Skip to content

build: update node.js to v14.17.3

Common Ground Bot requested to merge renovate/node-14.x into master

This MR contains the following updates:

Package Type Update Change
node final minor 14.16.1-alpine -> 14.17.3-alpine
node stage minor 14.16.1-alpine -> 14.17.3-alpine

Release Notes

nodejs/node

v14.17.3

Compare Source

Notable Changes

Node.js 14.17.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.

Commits

v14.17.2

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
    • Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
  • CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
    • Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
Commits

v14.17.1

Compare Source

Notable Changes
Commits

v14.17.0

Compare Source

Notable Changes
Diagnostics channel (experimental module)

diagnostics_channel is a new experimental module that provides an API to create named channels to report arbitrary message data for diagnostics purposes.

The module was initially introduced in Node.js v15.1.0 and is backported to v14.17.0 to enable testing it at a larger scale.

With diagnostics_channel, Node.js core and module authors can publish contextual data about what they are doing at a given time. This could be the hostname and query string of a mysql query, for example. Just create a named channel with dc.channel(name) and call channel.publish(data) to send the data to any listeners to that channel.

const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');

MySQL.prototype.query = function query(queryString, values, callback) {
  // Broadcast query information whenever a query is made
  channel.publish({
    query: queryString,
    host: this.hostname,
  });

  this.doQuery(queryString, values, callback);
};

Channels are like one big global event emitter but are split into separate objects to ensure they get the best performance. If nothing is listening to the channel, the publishing overhead should be as close to zero as possible. Consuming channel data is as easy as using channel.subscribe(listener) to run a function whenever a message is published to that channel.

const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');

channel.subscribe(({ query, host }) => {
  console.log(`mysql query to ${host}: ${query}`);
});

The data captured can be used to provide context for what an app is doing at a given time. This can be used for things like augmenting tracing data, tracking network and filesystem activity, logging queries, and many other things. It's also a very useful data source for diagnostics tools to provide a clearer picture of exactly what the application is doing at a given point in the data they are presenting.

Contributed by Stephen Belanger #​34895.

UUID support in the crypto module

The new crypto.randomUUID() method now allows to generate random RFC 4122 Version 4 UUID strings:

const { randomUUID } = require('crypto');

console.log(randomUUID());
// 'aa7c91a1-f8fc-4339-b9db-f93fc7233429'

Contributed by James M Snell #​36729.

Experimental support for AbortController and AbortSignal

Node.js 14.17.0 adds experimental partial support for AbortController and AbortSignal.

Both constructors can be enabled globally using the --experimental-abortcontroller flag.

Additionally, several Node.js APIs have been updated to support AbortSignal for cancellation. It is not mandatory to use the built-in constructors with them. Any spec-compliant third-party alternatives should be compatible.

AbortSignal support was added to the following methods:

  • child_process.exec
  • child_process.execFile
  • child_process.fork
  • child_process.spawn
  • dgram.createSocket
  • events.on
  • events.once
  • fs.readFile
  • fs.watch
  • fs.writeFile
  • http.request
  • https.request
  • http2Session.request
  • The promisified variants of setImmediate and setTimeout
Other notable changes
  • doc:
    • revoke deprecation of legacy url, change status to legacy (James M Snell) #​37784
    • add legacy status to stability index (James M Snell) #​37784
    • upgrade stability status of report API (Gireesh Punathil) #​35654
  • deps:
    • V8: Backport various patches for Apple Silicon support (BoHong Li) #​38051
    • update ICU to 68.1 (Michaël Zasso) #​36187
    • upgrade to libuv 1.41.0 (Colin Ihrig) #​37360
  • http:
    • add http.ClientRequest.getRawHeaderNames() (simov) #​37660
    • report request start and end with diagnostics_channel (Stephen Belanger) #​34895
  • util:
    • add getSystemErrorMap() impl (eladkeyshawn) #​38101
Commits

Configuration

📅 Schedule: "after 10pm every weekday,before 5am every weekday,every weekend" (UTC).

🚦 Automerge: Enabled.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

  • If you want to rebase/retry this MR, check this box.

This MR has been generated by Renovate Bot.

Edited by Common Ground Bot

Merge request reports