nodejs/node
### [`v14.21.3`](https://togithub.com/nodejs/node/releases/tag/v14.21.3): 2023-02-16, Version 14.21.3 'Fermium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v14.21.2...v14.21.3)
This is a security release.
##### Notable Changes
The following CVEs are fixed in this release:
- **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
- **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
More detailed information on each of the vulnerabilities can be found in [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.
This security release includes OpenSSL security updates as outlined in the recent
[OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt).
This security release also includes an npm update for Node.js 14 to address a number
of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You
can get more details for the individual CVEs in
[nodejs-dependency-vuln-assessments](https://togithub.com/nodejs/nodejs-dependency-vuln-assessments).
##### Commits
- \[[`97a0443f13`](https://togithub.com/nodejs/node/commit/97a0443f13)] - **build**: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374](https://togithub.com/nodejs-private/node-private/pull/374)
- \[[`9e6221529b`](https://togithub.com/nodejs/node/commit/9e6221529b)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46566](https://togithub.com/nodejs/node/pull/46566)
- \[[`0d5f86451d`](https://togithub.com/nodejs/node/commit/0d5f86451d)] - **deps**: update archs files for OpenSSL-1.1.1t (RafaelGSS) [#46566](https://togithub.com/nodejs/node/pull/46566)
- \[[`8c11d17b40`](https://togithub.com/nodejs/node/commit/8c11d17b40)] - **deps**: upgrade openssl sources to 1.1.1t (RafaelGSS) [#46566](https://togithub.com/nodejs/node/pull/46566)
- \[[`224e93c9ef`](https://togithub.com/nodejs/node/commit/224e93c9ef)] - **deps**: upgrade npm to 6.14.18 (Ruy Adorno) [#45936](https://togithub.com/nodejs/node/pull/45936)
- \[[`d73ea4de13`](https://togithub.com/nodejs/node/commit/d73ea4de13)] - **doc**: clarify release notes for Node.js 14.21.2 (Richard Lau) [#45846](https://togithub.com/nodejs/node/pull/45846)
- \[[`f7892c16be`](https://togithub.com/nodejs/node/commit/f7892c16be)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358](https://togithub.com/nodejs-private/node-private/pull/358)
- \[[`fa115ee8ac`](https://togithub.com/nodejs/node/commit/fa115ee8ac)] - **module**: protect against prototype mutation (Antoine du Hamel) [#44007](https://togithub.com/nodejs/node/pull/44007)
- \[[`83975b7fb4`](https://togithub.com/nodejs/node/commit/83975b7fb4)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358](https://togithub.com/nodejs-private/node-private/pull/358)
- \[[`a5f8798d7a`](https://togithub.com/nodejs/node/commit/a5f8798d7a)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://togithub.com/nodejs/node/pull/46276)
### [`v14.21.2`](https://togithub.com/nodejs/node/releases/tag/v14.21.2): 2022-12-13, Version 14.21.2 'Fermium' (LTS), @richardlau
[Compare Source](https://togithub.com/nodejs/node/compare/v14.21.1...v14.21.2)
##### Notable Changes
##### OpenSSL 1.1.1s
This update is a bugfix release and does not address any security
vulnerabilities.
##### Root certificates updated to NSS 3.85
Certificates added:
- Autoridad de Certificacion Firmaprofesional CIF [`A626340`](https://togithub.com/nodejs/node/commit/A62634068)
- Certainly Root E1
- Certainly Root R1
- D-TRUST BR Root CA 1 2020
- D-TRUST EV Root CA 1 2020
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- HiPKI Root CA - G1
- ISRG Root X2
- Security Communication ECC RootCA1
- Security Communication RootCA3
- Telia Root CA v2
- vTrus ECC Root CA
- vTrus Root CA
Certificates removed:
- Cybertrust Global Root
- DST Root CA X3
- GlobalSign Root CA - R2
- Hellenic Academic and Research Institutions RootCA 2011
##### Time zone update to 2022f
Time zone data has been updated to 2022f. This includes changes to Daylight
Savings Time (DST) for Fiji and Mexico. For more information, see
.
##### Commits
- \[[`436a596e99`](https://togithub.com/nodejs/node/commit/436a596e99)] - **crypto**: update root certificates (Luigi Pinca) [#45490](https://togithub.com/nodejs/node/pull/45490)
- \[[`4b422d34af`](https://togithub.com/nodejs/node/commit/4b422d34af)] - **deps**: V8: cherry-pick [`d2db7fa`](https://togithub.com/nodejs/node/commit/d2db7fa7f786) (Richard Lau) [#45785](https://togithub.com/nodejs/node/pull/45785)
- \[[`625f4bf3a9`](https://togithub.com/nodejs/node/commit/625f4bf3a9)] - **deps**: update corepack to 0.15.1 (Node.js GitHub Bot) [#45331](https://togithub.com/nodejs/node/pull/45331)
- \[[`48a9810de8`](https://togithub.com/nodejs/node/commit/48a9810de8)] - **deps**: update corepack to 0.15.0 (Node.js GitHub Bot) [#45235](https://togithub.com/nodejs/node/pull/45235)
- \[[`9f4e64b603`](https://togithub.com/nodejs/node/commit/9f4e64b603)] - **deps**: update timezone to 2022f (Richard Lau) [#45521](https://togithub.com/nodejs/node/pull/45521)
- \[[`f297b6bd21`](https://togithub.com/nodejs/node/commit/f297b6bd21)] - **deps**: update archs files for OpenSSL-1.1.1s (RafaelGSS) [#45272](https://togithub.com/nodejs/node/pull/45272)
- \[[`11629fef15`](https://togithub.com/nodejs/node/commit/11629fef15)] - **deps**: upgrade openssl sources to 1.1.1s (RafaelGSS) [#45272](https://togithub.com/nodejs/node/pull/45272)
- \[[`c3a90c4b44`](https://togithub.com/nodejs/node/commit/c3a90c4b44)] - **http2**: fix memory leak when nghttp2 hd threshold is reached (rogertyang) [#41502](https://togithub.com/nodejs/node/pull/41502)
- \[[`785dc3efee`](https://togithub.com/nodejs/node/commit/785dc3efee)] - **module**: cjs-module-lexer WebAssembly fallback (Guy Bedford) [#43612](https://togithub.com/nodejs/node/pull/43612)
- \[[`2dbeb889f6`](https://togithub.com/nodejs/node/commit/2dbeb889f6)] - **node-api**: handle no support for external buffers (Michael Dawson) [#45181](https://togithub.com/nodejs/node/pull/45181)
- \[[`5b2ea124f3`](https://togithub.com/nodejs/node/commit/5b2ea124f3)] - **test**: add test to validate changelogs for releases (Richard Lau) [#45325](https://togithub.com/nodejs/node/pull/45325)
- \[[`f13f889956`](https://togithub.com/nodejs/node/commit/f13f889956)] - **test**: add a test to ensure the correctness of timezone upgrades (Darshan Sen) [#45299](https://togithub.com/nodejs/node/pull/45299)
- \[[`5608e6fa72`](https://togithub.com/nodejs/node/commit/5608e6fa72)] - **tools**: update certdata.txt (Luigi Pinca) [#45490](https://togithub.com/nodejs/node/pull/45490)
- \[[`d6f1d7107b`](https://togithub.com/nodejs/node/commit/d6f1d7107b)] - **tools**: have test-asan use ubuntu-20.04 (Filip Skokan) [#45581](https://togithub.com/nodejs/node/pull/45581)
- \[[`370a00f737`](https://togithub.com/nodejs/node/commit/370a00f737)] - **tools**: make license-builder.sh comply with shellcheck 0.8.0 (Rich Trott) [#41258](https://togithub.com/nodejs/node/pull/41258)
Configuration
📅 Schedule: Branch creation - "before 5am on saturday" in timezone Asia/Jakarta, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
>=14.21.1->>=v14.21.3Release Notes
nodejs/node
### [`v14.21.3`](https://togithub.com/nodejs/node/releases/tag/v14.21.3): 2023-02-16, Version 14.21.3 'Fermium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v14.21.2...v14.21.3) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High) - **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low) More detailed information on each of the vulnerabilities can be found in [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post. This security release includes OpenSSL security updates as outlined in the recent [OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt). This security release also includes an npm update for Node.js 14 to address a number of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You can get more details for the individual CVEs in [nodejs-dependency-vuln-assessments](https://togithub.com/nodejs/nodejs-dependency-vuln-assessments). ##### Commits - \[[`97a0443f13`](https://togithub.com/nodejs/node/commit/97a0443f13)] - **build**: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374](https://togithub.com/nodejs-private/node-private/pull/374) - \[[`9e6221529b`](https://togithub.com/nodejs/node/commit/9e6221529b)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46566](https://togithub.com/nodejs/node/pull/46566) - \[[`0d5f86451d`](https://togithub.com/nodejs/node/commit/0d5f86451d)] - **deps**: update archs files for OpenSSL-1.1.1t (RafaelGSS) [#46566](https://togithub.com/nodejs/node/pull/46566) - \[[`8c11d17b40`](https://togithub.com/nodejs/node/commit/8c11d17b40)] - **deps**: upgrade openssl sources to 1.1.1t (RafaelGSS) [#46566](https://togithub.com/nodejs/node/pull/46566) - \[[`224e93c9ef`](https://togithub.com/nodejs/node/commit/224e93c9ef)] - **deps**: upgrade npm to 6.14.18 (Ruy Adorno) [#45936](https://togithub.com/nodejs/node/pull/45936) - \[[`d73ea4de13`](https://togithub.com/nodejs/node/commit/d73ea4de13)] - **doc**: clarify release notes for Node.js 14.21.2 (Richard Lau) [#45846](https://togithub.com/nodejs/node/pull/45846) - \[[`f7892c16be`](https://togithub.com/nodejs/node/commit/f7892c16be)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358](https://togithub.com/nodejs-private/node-private/pull/358) - \[[`fa115ee8ac`](https://togithub.com/nodejs/node/commit/fa115ee8ac)] - **module**: protect against prototype mutation (Antoine du Hamel) [#44007](https://togithub.com/nodejs/node/pull/44007) - \[[`83975b7fb4`](https://togithub.com/nodejs/node/commit/83975b7fb4)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358](https://togithub.com/nodejs-private/node-private/pull/358) - \[[`a5f8798d7a`](https://togithub.com/nodejs/node/commit/a5f8798d7a)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://togithub.com/nodejs/node/pull/46276) ### [`v14.21.2`](https://togithub.com/nodejs/node/releases/tag/v14.21.2): 2022-12-13, Version 14.21.2 'Fermium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v14.21.1...v14.21.2) ##### Notable Changes ##### OpenSSL 1.1.1s This update is a bugfix release and does not address any security vulnerabilities. ##### Root certificates updated to NSS 3.85 Certificates added: - Autoridad de Certificacion Firmaprofesional CIF [`A626340`](https://togithub.com/nodejs/node/commit/A62634068) - Certainly Root E1 - Certainly Root R1 - D-TRUST BR Root CA 1 2020 - D-TRUST EV Root CA 1 2020 - DigiCert TLS ECC P384 Root G5 - DigiCert TLS RSA4096 Root G5 - E-Tugra Global Root CA ECC v3 - E-Tugra Global Root CA RSA v3 - HiPKI Root CA - G1 - ISRG Root X2 - Security Communication ECC RootCA1 - Security Communication RootCA3 - Telia Root CA v2 - vTrus ECC Root CA - vTrus Root CA Certificates removed: - Cybertrust Global Root - DST Root CA X3 - GlobalSign Root CA - R2 - Hellenic Academic and Research Institutions RootCA 2011 ##### Time zone update to 2022f Time zone data has been updated to 2022f. This includes changes to Daylight Savings Time (DST) for Fiji and Mexico. For more information, seeConfiguration
📅 Schedule: Branch creation - "before 5am on saturday" in timezone Asia/Jakarta, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.