Closed renovate[bot] closed 10 months ago
Latest commit: e5d1e71b2a6c74f6caeb4d3d64696633d1f75051
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠ Warning: custom changes will be lost.
This PR contains the following updates:
| Package | Change |
|---|---|
| node | `20.5.0` -> `20.5.1` |
| pnpm | `8.6.10` -> `8.7.0` |
| vitest | `^0.33.0` -> `^0.34.0` |
Release Notes
nodejs/node (node)
### [`v20.5.1`](https://togithub.com/nodejs/node/releases/tag/v20.5.1): 2023-08-09, Version 20.5.1 (Current), @RafaelGSS

[Compare Source](https://togithub.com/nodejs/node/compare/v20.5.0...v20.5.1)

This is a security release.

##### Notable Changes

The following CVEs are fixed in this release:

- [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002): Policies can be bypassed via `Module._load` (High)
- [CVE-2023-32558](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32558): `process.binding()` can bypass the permission model through path traversal (High)
- [CVE-2023-32004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32004): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
- [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by `module.constructor.createRequire` (Medium)
- [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via `process.binding` (Medium)
- [CVE-2023-32005](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32005): `fs.statfs` can bypass the permission model (Low)
- [CVE-2023-32003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32003): `fs.mkdtemp()` and `fs.mkdtempSync()` can bypass the permission model (Low)
- OpenSSL Security Releases
  - [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  - [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  - [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html).

More detailed information on each of the vulnerabilities can be found in the [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.
##### Commits

- [[`92300b51b4`](https://togithub.com/nodejs/node/commit/92300b51b4)] - **deps**: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) [#49036](https://togithub.com/nodejs/node/pull/49036)
- [[`559698abf2`](https://togithub.com/nodejs/node/commit/559698abf2)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) [#49036](https://togithub.com/nodejs/node/pull/49036)
- [[`1bf3429e8e`](https://togithub.com/nodejs/node/commit/1bf3429e8e)] - **lib,permission**: restrict process.binding when pm is enabled (RafaelGSS) [nodejs-private/node-private#438](https://togithub.com/nodejs-private/node-private/pull/438)
- [[`98a83a67e6`](https://togithub.com/nodejs/node/commit/98a83a67e6)] - **permission**: ensure to resolve path when calling mkdtemp (RafaelGSS) [nodejs-private/node-private#464](https://togithub.com/nodejs-private/node-private/pull/464)
- [[`1f0cde466b`](https://togithub.com/nodejs/node/commit/1f0cde466b)] - **permission**: handle buffer path on fs calls (RafaelGSS) [nodejs-private/node-private#439](https://togithub.com/nodejs-private/node-private/pull/439)
- [[`bd094d60ea`](https://togithub.com/nodejs/node/commit/bd094d60ea)] - **permission**: handle fstatfs and add pm supported list (RafaelGSS) [nodejs-private/node-private#441](https://togithub.com/nodejs-private/node-private/pull/441)
- [[`7337d21484`](https://togithub.com/nodejs/node/commit/7337d21484)] - **policy**: handle Module.constructor and main.extensions bypass (RafaelGSS) [nodejs-private/node-private#417](https://togithub.com/nodejs-private/node-private/pull/417)
- [[`cf348ec640`](https://togithub.com/nodejs/node/commit/cf348ec640)] - **policy**: disable process.binding() when enabled (Tobias Nießen) [nodejs-private/node-private#397](https://togithub.com/nodejs-private/node-private/pull/397)

pnpm/pnpm (pnpm)
### [`v8.7.0`](https://togithub.com/pnpm/pnpm/releases/tag/v8.7.0)

[Compare Source](https://togithub.com/pnpm/pnpm/compare/v8.6.12...v8.7.0)

#### Minor Changes

- Improve performance of installation by using a worker pool for extracting packages and writing them to the content-addressable store [#6850](https://togithub.com/pnpm/pnpm/pull/6850)
- The default value of the `resolution-mode` setting is changed to `highest`. This setting was changed to `lowest-direct` in v8.0.0 and some users were [not happy with the change](https://togithub.com/pnpm/pnpm/issues/6463). A [twitter poll](https://twitter.com/pnpmjs/status/1693707270897517022) concluded that most of the users want the old behaviour (`resolution-mode` set to `highest` by default). This is a semi-breaking change but should not affect users that commit their lockfile [#6463](https://togithub.com/pnpm/pnpm/issues/6463).

#### Patch Changes

- Warn when linking a package with peerDependencies [#615](https://togithub.com/pnpm/pnpm/issues/615).
- Add support for npm lockfile v3 in `pnpm import` [#6233](https://togithub.com/pnpm/pnpm/issues/6233).
- Override peerDependencies in `pnpm.overrides` [#6759](https://togithub.com/pnpm/pnpm/issues/6759).
- Respect workspace alias syntax in pkg graph [#6922](https://togithub.com/pnpm/pnpm/issues/6922)
- Emit a clear error message when users attempt to specify an undownloadable node version [#6916](https://togithub.com/pnpm/pnpm/pull/6916).
- `pnpm patch` should write patch files with a trailing newline [#6905](https://togithub.com/pnpm/pnpm/pull/6905).
- Dedupe deps with the same alias in direct dependencies [#6966](https://togithub.com/pnpm/pnpm/issues/6966)
- Don't prefix install output for the dlx command.
- Performance optimizations. Package tarballs are now downloaded directly to memory and built into an ArrayBuffer. Hashing and other operations are avoided until the stream has been fully received [#6819](https://togithub.com/pnpm/pnpm/pull/6819).
vitest-dev/vitest (vitest)
### [`v0.34.3`](https://togithub.com/vitest-dev/vitest/releases/tag/v0.34.3)

[Compare Source](https://togithub.com/vitest-dev/vitest/compare/v0.34.2...v0.34.3)

##### 🚀 Features

- **coverage**: Add `allowExternal` option - by [@vojvodics](https://togithub.com/vojvodics) and [@AriPerkkio](https://togithub.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/3894](https://togithub.com/vitest-dev/vitest/issues/3894) [(c03fa)](https://togithub.com/vitest-dev/vitest/commit/c03faa22)
- **vitest**: Export all reporters in `vitest/reporters` - by [@Dunqing](https://togithub.com/Dunqing) and [@sheremet-va](https://togithub.com/sheremet-va) in [https://github.com/vitest-dev/vitest/issues/3980](https://togithub.com/vitest-dev/vitest/issues/3980) [(5704b)](https://togithub.com/vitest-dev/vitest/commit/5704b341)

##### 🐞 Bug Fixes

- Should remove mockPath from callstack whether success or failed - by [@miserylee](https://togithub.com/miserylee) and **lijifei** in [https://github.com/vitest-dev/vitest/issues/3971](https://togithub.com/vitest-dev/vitest/issues/3971) [(5eb85)](https://togithub.com/vitest-dev/vitest/commit/5eb8561c)
- Add workspace config files to default coverage excludes - by [@FelixGraf](https://togithub.com/FelixGraf) and [@AriPerkkio](https://togithub.com/AriPerkkio) in [https://github.com/vitest-dev/vitest/issues/3973](https://togithub.com/vitest-dev/vitest/issues/3973) [(20263)](https://togithub.com/vitest-dev/vitest/commit/20263d9d)
- Report file error as a

Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate. View repository job log here.