-server for OpenSSL32 (Michael Dawson) #​54926
• [e9997388a6] - test: adjust tls test for OpenSSL32 (Michael Dawson) #​54909
• [c7de027adb] - test: fix test test-tls-dhe for OpenSSL32 (Michael Dawson) #​54903
• [68156cbae1] - test: fix test-tls-client-mindhsize for OpenSSL32 (Michael Dawson) #​54739
• [d5b73e5683] - test: increase key size for ca2-cert.pem (Michael Dawson) #​54599
• [5316314755] - test: update TLS test for OpenSSL 3.2 (Richard Lau) #​54612
• [a1f0c87859] - test: fix test-tls-client-auth test for OpenSSL32 (Michael Dawson) #​54610
• [e9e3306426] - test: use assert.{s,deepS}trictEqual() (Sonny) #​54208
• [1320fb9475] - test: update TLS trace tests for OpenSSL >= 3.2 (Richard Lau) #​53229
• [cc3cdf7cc0] - test: check against run-time OpenSSL version (Richard Lau) #​53456
• [fc43c6803e] - test: update TLS tests for OpenSSL 3.2 (Richard Lau) #​53384
• [627d3993f0] - test: fix unreliable assumption in js-native-api/test_cannot_run_js (Joyee Cheung) #​51898
• [9f521f456e] - test: update tests for OpenSSL 3.0.14 (Richard Lau) #​53373
• [0fb652eba9] - tools: update gyp-next to v0.16.1 (Michaël Zasso) #​50380
• [fa72b2c2de] - tools: skip ruff on tools/gyp (Michaël Zasso) #​50380

v18.20.4: 2024-07-08, Version 18.20.4 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
• CVE-2024-22020 - Bypass network import restriction via data URL (Medium)

Commits

• [85abedf1ff] - lib,esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522
• [eccd63b865] - src: handle permissive extension on cmd check (RafaelGSS) nodejs-private/node-private#596

v18.20.3: 2024-05-21, Version 18.20.3 'Hydrogen' (LTS), @​richardlau

Compare Source

Notable Changes

This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.

A fix has also been included for compiling Node.js from source with newer versions of Clang.

The list of keys used to sign releases has been synchronized with the current list from the main branch.

Updated dependencies

• acorn updated to 8.11.3.
• acorn-walk updated to 8.3.2.
• ada updated to 2.7.8.
• c-ares updated to 1.28.1.
• corepack updated to 0.28.0.
• nghttp2 updated to 1.61.0.
• ngtcp2 updated to 1.3.0.
• npm updated to 10.7.0. Includes a fix from [email protected] to limit the number of open connections npm/cli#7324.
• simdutf updated to 5.2.4.
• zlib updated to 1.3.0.1-motley-7d77fb7.

Commits

• [0c260e10e7] - deps: update zlib to 1.3.0.1-motley-7d77fb7 (Node.js GitHub Bot) #​52516
• [1152d7f919] - deps: update zlib to 1.3.0.1-motley-24c07df (Node.js GitHub Bot) #​52199
• [755399db9d] - deps: update zlib to 1.3.0.1-motley-24342f6 (Node.js GitHub Bot) #​52123
• [af3e32073b] - deps: update ada to 2.7.8 (Node.js GitHub Bot) #​52517
• [e4ea2db58b] - deps: update c-ares to 1.28.1 (Node.js GitHub Bot) #​52285
• [14e857bea2] - deps: update corepack to 0.28.0 (Node.js GitHub Bot) #​52616
• [7f5dd44ca6] - deps: upgrade npm to 10.7.0 (npm team) #​52767
• [78f84ebb09] - deps: update ngtcp2 to 1.3.0 (Node.js GitHub Bot) #​51796
• [1f489a3753] - deps: update ngtcp2 to 1.2.0 (Node.js GitHub Bot) #​51584
• [3034968225] - deps: update ngtcp2 to 1.1.0 (Node.js GitHub Bot) #​51319
• [1aa9da467f] - deps: add nghttp3/**/.deps to .gitignore (Luigi Pinca) #​51400
• [28c0c78c9a] - deps: update ngtcp2 and nghttp3 (James M Snell) #​51291
• [8fd5a35364] - deps: upgrade npm to 10.5.2 (npm team) #​52458
• [2c53ff31c9] - deps: update acorn-walk to 8.3.2 (Node.js GitHub Bot) #​51457
• [12f28f33c2] - deps: update acorn to 8.11.3 (Node.js GitHub Bot) #​51317
• [dddb7eb3e0] - deps: update acorn-walk to 8.3.1 (Node.js GitHub Bot) #​50457
• [c86550e607] - deps: update acorn-walk to 8.3.0 (Node.js GitHub Bot) #​50457
• [9500817f66] - deps: update acorn to 8.11.2 (Node.js GitHub Bot) #​50460
• [7a8c7b6275] - deps: update ada to 2.7.7 (Node.js GitHub Bot) #​52028
• [b199889943] - deps: update corepack to 0.26.0 (Node.js GitHub Bot) #​52027
• [052b0ba0c6] - deps: upgrade npm to 10.5.1 (npm team) #​52351
• [209823d3af] - deps: update simdutf to 5.2.4 (Node.js GitHub Bot) #​52473
• [5114cbe18a] - deps: update simdutf to 5.2.3 (Yagiz Nizipli) #​52381
• [be30309ea0] - deps: update simdutf to 5.0.0 (Daniel Lemire) #​52138
• [b56f66e250] - deps: update simdutf to 4.0.9 (Node.js GitHub Bot) #​51655
• [a9f3b9d9d1] - deps: update nghttp2 to 1.61.0 (Node.js GitHub Bot) #​52395
• [1b6fa70620] - deps: update nghttp2 to 1.60.0 (Node.js GitHub Bot) #​51948
• [3c9dbbf4d4] - deps: update nghttp2 to 1.59.0 (Node.js GitHub Bot) #​51581
• [e28316da54] - deps: update nghttp2 to 1.58.0 (Node.js GitHub Bot) #​50441
• [678641f470] - deps: V8: cherry-pick d15d49b (Bo Anderson) #​52337
• [1147fee7d9] - doc: remove ableist language from crypto (Jamie King) #​52063
• [5e93eae972] - doc: add release key for marco-ippolito (marco-ippolito) #​52257
• [6689a98488] - http: remove closeIdleConnections function while calling server close (Kumar Rishav) #​52336
• [71616e8a8a] - node-api: make tsfn accept napi_finalize once more (Gabriel Schulhof) #​51801
• [d9d9e62474] - src: avoid draining platform tasks at FreeEnvironment (Chengzhong Wu) #​51290
• [e5fc8ec9fc] - test: skip v8-updates/test-linux-perf (Michaël Zasso) #​49639
• [351ef189ca] - test: v8: Add test-linux-perf-logger test suite (Luke Albao) #​50352
• [5cec2efc31] - test: reduce the number of requests and parsers (Luigi Pinca) #​50240
• [5186e453d9] - test: deflake test-http-regr-gh-2928 (Luigi Pinca) #​49574
• [c60cd67e1c] - test: skip test for dynamically linked OpenSSL (Richard Lau) #​52542

v18.20.2: 2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [6627222409] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564

v18.20.1: 2024-04-03, Version 18.20.1 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

Commits

• [60d24938de] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#577
• [5d4d5848cf] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#558
• [0fb816dbcc] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

v18.20.0: 2024-03-26, Version 18.20.0 'Hydrogen' (LTS), @​richardlau

Compare Source

Notable Changes

Added support for import attributes

Support has been added for import attributes, to replace the old import
assertions syntax. This will aid migration by making the new syntax available
across all currently supported Node.js release lines.

This adds the with keyword which should be used in place of the previous
assert keyword, which will be removed in a future semver-major Node.js
release.

For example,

import "foo" assert { ... }

should be replaced with

import "foo" with { ... }

For more details, see

• #​50134
• #​51622

Contributed by Nicolò Ribaudo in #​51136
and Antoine du Hamel in #​50140.

Doc deprecation for dirent.path

Please use newly added dirent.parentPath instead.

Contributed by Antoine du Hamel in #​50976
and #​51020.

Experimental node-api feature flags

Introduces an experimental feature to segregate finalizers that affect GC state.
A new type called node_api_nogc_env has been introduced as the const version
of napi_env and node_api_nogc_finalize as a variant of napi_finalize that
accepts a node_api_nogc_env as its first argument.

This feature can be turned off by defining
NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT.

Contributed by Gabriel Schulhof in #​50060.

Root certificates updated to NSS 3.98

Certificates added:

• Telekom Security TLS ECC Root 2020
• Telekom Security TLS RSA Root 2023

Certificates removed:

• Security Communication Root CA

Updated dependencies

• ada updated to 2.7.6.
• base64 updated to 0.5.2.
• c-ares updated to 1.27.0.
• corepack updated to 0.25.2.
• ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
• npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
• simdutf8 updated to 4.0.8.
• Timezone updated to 2024a.
• zlib updated to 1.3.0.1-motley-40e35a7.

vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script
stopped hitting the V8 compilation cache after v16.x when support for
importModuleDynamically was added to vm.Script, resulting in a performance
regression that blocked users (in particular Jest users) from upgrading from
v16.x.

The recent fixes allow the compilation cache to be hit again
for vm.Script when --experimental-vm-modules is not used even in the
presence of the importModuleDynamically option, so that users affected by the
performance regression can now upgrade. Ongoing work is also being done to
enable compilation cache support for vm.CompileFunction.

Contributed by Joyee Cheung in #​49950
and #​50137.

Commits

• [c70383b8d4] - build: support Python 3.12 (Shi Pujin) #​50209
• [4b960c3a4a] - build: fix incorrect g++ warning message (Richard Lau) #​51695
• [8fdea67694] - crypto: update root certificates to NSS 3.98 (Node.js GitHub Bot) #​51794
• [812b126dd9] - deps: V8: cherry-pick d90d453 (Michaël Zasso) #​50077
• [9ab8c3db87] - deps: update c-ares to 1.27.0 (Node.js GitHub Bot) #​51846
• [c688680387] - deps: update c-ares to 1.26.0 (Node.js GitHub Bot) #​51582
• [9498ac8a47] - deps: compile c-ares with C11 support (Michaël Zasso) #​51410
• [8fb743642f] - deps: update c-ares to 1.25.0 (Node.js GitHub Bot) #​51385
• [7bea2d7c12] - deps: update zlib to 1.3.0.1-motley-40e35a7 (Node.js GitHub Bot) #​51274
• [57a38c8f75] - deps: update zlib to 1.3.0.1-motley-dd5fc13 (Node.js GitHub Bot) #​51105
• [b0ca084a6b] - deps: update zlib to 1.3-22124f5 (Node.js GitHub Bot) #​50910
• [4b43823f37] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #​50803
• [f0da591812] - deps: update zlib to 1.2.13.1-motley-dfc48fc (Node.js GitHub Bot) #​50456
• [16d28a883a] - deps: update base64 to 0.5.2 (Node.js GitHub Bot) #​51455
• [13a9e81cb6] - deps: update base64 to 0.5.1 (Node.js GitHub Bot) #​50629
• [b4502d3ac5] - deps: update simdutf to 4.0.8 (Node.js GitHub Bot) #​51000
• [183cf8a74a] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #​50772
• [11ba8593ea] - deps: update ada to 2.7.6 (Node.js GitHub Bot) #​51542
• [73a946d55c] - deps: update ada to 2.7.5 (Node.js GitHub Bot) #​51542
• [cc434c1a39] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #​50815
• [3a3808a6ae] - deps: upgrade npm to 10.5.0 (npm team) #​51913
• [c8876d765c] - deps: upgrade npm to 10.3.0 (npm team) #​51431
• [5aec3af460] - deps: update corepack to 0.25.2 (Node.js GitHub Bot) #​51810
• [a593985326] - deps: update corepack to 0.24.1 (Node.js GitHub Bot) #​51459
• [d1a9237bf5] - deps: update corepack to 0.24.0 (Node.js GitHub Bot) #​51318
• [adac0c7a63] - deps: update corepack to 0.23.0 (Node.js GitHub Bot) #​50563
• [4a6f83e32a] - deps: escape Python strings correctly (Michaël Zasso) #​50695
• [c13969e52a] - deps: V8: cherry-pick ea996ad (Nicolò Ribaudo) #​51136
• [6fbf0ba5c3] - deps: V8: cherry-pick a0fd320 (Nicolò Ribaudo) #​51136
• [68fd7516e1] - deps: update timezone to 2024a (Michaël Zasso) #​51723
• [f9b229ebe1] - deps: update icu to 74.2 (Michaël Zasso) #​51723
• [90c73d2eb4] - deps: update timezone to 2023d (Node.js GitHub Bot) #​51461
• [2a2bf57028] - deps: update icu to 74.1 (Node.js GitHub Bot) #​50515
• [425e011e52] - deps: add v8::Object::SetInternalFieldForNodeCore() (Joyee Cheung) #​49874
• [58c70344a2] - deps: V8: cherry-pick 705e374 (Joyee Cheung) #​51004
• [b0e88899e1] - deps: V8: cherry-pick 1fada6b (Joyee Cheung) #​51004
• [d87a810b81] - deps: V8: cherry-pick 3dd9576 (Joyee Cheung) #​51004
• [6d50966876] - deps: V8: cherry-pick 94e8282 (Joyee Cheung) #​51004
• [fafbacdfec] - deps: V8: cherry-pick 9a98f96 (Joyee Cheung) #​51004
• [d4a530ed8d] - deps: V8: cherry-pick 7f5daed (Joyee Cheung) #​51004
• [1ce901b164] - deps: V8: cherry-pick c400af4 (Joyee Cheung) #​51004
• [f232064f35] - doc: fix historical experimental fetch flag (Kenrick) #​51506
• [194ff6a40f] - (SEMVER-MINOR) doc: add deprecation notice to dirent.path (Antoine du Hamel) #​50976
• [0f09267dc6] - (SEMVER-MINOR) doc: deprecate dirent.path (Antoine du Hamel) #​50976
• [8bfb8f5b2f] - doc,crypto: further clarify RSA_PKCS1_PADDING support (Tobias Nießen) #​51799
• [c7baf7b274] - doc,crypto: add changelog and note about disabled RSA_PKCS1_PADDING (Filip Skokan) #​51782
• [a193be3dc2] - esm: use import attributes instead of import assertions (Antoine du Hamel) #​50140
• [26e8f7793e] - (SEMVER-MINOR) fs: introduce dirent.parentPath (Antoine du Hamel) #​50976
• [5b5e5192f7] - lib: fix compileFunction throws range error for negative numbers (Jithil P Ponnan) #​49855
• [7552de6806] - module: fix the leak in SourceTextModule and ContextifySript (Joyee Cheung) #​48510
• [2e05cf1c60] - module: fix leak of vm.SyntheticModule (Joyee Cheung) #​48510
• [a86a2e14a3] - module: use symbol in WeakMap to manage host defined options (Joyee Cheung) #​48510
• [32906ddcac] - node-api: segregate nogc APIs from rest via type system (Gabriel Schulhof) #​50060
• [1aa71c26ff] - node-api: factor out common code into macros (Gabriel Schulhof) #​50664
• [3d0b233f52] - node-api: introduce experimental feature flags (Gabriel Schulhof) #​50991
• [96514a8b9f] - src: iterate on import attributes array correctly (Michaël Zasso) #​50703
• [2c2892bf88] - src: set ModuleWrap internal fields only once (Joyee Cheung) #​49391
• [ff334cb774] - src: cast v8::Object::GetInternalField() return value to v8::Value (Joyee Cheung) #​48943
• [270b519971] - stream: do not defer construction by one microtick (Matteo Collina) #​52005
• [95d7a75084] - test: fix dns test case failures after c-ares update to 1.21.0+ (Brad House) #​50743
• [cd613e5167] - test: handle relative https redirect (Richard Lau) #​51121
• [40f10eafcf] - test: fix internet/test-inspector-help-page (Richard Lau) #​51693
• [5e426511b1] - test: deflake test-vm-contextified-script-leak (Joyee Cheung) #​49710
• [0b156c6d28] - test: use checkIfCollectable in vm leak tests (Joyee Cheung) #​49671
• [1586c11b3c] - test: add checkIfCollectable to test/common/gc.js (Joyee Cheung) #​49671
• [902d8b3d4b] - test: fix flaky http-chunk-extensions-limit test (Ethan Arrowood) #​51943
• [1743d2bdc1] - test: test surrogate pair filenames on windows (Mert Can Altın) #​51800
• [1c1a7ec22d] - test: increase platform timeout zlib-brotli-16gb (Rafael Gonzaga) #​51792
• [931d02fe3e] - test, v8: fix wrong import attributes test (Nicolò Ribaudo) #​52184
• [d9ea6c1f8d] - tls: fix order of setting cipher before setting cert and key (Kumar Rishav) #​50186
• [3184befa2e] - tools: fix update-icu.sh (Michaël Zasso) #​51723
• [06646e11be] - (SEMVER-MINOR) vm: use import attributes instead of import assertions (Antoine du Hamel) #​50141
• [fe66e9d06e] - vm: reject in importModuleDynamically without --experimental-vm-modules (Joyee Cheung) #​50137
• [052e095c6b] - vm: use internal versions of compileFunction and Script (Joyee Cheung) #​50137
• [9f7899ed0a] - vm: unify host-defined option generation in vm.compileFunction (Joyee Cheung) #​50137
• [6291c107d0] - vm: use default HDO when importModuleDynamically is not set (Joyee Cheung) #​49950

v18.19.1: 2024-02-14, Version 18.19.1 'Hydrogen' (LTS), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• npm version 10.2.4

Commits

• [69e0a1dba8] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #​50805
• [d3d357ab09] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [3d27175c42] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #​51614
• [331558b8ab] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [99b77dfb9c] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [6cdc71bff1] - deps: upgrade npm to 10.2.4 (npm team) #​50751
• [911cb33cda] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
• [f48b89689d] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
• [e6b4c105e0] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [97c49076cd] - test: skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #​49621
• [60affdde8e] - tools: add macOS notarization verification step (Ulises Gascón) #​50833
• [ccc676a327] - tools: use macOS keychain to notarize the releases (Ulises Gascón) #​50715
• [31f1ceb380] - tools: remove unused file (Ulises Gascon) #​50622
• [bd5f6fb92a] - tools: add macOS notarization stapler (Ulises Gascón) #​50625
• [4168c4f71b] - tools: improve macOS notarization process output readability (Ulises Gascón) #​50389
• [4622f775aa] - tools: remove unused version function (Ulises Gascón) #​50390
• [b90804b1e7] - win,tools: upgrade Windows signing to smctl (Stefan Stojanovic) #​50956
• [f31d47e135] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

v18.19.0: 2023-11-29, Version 18.19.0 'Hydrogen' (LTS), @​targos

Compare Source

Notable Changes

npm updated to v10

After two months of baking time in Node.js 20, npm 10 is backported, so that all
release lines include a supported version of npm. This release includes npm v10.2.3.

Refer to nodejs/Release#884 for the plan to land npm 10.

ESM and customization hook changes

Leverage loaders when resolving subsequent loaders

Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.

Contributed by Maël Nison in #​43772.

New node:module API register for module customization hooks; new initialize hook

There is a new API register available on node:module to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag --experimental-loader, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling register from the main thread and passing data, including MessageChannel instances.

We encourage users to migrate to an approach that uses --import with register, such as:

node --import ./file-that-calls-register.js ./app.js

Using --import ensures that the customization hooks are registered before any application code runs, even the entry point.

Contributed by João Lenon and Jacob Smith in #​46826, Izaak Schroeder and Jacob Smith in #​48842 and #​48559.

import.meta.resolve unflagged

In ES modules, import.meta.resolve(specifier)
can be used to get an absolute URL string to which specifier resolves, similar
to require.resolve in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

Contributed by Guy Bedford in #​49028.

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default
module system used by Node.js. Input that is already explicitly defined as ES
modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs
file extension or the --input-type flag, is unaffected. What is currently
implicitly CommonJS would instead be interpreted as ES modules under
--experimental-default-type=module:

• String input provided via --eval or STDIN, if --input-type is unspecified.

• Files ending in .js or with no extension, if there is no package.json file
  present in the same folder or any parent folder.

• Files ending in .js or with no extension, if the nearest parent
  package.json field lacks a type field; unless the folder is inside a
  node_modules folder.

In addition, extensionless files are interpreted as Wasm if
--experimental-wasm-modules is passed and the file contains the "magic bytes"
Wasm header.

Contributed by Geoffrey Booth in #​49869.

Other ESM-related changes

• [ed2d46f4cc] - doc: move and rename loaders section (Geoffrey Booth) #​49261
• [92734d4480] - esm: use import attributes instead of import assertions (Antoine du Hamel) #​50140
• [e96f7ef881] - (SEMVER-MINOR) **vm

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Scan Summary

Tool	Critical	High	Medium	Low	Status
Dependency Scan (nodejs)	0	0	1	0	✅
Security Audit for Infrastructure	2	4	1	1	❌

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

[github-actions]

Scan Summary

Tool	Critical	High	Medium	Low	Status
Dependency Scan (universal)	0	2	1	18	✅
Security Audit for Infrastructure	2	4	1	1	❌

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍

[github-actions]

Scan Summary

Tool	Critical	High	Medium	Low	Status
Dependency Scan (universal)	0	2	1	19	✅
Security Audit for Infrastructure	2	4	1	1	❌

Recommendation

Please review the findings from Code scanning alerts before approving this pull request. You can also configure the build rules or add suppressions to customize this bot 👍