Update dependency node to v18.12.1
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| node (source) | minor |
18.8.0 -> 18.12.1
|
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
Release Notes
nodejs/node
v18.12.1: 2022-11-04, Version 18.12.1 'Hydrogen' (LTS), @juanarbol
This is a security release.
Notable changes
The following CVEs are fixed in this release:
- CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
- CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)
More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.
Commits
- [
39f8a672e3] - deps: update archs files for quictls/openssl-3.0.7+quic nodejs/node#45286 - [
80218127c8] - deps: upgrade openssl sources to quictls/openssl-3.0.7+quic nodejs/node#45286 - [
165342beac] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#354
v18.12.0: 2022-10-25, Version 18.12.0 'Hydrogen' (LTS), @ruyadorno and @RafaelGSS
Notable Changes
This release marks the transition of Node.js 18.x into Long Term Support (LTS) with the codename 'Hydrogen'. The 18.x release line now moves into "Active LTS" and will remain so until October 2023. After that time, it will move into "Maintenance" until end of life in April 2025.
v18.11.0: 2022-10-13, Version 18.11.0 (Current), @danielleadams
Notable changes
watch mode (experimental)
Running in 'watch' mode using node --watch restarts the process when an imported file is changed.
Contributed by Moshe Atlow in #44366
Other notable changes
-
fs:
- (SEMVER-MINOR) add
FileHandle.prototype.readLines(Antoine du Hamel) #42590
- (SEMVER-MINOR) add
-
http:
- (SEMVER-MINOR) add writeEarlyHints function to ServerResponse (Wing) #44180
-
http2:
- (SEMVER-MINOR) make early hints generic (Yagiz Nizipli) #44820
-
lib:
- (SEMVER-MINOR) refactor transferable AbortSignal (flakey5) #44048
-
src:
- (SEMVER-MINOR) add detailed embedder process initialization API (Anna Henningsen) #44121
-
util:
- (SEMVER-MINOR) add default value option to parsearg (Manuel Spigolon) #44631
Commits
- [
27b4b782ce] - benchmark: add vm context global proxy benchmark (Joyee Cheung) #44796 - [
4e82521af1] - bootstrap: update comments in bootstrap/node.js (Joyee Cheung) #44726 - [
725be0ea50] - buffer: initialize TextDecoder once on blob.text() (Yagiz Nizipli) #44787 - [
653c3b1f62] - buffer,lib: update atob to align wpt's base64.json (Khaidi Chu) #43901 - [
37808b3355] - build: convert V8 test JSON to JUnit XML (Keyhan Vakil) #44049 - [
f92871a52b] - build: update timezone-update.yml (Alex) #44717 - [
f85d3471ee] - child_process: remove lookup of undefined property (Colin Ihrig) #44766 - [
2f5f41c315] - (SEMVER-MINOR) cli: add--watch(Moshe Atlow) #44366 - [
7fb9cc70f3] - cluster: use inspector utils (Moshe Atlow) #44592 - [
99a2c16040] - crypto: add causes to applicable webcrypto's OperationError (Filip Skokan) #44890 - [
e0fbba0939] - crypto: use EVP_PKEY_CTX_set_dsa_paramgen_q_bits when available (David Benjamin) #44561 - [
a90386b0a1] - deps: update undici to 5.11.0 (Node.js GitHub Bot) #44929 - [
aa68d40fbf] - deps: update corepack to 0.14.2 (Node.js GitHub Bot) #44775 - [
c892f35815] - deps: V8: fix debug build (Ben Noordhuis) #44392 - [
91514393dc] - dns: support dns module in the snapshot (Joyee Cheung) #44633 - [
ce3cb29319] - doc: add fsPromises.readFile() example (Tierney Cyren) #40237 - [
97df9b84a2] - doc: improve building doc for Android (BuShe Pie) #44888 - [
8c69da893b] - doc: mentioncorepack preparesupports tag or range (Michael Rienstra) #44646 - [
842bc64833] - doc: remove Legacy status from querystring (Rich Trott) #44912 - [
ddb5402f5f] - doc: fix label name in collaborator guide (Rich Trott) #44920 - [
d08b024a3d] - doc: fix typo in Node.js 12 changelog (Lorand Horvath) #42880 - [
b6b9c427c5] - doc: move release keys we don't use anymore in README (Rich Trott) #44899 - [
e92b074b32] - doc: fix grammar in dns docs (#44850) (Colin Ihrig) #44850 - [
780144c339] - doc: remove unnecessary leading commas (Colin Ihrig) #44854 - [
6ae9bc8fbc] - doc: add extra step for reporter pre-approval (Rafael Gonzaga) #44806 - [
ccf31d8bca] - doc: add anchor link for --preserve-symlinks (Kohei Ueno) #44858 - [
7c5c19ee54] - doc: update node prefix require.cache example (Simone Busoli) #44724 - [
2a5bce6318] - doc: include last security release date (Vladimir de Turckheim) #44794 - [
4efaf4265c] - doc: remove "currently" and comma splice from child_process.md (Rich Trott) #44789 - [
3627616b40] - doc,crypto: mark experimental algorithms more visually (Filip Skokan) #44892 - [
3c653cf23a] - doc,crypto: add missing CFRG curve algorithms to supported lists (Filip Skokan) #44876 - [
70f55020d3] - doc,crypto: add null length to crypto.subtle.deriveBits (Filip Skokan) #44876 - [
910fbd0ece] - esm: fix duplicated test (Geoffrey Booth) #44779 - [
bc00f3bde1] - fs: fix opts.filter issue in cp async (Tho) #44922 - [
11d1c23fa0] - (SEMVER-MINOR) fs: addFileHandle.prototype.readLines(Antoine du Hamel) #42590 - [
67fb76519a] - fs: improve promise based readFile performance for big files (Ruben Bridgewater) #44295 - [
dc6379bdc2] - fs: don't hard code name in validatePosition() (Colin Ihrig) #44767 - [
eb19b1e97c] - http: be more aggressive to reply 400, 408 and 431 (ywave620) #44818 - [
4c869c8d9e] - (SEMVER-MINOR) http: add writeEarlyHints function to ServerResponse (Wing) #44180 - [
9c7e66478c] - (SEMVER-MINOR) http2: make early hints generic (Yagiz Nizipli) #44820 - [
3f20e5b15c] - (SEMVER-MINOR) lib: refactor transferable AbortSignal (flakey5) #44048 - [
ada7d82b16] - lib: require JSDoc in internal validators code (Rich Trott) #44896 - [
67eaa303af] - lib: add cause to DOMException (flakey5) #44703 - [
0db86ee98e] - meta: update AUTHORS (Node.js GitHub Bot) #44930 - [
2efe4d985b] - meta: label test.js and test.md with test_runner label (Moshe Atlow) #44863 - [
fd9feb3a6c] - meta: update AUTHORS (Node.js GitHub Bot) #44857 - [
a854bb39c9] - node-api: create reference only when needed (Gerhard Stöbich) #44827 - [
fd5c26b8db] - path: change basename() argument from ext to suffix (Rich Trott) #44774 - [
803fbfb168] - process: fix uid/gid validation to avoid crash (Tobias Nießen) #44910 - [
9f2dd48fc3] - src: remove uid_t/gid_t casts (Tobias Nießen) #44914 - [
3abb607f3a] - src: remove UncheckedMalloc(0) workaround (Tobias Nießen) #44543 - [
0606f9298f] - src: deduplicate setting RSA OAEP label (Tobias Nießen) #44849 - [
daf3152f7e] - src: implement GetDetachedness() in MemoryRetainerNode (Joyee Cheung) #44803 - [
7ca77dd4ef] - src: avoid X509_free in loops in crypto_x509.cc (Tobias Nießen) #44855 - [
781ad96227] - src: use OnScopeLeave instead of multiple free() (Tobias Nießen) #44852 - [
b27b336a7a] - src: remove ParseIP() in cares_wrap.cc (Tobias Nießen) #44771 - [
f99f5d3c01] - (SEMVER-MINOR) src: add detailed embedder process initialization API (Anna Henningsen) #44121 - [
281fd7a09a] - src,stream: improve DoWrite() and Write() (ywave620) #44434 - [
a33cc22bf7] - src,worker: fix race of WorkerHeapSnapshotTaker (ywave620) #44745 - [
f300f197da] - stream: handle enqueuing chunks when a pending BYOB pull request exists (Daeyeon Jeong) #44770 - [
9ac029ea11] - test: bump memory limit for abort fatal error (Danielle Adams) #44984 - [
b9b671f25f] - test: debug watch mode inspect (Moshe Atlow) #44861 - [
2308b71d09] - test: don't clobber RegExp.$_ on startup (Ben Noordhuis) #44864 - [
fe91bebb67] - test: loosen test for negative timestamps intest-fs-stat-date(Livia Medeiros) #44707 - [
a080608552] - test: check--testis disallowed in NODE_OPTIONS (Kohei Ueno) #44846 - [
dc2af265d7] - test: improve lib/internal/source_map/source_map.js coverage (MURAKAMI Masahiko) #42771 - [
60a05d6dea] - test: skip some binding tests on IBMi PASE (Richard Lau) #44810 - [
8dacedaa3d] - test: remove unused variable in addon test (Joyee Cheung) #44809 - [
c54cee1c3f] - test: check server status in test-tls-psk-client (Richard Lau) #44824 - [
ee3c6a4dc5] - test: use async/await in test-debugger-exceptions (pete3249) #44690 - [
9f14625fe5] - test: use async/await in test-debugger-help (Chandana) #44686 - [
8033ad846b] - test: update test-debugger-scripts to use await/async (mmeenapriya) #44692 - [
f4f08be384] - test: use await in test-debugger-invalid-json (Anjana Krishnakumar Vellore) #44689 - [
d2f36169f3] - test: use async/await in test-debugger-random-port-with-inspect-port (Monu-Chaudhary) #44695 - [
ddf029725b] - test: use async/await in test-debugger-heap-profiler (Brinda Ashar) #44693 - [
117f068250] - test: use async/await in test-debugger-auto-resume (samyuktaprabhu) #44675 - [
143c428cae] - test: migrated from Promise chains to Async/Await (Rathi N Das) #44674 - [
e609a3309c] - test: change promises to async/await in test-debugger-backtrace.js (Juliet Zhang) #44677 - [
eeabd23ca6] - test: use async/await in test-debugger-sb-before-load (Hope Olaidé) #44697 - [
5c63d1464e] - test: add extra tests for basename with ext option (Connor Burton) #44772 - [
f8b2d7a059] - test: refactor to async/await (Divya Mohan) #44694 - [
9864bde9ab] - test: modify test-debugger-custom-port.js to use async-await (Priya Shastri) #44680 - [
af30823881] - test: upgrade all 1024 bit RSA keys to 2048 bits (Momtchil Momtchev) #44498 - [
0fb669e31f] - test: update test-debugger-breakpoint-exists.js to use async/await (Archana Kamath) #44682 - [
cca253503e] - test: use async/await in test-debugger-preserve-breaks (poorvitusam) #44696 - [
0b2e8b1681] - test: use async/await in test-debugger-profile (surbhirjain) #44684 - [
4db72a65cf] - test: change the promises to async/await in test-debugger-exec-scope.js (Ankita Khiratkar) #44685 - [
56c9c98963] - test: fix test-runner-inspect (Moshe Atlow) #44620 - [
36227ed862] - test: fix watch mode test flake (Moshe Atlow) #44739 - [
3abd71a0ea] - test: deflake watch mode tests (Moshe Atlow) #44621 - [
0c9f38f2be] - test: split watch mode inspector tests to sequential (Moshe Atlow) #44551 - [
d762a34128] - test_runner: add --test-name-pattern CLI flag (Colin Ihrig) - [
c7ece464a1] - test_runner: remove runtime experimental warning (Colin Ihrig) #44844 - [
3c1e9d41c8] - test_runner: support using--inspectwith--test(Moshe Atlow) #44520 - [
4bdef48732] - tools: remove faulty early termination logic from update-timezone.mjs (Darshan Sen) #44870 - [
19d8574996] - tools: fix timezone update tool (Darshan Sen) #44870 - [
ad8b8ae7d3] - tools: update eslint to 8.25.0 (Node.js GitHub Bot) #44931 - [
fd99b17a4d] - tools: makeutils.SearchFilesdeterministic (Bruno Pitrus) #44496 - [
131adece37] - tools: fix typo in tools/update-authors.mjs (Darshan Sen) #44780 - [
ab22777e65] - tools: refactor deprecated format in no-unescaped-regexp-dot (Madhuri) #44763 - [
3ad0fae89d] - tools: update eslint-check.js to object style (andiemontoyeah) #44706 - [
e9d572a9bd] - tools: update eslint to 8.24.0 (Node.js GitHub Bot) #44778 - [
984b0b4a6c] - tools: update lint-md-dependencies to rollup@2.79.1 (Node.js GitHub Bot) #44776 - [
db5aeed702] - (SEMVER-MINOR) util: add default value option to parsearg (Manuel Spigolon) #44631 - [
576ccdf125] - util: increase robustness with primordials (Jordan Harband) #41212
v18.10.0: 2022-09-28, Version 18.10.0 (Current), @RafaelGSS
Notable changes
- doc:
-
gyp:
- libnode for ios app embedding (chexiongsheng) #44210
-
http:
- (SEMVER-MINOR) throw error on content-length mismatch (sidwebworks) #44588
-
stream:
- (SEMVER-MINOR) add
ReadableByteStream.tee()(Daeyeon Jeong) #44505
- (SEMVER-MINOR) add
Commits
- [
f497368679] - benchmark: fix startup benchmark (Evan Lucas) #44727 - [
0c9a94684e] - benchmark: add stream destroy benchmark (SindreXie) #44533 - [
9c5c1459a8] - bootstrap: clean up inspector console methods during serialization (Joyee Cheung) #44279 - [
19f67dba8a] - bootstrap: remove unused global parameter in per-context scripts (Joyee Cheung) #44472 - [
9da11426f6] - build: remove redundant entry in crypto (Jiawen Geng) #44604 - [
70898b4e67] - build: rewritten the Android build system (BuShe Pie) #44207 - [
a733f7faac] - Revert "build: go faster, drop -fno-omit-frame-pointer" (Ben Noordhuis) #44566 - [
1315a83333] - build: fix bad upstream merge (Stephen Gallagher) #44642 - [
993bd9b134] - crypto: restrict PBKDF2 args to signed int (Tobias Nießen) #44575 - [
ca5fb67b4e] - deps: update to ngtcp2 0.8.1 and nghttp3 0.7.0 (Tobias Nießen) #44622 - [
8da1d6ebc4] - deps: update corepack to 0.14.1 (Node.js GitHub Bot) #44704 - [
d36c4a3088] - deps: update ngtcp2 update instructions (Tobias Nießen) #44619 - [
7129106aa0] - deps: upgrade npm to 8.19.2 (npm team) #44632 - [
3cc8f4bb56] - deps: update to uvwasi 0.0.13 (Colin Ihrig) #44524 - [
4686579d4b] - dns: remove unnecessary parameter from validateOneOf (Yagiz Nizipli) #44635 - [
729dd95f1f] - dns: refactor default resolver (Joyee Cheung) #44541 - [
6dc038262a] - doc: mention git node backport (RafaelGSS) #44764 - [
fd971f5176] - doc: ensure to revert node_version changes (Rafael Gonzaga) #44760 - [
f274b08f8e] - doc: fix description fornapi_get_cb_info()inn-api.md(Daeyeon Jeong) #44761 - [
2502f2353d] - doc: update the deprecation for exit code to clarify its scope (Daeyeon Jeong) #44714 - [
064543d0ae] - doc: update guidance for adding new modules (Michael Dawson) #44576 - [
33a2f17534] - doc: add registry number for Electron 22 (Keeley Hammond) #44748 - [
10a0d75c26] - doc: include code examples for webstreams consumers (Lucas Santos) #44387 - [
4dbe4a010c] - doc: mention where to push security commits (RafaelGSS) #44691 - [
82cb8151ad] - doc: remove extra space on threadpool usage (Connor Burton) #44734 - [
6ef9af2748] - doc: make legacy banner slightly less bright (Rich Trott) #44665 - [
b209c83e66] - doc: improve building doc for Windows Powershell (Brian Muenzenmeyer) #44625 - [
05b17e9250] - doc: maintain only one list of MODP groups (Tobias Nießen) #44644 - [
ec1cbdb69b] - doc: add legendecas to TSC list (Michael Dawson) #44662 - [
9341fb4446] - doc: remove comma in README.md (Taha-Chaudhry) #44599 - [
3dabb44dda] - doc: use serial comma in report docs (Daeyeon Jeong) #44608 - [
226d90a95a] - doc: use serial comma in stream docs (Daeyeon Jeong) #44609 - [
3f710fa636] - doc: remove empty line in YAML block (Claudio Wunder) #44617 - [
4ad1b0abc3] - (SEMVER-MINOR) doc: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) #44588 - [
2d92610525] - doc: remove old OpenSSL ENGINE constants (Tobias Nießen) #44589 - [
03705639c4] - doc: fix heading levels for test runner hooks (Fabian Meyer) #44603 - [
6c557346a7] - doc: fix errors in http.md (Luigi Pinca) #44587 - [
48d944b71c] - doc: fix vm.Script createCachedData example (Chengzhong Wu) #44487 - [
2813323120] - doc: mention how to get commit release (Rafael Gonzaga) #44572 - [
ea7b44d474] - doc: fix link inprocess.md(Antoine du Hamel) #44594 - [
39b65d2fb7] - doc: do not use weak MODP group in example (Tobias Nießen) #44585 - [
f5549afd90] - doc: remove ebpf from supported tooling list (Rafael Gonzaga) #44549 - [
a3360b1f4f] - doc: emphasize that createCipher is never secure (Tobias Nießen) #44538 - [
4e6f7862ba] - doc: document attribute Script.cachedDataRejected (Chengzhong Wu) #44451 - [
01e584ecab] - doc: move policy docs to the permissions scope (Rafael Gonzaga) #44222 - [
57dac53c22] - doc,crypto: cleanup removed pbkdf2 behaviours (Filip Skokan) #44733 - [
c209bd6fb9] - doc,inspector: document changes of inspector.close (Chengzhong Wu) #44628 - [
9b3b7d6978] - esm,loader: tidy ESMLoader internals (Jacob Smith) #44701 - [
daf63d2fa3] - fs: fix typo in mkdir example (SergeyTsukanov) #44791 - [
85ab2f857f] - fs: remove unused option infs.fstatSync()(Livia Medeiros) #44613 - [
a6091f5496] - gyp: libnode for ios app embedding (chexiongsheng) #44210 - [
f158656e4c] - (SEMVER-MINOR) http: throw error on content-length mismatch (sidwebworks) #44378 - [
1b160517f5] - inspector: expose inspector.close on workers (Chengzhong Wu) #44489 - [
a2eb55a2c9] - lib: don't matchsourceMappingURLin strings (Alan Agius) #44658 - [
2baf532518] - lib: fix reference leak (falsandtru) #44499 - [
d8d34ae6bc] - lib: resetRegExpstatics before running user code (Antoine du Hamel) #44247 - [
eb3635184b] - lib,test: fix bug in InternalSocketAddress (Tobias Nießen) #44618 - [
74dc4d198f] - meta: update AUTHORS (Node.js GitHub Bot) #44777 - [
97d2ed7296] - meta: add mailmap entry for dnlup (Rich Trott) #44716 - [
35fbd2cc14] - meta: update AUTHORS (Node.js GitHub Bot) #44705 - [
c5c1bc40a2] - meta: move dnlup to emeriti (dnlup) #44667 - [
c62dfe0427] - meta: update test_runner in label-pr-config (Shrujal Shah) #44615 - [
fe56efd0bc] - meta: update AUTHORS (Node.js GitHub Bot) #44591 - [
4436ffb536] - module: open stat/readPackage to mutations (Maël Nison) #44537 - [
f8ec946c82] - module: exports & imports map invalid slash deprecation (Guy Bedford) #44477 - [
64cb43a2b6] - node-api: add deprecation code of uncaught exception (Chengzhong Wu) #44624 - [
ce1704c2c7] - src: avoid using v8 on Isolate termination (Santiago Gimeno) #44669 - [
3036b85d71] - src: remove <unistd.h> from node_os.cc (Tobias Nießen) #44668 - [
29f57b7899] - src: avoid copy when creating Blob (Tobias Nießen) #44616 - [
75cfb13ea6] - src: make ReqWrap weak (Rafael Gonzaga) #44074 - [
c12abb5ece] - src: make NearHeapLimitCallback() more robust (Joyee Cheung) #44581 - [
81ea507e8e] - src: dump isolate stats when process exits (daomingq) #44534 - [
687844822f] - src: consolidate environment cleanup queue (Chengzhong Wu) #44379 - [
3d42aaaac0] - stream: handle a pending pull request from a released reader (Daeyeon Jeong) #44702 - [
73ad9db6c5] - stream: refactor use es2020 statement (SindreXie) #44533 - [
0af6e420b3] - stream: removeabortReasonfromWritableStreamDefaultController(Daeyeon Jeong) #44540 - [
2f2f8d5821] - (SEMVER-MINOR) stream: addReadableByteStream.tee()(Daeyeon Jeong) #44505 - [
667e8bf3fb] - stream: fixwritableStream.abort()(Daeyeon Jeong) #44327 - [
3112d5dae0] - test: verify napi_remove_wrap with napi_delete_reference (Chengzhong Wu) #44754 - [
b512436841] - test: change promises to async/await (Madhulika Sharma) #44683 - [
858631f720] - test: use async/await in test-debugger-invalid-args (Nupur Chauhan) #44678 - [
6c9ded810c] - test: update test-debugger-low-level to use await/async (Meghana Ramesh) #44688 - [
945aa74e57] - test: check that sysconf returns a positive value (Tobias Nießen) #44666 - [
79f0f48a6f] - test: change promise to async/await in debugger-watcher (“Pooja) #44687 - [
a56cb65bd6] - test: fix addon tests compilation with OpenSSL 1.1.1 (Adam Majer) #44725 - [
8a68a80a06] - test: fix test-performance-measure (smitley) #44637 - [
55de0136b3] - test: improve lib/readline.js coverage (MURAKAMI Masahiko) #42686 - [
a3095d217f] - test: fixtest-replnot validating leaked globals properly (Antoine du Hamel) #44640 - [
7db2974692] - test: ignore stale process cleanup failures on Windows (Joyee Cheung) #44480 - [
6c35f338c3] - test: use python3 instead of python (Luigi Pinca) #44545 - [
20e04c6d44] - test: fix DebugSymbolsTest.ReqWrapList on PPC64LE (Daniel Bevenius) #44341 - [
eb25fe73b0] - test: add more cases for parse-encoding (Tony Gorez) #44427 - [
5ab3bc9419] - test_runner: include stack of uncaught exceptions (Moshe Atlow) #44614 - [
752e1472e1] - tls: fix out-of-bounds read in ClientHelloParser (Tobias Nießen) #44580 - [
0cddb0af99] - tools: add update-llhttp.sh (Paolo Insogna) #44652 - [
ef0dc47df9] - tools: fix typo in update-nghttp2.sh (Luigi Pinca) #44664 - [
0df181a5a1] - tools: add timezone update workflow (Lenvin Gonsalves) #43988 - [
dd4348900d] - tools: update eslint to 8.23.1 (Node.js GitHub Bot) #44639 - [
b9cfb71e12] - tools: update lint-md-dependencies to @rollup/plugin-node-resolve@14.1.0 (Node.js GitHub Bot) #44638 - [
5ae142d7ad] - tools: update gyp-next to v0.13.0 (Jiawen Geng) #44605 - [
5dd86c3faf] - tools: update lint-md-dependencies to @rollup/plugin-node-resolve@14.0.1 (Node.js GitHub Bot) #44590 - [
caad4748cf] - tools: increase timeout of running WPT (Joyee Cheung) #44574 - [
5db9779f14] - tools: fix shebang to use python3 by default (Himself65) #44531 - [
9aa6a560e9] - v8: add setHeapSnapshotNearHeapLimit (theanarkh) #44420 - [
360b74e94f] - win: fix fs.realpath.native for long paths (StefanStojanovic) #44536
v18.9.1: 2022-09-23, Version 18.9.1 (Current), @RafaelGSS
This is a security release.
Notable changes
The following CVEs are fixed in this release:
-
CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
- Insufficient fix for macOS devices on v18.5.0
- CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
-
CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
- Insufficient fix on v18.5.0
-
CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
- Insufficient fix on v18.5.0
- CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
- CVE-2022-35255: Weak randomness in WebCrypto keygen
More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.
llhttp updated to 6.0.10
llhttp is updated to 6.0.10 which includes fixes for the following vulnerabilities.
-
HTTP Request Smuggling - CVE-2022-32213 bypass via obs-fold mechanic (Medium)(CVE-2022-32213 ): The
llhttpparser in thehttpmodule does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). -
HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215): The
llhttpparser in thehttpmodule does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS). -
HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)(CVE-35256): The llhttp parser in the
httpdoes not correctly handle header fields that are not terminated with CLRF. This can lead to HTTP Request Smuggling (HRS).
Commits
- [
0c2a5723be] - crypto: fix weak randomness in WebCrypto keygen (Ben Noordhuis) nodejs-private/node-private# - [
ffb6f4d51d] - deps: MacOS - fix location of OpenSSL config file (Michael Dawson) nodejs-private/node-private#345 - [
01bffcdd93] - http: disable chunked encoding when OBS fold is used (Paolo Insogna) nodejs-private/node-private#341 - [
2c379d341d] - src: fix IPv4 non routable validation (RafaelGSS) nodejs-private/node-private#337
v18.9.0: 2022-09-08, Version 18.9.0 (Current), @RafaelGSS
Notable changes
-
doc
- add daeyeon to collaborators (Daeyeon Jeong) #44355
-
lib
- (SEMVER-MINOR) add diagnostics channel for process and worker (theanarkh) #44045
-
os
- (SEMVER-MINOR) add machine method (theanarkh) #44416
-
report
- (SEMVER-MINOR) expose report public native apis (Chengzhong Wu) #44255
-
src
- (SEMVER-MINOR) expose environment RequestInterrupt api (Chengzhong Wu) #44362
-
vm
- include vm context in the embedded snapshot (Joyee Cheung) #44252
Commits
- [
e27e709d3c] - build: add --libdir flag to configure (Stephen Gallagher) #44361 - [
30da2b4d89] - build: added NINJA env to customize ninja binary (Jeff Dickey) #44293 - [
3c5354869e] - cluster: fix cluster rr distribute error (theanarkh) #44202 - [
5cefd02618] - crypto: handle invalid prepareAsymmetricKey JWK inputs (Filip Skokan) #44475 - [
c868e36385] - crypto: add digest name to INVALID_DIGEST errors (Tobias Nießen) #44468 - [
35cbe1ad85] - crypto: use actual option name in error message (Tobias Nießen) #44455 - [
c3dbe18e4c] - crypto: simplify control flow in HKDF (Tobias Nießen) #44272 - [
28781a1f7e] - crypto: improve RSA-PSS digest error messages (Tobias Nießen) #44307 - [
b1eafe14fd] - debugger: decrease timeout used to wait for the port to be free (Joyee Cheung) #44359 - [
8ef5c40a83] - deps: update corepack to 0.14.0 (Node.js GitHub Bot) #44509 - [
cf19a79dfc] - deps: upgrade npm to 8.19.1 (npm team) #44486 - [
c5630ad1a7] - deps: V8: backportff8d67c(Michaël Zasso) #44423 - [
255e7fbd08] - deps: update Acorn to v8.8.0 (Michaël Zasso) #44437 - [
754d26a53e] - deps: patch V8 to 10.2.154.15 (Michaël Zasso) #44294 - [
1b50ff2600] - deps: update icu tzdata to 2022b (Matías Zúñiga) #44283 - [
1e451dca99] - deps: upgrade llhttp to 6.0.9 (Paolo Insogna) #44344 - [
57da3db522] - deps: update undici to 5.9.1 (Node.js GitHub Bot) #44319 - [
1c87a7e8f6] - doc: add missing parenthesis in TLSSocket section (Tobias Nießen) #44512 - [
05006eddb2] - doc: do not use "Returns:" for crypto.constants (Tobias Nießen) #44481 - [
54b6ed58bc] - doc: use serial comma in addons docs (Tobias Nießen) #44482 - [
11452a97b3] - doc: add --update-assert-snapshot to node.1 (Colin Ihrig) #44429 - [
ae028e8ac3] - doc: improve assert.snapshot() docs (Colin Ihrig) #44429 - [
71c869688a] - doc: add missing imports in events sample code (Brian Evans) #44337 - [
92046e8027] - doc: apply scroll-margin-top to h2, h3 elements (metonym) #44414 - [
3e6cde5931] - doc: fix spacing issue in--build-snapshothelp text (Shohei YOSHIDA) #44435 - [
8e41dbb81b] - doc: mention cherry-pick edge-case on release (RafaelGSS) #44408 - [
cef30f9afc] - doc: note on release guide to updatemainbranch (Ruy Adorno) #44384 - [
21437f7a7f] - doc: fix release guide example consistency (Ruy Adorno) #44385 - [
ed52bd0a18] - doc: fix style of n-api.md (theanarkh) #44377 - [
65c1f4015f] - doc: add history for net.createServer() options (Luigi Pinca) #44326 - [
4a0f750a6c] - doc: add daeyeon to collaborators (Daeyeon Jeong) #44355 - [
8cc5556f76] - doc: fix typo in test runner code examples (Moshe Atlow) #44351 - [
b660b7467d] - doc,worker: document resourceLimits overrides (Keyhan Vakil) #43992 - [
2ed3b30696] - inspector: prevent integer overflow in open() (Tobias Nießen) #44367 - [
b8f08e5e7e] - lib: codify findSourceMap return value when not found (Chengzhong Wu) #44397 - [
a86ef1ba3e] - lib: use safePromisealternatives when available (Antoine du Hamel) #43476 - [
e519ac7842] - meta: update AUTHORS (Node.js GitHub Bot) #44511 - [
c03f28b960] - meta: update AUTHORS (Node.js GitHub Bot) #44422 - [
ef08cbddac] - node-api: avoid calling virtual methods in base's dtor (Chengzhong Wu) #44424 - [
256340197c] - node-api: cleanup redundant static modifiers (Chengzhong Wu) #44301 - [
6714736706] - (SEMVER-MINOR) os: add machine method (theanarkh) #44416 - [
807b1e5533] - report: get stack trace with cross origin contexts (Chengzhong Wu) #44398 - [
b17cc877d0] - report: fix missing section javascriptHeap on OOMError (Chengzhong Wu) #44398 - [
1f23c17ae0] - (SEMVER-MINOR) report: expose report public native apis (Chengzhong Wu) #44255 - [
df259005d9] - report: add queue info for udp (theanarkh) #44345 - [
fc17b808c9] - src: rename misleading arg in ClientHelloParser (Tobias Nießen) #44500 - [
125ab7da2a] - src: improve error handling in CloneSSLCerts (Tobias Nießen) #44410 - [
aa34f7347b] - src: fix incorrect comments in crypto (Tobias Nießen) #44470 - [
18b720805f] - src: avoid casting std::trunc(... / ...) to size_t (Tobias Nießen) #44467 - [
4331bbe2af] - (SEMVER-MINOR) src: expose environment RequestInterrupt api (Chengzhong Wu) #44362 - [
c5413a1146] - src: simplify enable_if logic ofToStringHelper::BaseConvert(Feng Yu) #44306 - [
dcc1cf4f4e] - src: add error handling touv_uptimecall (Juan José Arboleda) #44386 - [
fd611cc272] - src: remove base64_select_table and base64_table (Tobias Nießen) #44425 - [
4776b4767b] - src: fix uv_err_name memory leak (theanarkh) #44421 - [
8db2e66d3a] - src: make Endianness an enum class (Tobias Nießen) #44411 - [
048e440878] - src: fix ssize_t error from nghttp2.h (Darshan Sen) #44393 - [
dc1c95ede3] - src: trace fs async api (theanarkh) #44057 - [
0f4e98ba2c] - src: restore context default IsCodeGenerationFromStringsAllowed value (Chengzhong Wu) #44324 - [
05fb650b54] - src: simplify and optimize GetOpenSSLVersion() (Tobias Nießen) #44395 - [
7f16177f96] - src: useif constexprwhere appropriate (Anna Henningsen) #44291 - [
2be8acad18] - src: simplify ECDH::GetCurves() (Tobias Nießen) #44309 - [
3eb7918f8e] - src: make minor improvements to EnabledDebugList (Tobias Nießen) #44350 - [
88d9566593] - src: remove KeyObjectData::symmetric_key_len_ (Tobias Nießen) #44346 - [
768c9cb872] - src: fix multiple format string bugs (Tobias Nießen) #44314 - [
6857ee8299] - src: make minor improvements to SecureBuffer (Tobias Nießen) #44302 - [
2facf8b8e0] - stream: fix setting abort reason inReadableStream.pipeTo()(Daeyeon Jeong) #44418 - [
65134d696b] - stream: fixReadableStreamReader.releaseLock()(Daeyeon Jeong) #44292 - [
4c33e5d4ce] - test: avoid race in file write stream handle tests (Joyee Cheung) #44380 - [
0d77342a39] - test: style updates for assert.snapshot() (Colin Ihrig) #44429 - [
e36ed44b26] - test: deflake child process exec timeout tests (Joyee Cheung) #44390 - [
0af15c71fb] - test: make the vm timeout escape tests more lenient (Joyee Cheung) #44433 - [
0f071b800e] - test: split heap prof tests (Joyee Cheung) #44388 - [
2dd88b8425] - test: fix multiple incorrect mustNotCall() uses (Tobias Nießen) #44022 - [
4ae1f4990c] - test: split report OOM tests (Joyee Cheung) #44389 - [
3a5fdacdc2] - test: fix WPT runner result (Daeyeon Jeong) #44238 - [
e001aafee3] - test: raise sleep times in child process tests (Joyee Cheung) #44375 - [
8e2dcafc24] - test: remove duplicate test (Luigi Pinca) #44313 - [
c65d7fb1fa] - test: add OpenSSL 3.x providers test (Richard Lau) #44148 - [
11e9d6e173] - test: make tmpdir.js importable from esm (Geoffrey Booth) #44322 - [
a35c2f9ef4] - test_runner: fixduration_msto be milliseconds (Moshe Atlow) #44450 - [
8175c65b4d] - test_runner: support programmatically running--test(Moshe Atlow) #44241 - [
1cdccbc845] - tls: remove SecureContext setFreeListLength (Tobias Nießen) #44300 - [
70399166f3] - tls: use OpenSSL constant for client random size (Tobias Nießen) #44305 - [
6fe189b62a] - tools: update lint-md-dependencies to rollup@2.79.0 (Node.js GitHub Bot) #44510 - [
1e62bb14dd] - tools: fix typo inavoid-prototype-pollutionlint rule (Antoine du Hamel) #44446 - [
78c6827688] - tools: don't use f-strings in test.py (Santiago Gimeno) #44407 - [
443730c419] - tools: update doc to unist-util-visit@4.1.1 (Node.js GitHub Bot) #44370 - [
96df99375e] - tools: update eslint to 8.23.0 (Node.js GitHub Bot) #44419 - [
b6709544e9] - tools: refactoravoid-prototype-pollutionlint rule (Antoine du Hamel) #43476 - [
8b0a4afcae] - tty: fix TypeError when stream is closed (Antoine du Hamel) #43803 - [
c4a45a93f3] - vm: avoid unnecessary property getter interceptor calls (Joyee Cheung) #44252 - [
736a04aa13] - vm: include vm context in the embedded snapshot (Joyee Cheung) #44252 - [
bce827e5d1] - vm: make ContextifyContext template context-independent (Joyee Cheung) #44252
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.