basilbot
commented
3 years ago Deploy preview for basiljs2 ready!
Built with commit 0b37af4f16913cf72946b10da7d882d6a8e7a37e
Open renovate[bot] opened 3 years ago
basilbot
commented
3 years ago Deploy preview for basiljs2 ready!
Built with commit 0b37af4f16913cf72946b10da7d882d6a8e7a37e
renovate[bot]
commented
1 year ago Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
This PR contains the following updates:
10.22.0->10.24.1Release Notes
nodejs/node
### [`v10.24.1`](https://togithub.com/nodejs/node/releases/tag/v10.24.1): 2021-04-06, Version 10.24.1 'Dubnium' (LTS), @mylesborins [Compare Source](https://togithub.com/nodejs/node/compare/v10.24.0...v10.24.1) This is a security release. ##### Notable Changes Vulerabilties fixed: - **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509\_V_FLAG_X509\_STRICT (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt - Impacts: - All versions of the 15.x, 14.x, 12.x and 10.x releases lines - **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High) - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt - Impacts: - All versions of the 15.x, 14.x, 12.x and 10.x releases lines - **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High) - This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh - Impacts: - All versions of the 14.x, 12.x and 10.x releases lines ##### Commits - \[[`5e526b96ce`](https://togithub.com/nodejs/node/commit/5e526b96ce)] - **deps**: upgrade npm to 6.14.12 (Ruy Adorno) [#37918](https://togithub.com/nodejs/node/pull/37918) - \[[`781cb6df5c`](https://togithub.com/nodejs/node/commit/781cb6df5c)] - **deps**: update archs files for OpenSSL-1.1.1k (Tobias Nießen) [#37940](https://togithub.com/nodejs/node/pull/37940) - \[[`5db0a05a90`](https://togithub.com/nodejs/node/commit/5db0a05a90)] - **deps**: upgrade openssl sources to 1.1.1k (Tobias Nießen) [#37940](https://togithub.com/nodejs/node/pull/37940) ### [`v10.24.0`](https://togithub.com/nodejs/node/releases/tag/v10.24.0): 2021-02-23, Version 10.24.0 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.3...v10.24.0) This is a security release. ##### Notable changes Vulnerabilities fixed: - **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory. - **CVE-2021-22884**: DNS rebinding in --inspect - Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160. - **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate - This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt ##### Commits - \[[`0afcb4f6bb`](https://togithub.com/nodejs/node/commit/0afcb4f6bb)] - **deps**: update archs files for OpenSSL-1.1.1j (Daniel Bevenius) [#37415](https://togithub.com/nodejs/node/pull/37415) - \[[`447be941cd`](https://togithub.com/nodejs/node/commit/447be941cd)] - **deps**: upgrade openssl sources to 1.1.1j (Daniel Bevenius) [#37415](https://togithub.com/nodejs/node/pull/37415) - \[[`3f2e9dc40c`](https://togithub.com/nodejs/node/commit/3f2e9dc40c)] - **(SEMVER-MINOR)** **http2**: add unknownProtocol timeout (Daniel Bevenius) [nodejs-private/node-private#246](https://togithub.com/nodejs-private/node-private/pull/246) - \[[`d1cf6a9b0f`](https://togithub.com/nodejs/node/commit/d1cf6a9b0f)] - **src**: drop localhost6 as allowed host for inspector (Matteo Collina) [nodejs-private/node-private#244](https://togithub.com/nodejs-private/node-private/pull/244) ### [`v10.23.3`](https://togithub.com/nodejs/node/releases/tag/v10.23.3): 2021-02-09, Version 10.23.3 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.2...v10.23.3) ##### Notable changes The update to npm 6.14.11 has been relanded so that npm correctly reports its version. ##### Commits - \[[`953a85035d`](https://togithub.com/nodejs/node/commit/953a85035d)] - **crypto**: fix crash when calling digest after piping (Tobias Nießen) [#28251](https://togithub.com/nodejs/node/pull/28251) - \[[`fe2c98003e`](https://togithub.com/nodejs/node/commit/fe2c98003e)] - **deps**: upgrade npm to 6.14.11 (Ruy Adorno) [#37173](https://togithub.com/nodejs/node/pull/37173) - \[[`7b7fb43b8a`](https://togithub.com/nodejs/node/commit/7b7fb43b8a)] - ***Revert*** "**deps**: upgrade npm to 6.14.11" (Richard Lau) [#37278](https://togithub.com/nodejs/node/pull/37278) - \[[`1c6fbd6ffe`](https://togithub.com/nodejs/node/commit/1c6fbd6ffe)] - **test**: add test that verifies crypto stream pipeline (Evan Lucas) [#37009](https://togithub.com/nodejs/node/pull/37009) ### [`v10.23.2`](https://togithub.com/nodejs/node/releases/tag/v10.23.2): 2021-01-26, Version 10.23.2 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.1...v10.23.2) ##### Notable changes Release keys have been synchronized with the main branch. - **deps**: - upgrade npm to 6.14.11 (Darcy Clarke) [#36838](https://togithub.com/nodejs/node/pull/36838) ##### Commits - \[[`cc6b69557a`](https://togithub.com/nodejs/node/commit/cc6b69557a)] - **deps**: upgrade npm to 6.14.11 (Darcy Clarke) [#36838](https://togithub.com/nodejs/node/pull/36838) - \[[`aefb66528a`](https://togithub.com/nodejs/node/commit/aefb66528a)] - **doc**: update contact information for [@BethGriggs](https://togithub.com/BethGriggs) (Beth Griggs) [#35451](https://togithub.com/nodejs/node/pull/35451) - \[[`08931481d8`](https://togithub.com/nodejs/node/commit/08931481d8)] - **doc**: update contact information for richardlau (Richard Lau) [#35450](https://togithub.com/nodejs/node/pull/35450) - \[[`bc0617f4ea`](https://togithub.com/nodejs/node/commit/bc0617f4ea)] - **doc**: update release key for Danielle Adams (Danielle Adams) [#36793](https://togithub.com/nodejs/node/pull/36793) - \[[`d7c09fcfd3`](https://togithub.com/nodejs/node/commit/d7c09fcfd3)] - **doc**: add release key for Danielle Adams (Danielle Adams) [#35545](https://togithub.com/nodejs/node/pull/35545) - \[[`ac49d415b0`](https://togithub.com/nodejs/node/commit/ac49d415b0)] - **doc**: add release key for Ruy Adorno (Ruy Adorno) [#34628](https://togithub.com/nodejs/node/pull/34628) - \[[`b8426ae3ce`](https://togithub.com/nodejs/node/commit/b8426ae3ce)] - **doc**: add release key for Richard Lau (Richard Lau) [#34397](https://togithub.com/nodejs/node/pull/34397) ### [`v10.23.1`](https://togithub.com/nodejs/node/releases/tag/v10.23.1): 2021-01-04, Version 10.23.1 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.23.0...v10.23.1) ##### Notable changes This is a security release. Vulnerabilities fixed: - **CVE-2020-8265**: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits - **CVE-2020-8287**: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). - **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt ##### Commits - \[[`bd44b0ee7f`](https://togithub.com/nodejs/node/commit/bd44b0ee7f)] - **build,win**: accept Python 3 if 2 is not available (João Reis) [#29236](https://togithub.com/nodejs/node/pull/29236) - \[[`d5c9b09bdc`](https://togithub.com/nodejs/node/commit/d5c9b09bdc)] - **build,win**: find Python in paths with spaces (João Reis) [#29236](https://togithub.com/nodejs/node/pull/29236) - \[[`323a6f114a`](https://togithub.com/nodejs/node/commit/323a6f114a)] - **deps**: update http-parser to [http-parser@`ec8b5ee`](https://togithub.com/http-parser/node/commit/ec8b5ee63f) (Richard Lau) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235) - \[[`f08d0fef64`](https://togithub.com/nodejs/node/commit/f08d0fef64)] - **deps**: upgrade npm to 6.14.10 (Ruy Adorno) [#36571](https://togithub.com/nodejs/node/pull/36571) - \[[`b0608b574a`](https://togithub.com/nodejs/node/commit/b0608b574a)] - **deps**: update archs files for OpenSSL-1.1.1i (Richard Lau) [#36541](https://togithub.com/nodejs/node/pull/36541) - \[[`d936e1833f`](https://togithub.com/nodejs/node/commit/d936e1833f)] - **deps**: upgrade openssl sources to 1.1.1i (Myles Borins) [#36541](https://togithub.com/nodejs/node/pull/36541) - \[[`9c4970715c`](https://togithub.com/nodejs/node/commit/9c4970715c)] - **deps**: upgrade npm to 6.14.9 (Myles Borins) [#36450](https://togithub.com/nodejs/node/pull/36450) - \[[`aa6b97fb99`](https://togithub.com/nodejs/node/commit/aa6b97fb99)] - **http**: add test for http transfer encoding smuggling (Richard Lau) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235) - \[[`fc70ce08f5`](https://togithub.com/nodejs/node/commit/fc70ce08f5)] - **http**: unset `F_CHUNKED` on new `Transfer-Encoding` (Fedor Indutny) [nodejs-private/node-private#235](https://togithub.com/nodejs-private/node-private/pull/235) - \[[`7f178663eb`](https://togithub.com/nodejs/node/commit/7f178663eb)] - **src**: use unique_ptr for WriteWrap (Daniel Bevenius) [nodejs-private/node-private#238](https://togithub.com/nodejs-private/node-private/pull/238) - \[[`357e2857c8`](https://togithub.com/nodejs/node/commit/357e2857c8)] - **test**: add test-tls-use-after-free-regression (Daniel Bevenius) [nodejs-private/node-private#238](https://togithub.com/nodejs-private/node-private/pull/238) ### [`v10.23.0`](https://togithub.com/nodejs/node/releases/tag/v10.23.0): 2020-10-27, Version 10.23.0 'Dubnium' (LTS), @richardlau [Compare Source](https://togithub.com/nodejs/node/compare/v10.22.1...v10.23.0) ##### Notable changes - **deps**: - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](https://togithub.com/nodejs/node/pull/34834) - **n-api**: - create N-API version 7 (Gabriel Schulhof) [#35199](https://togithub.com/nodejs/node/pull/35199) - expose napi_build_version variable (NickNaso) [#27835](https://togithub.com/nodejs/node/pull/27835) - **tools**: - add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](https://togithub.com/nodejs/node/pull/34378) ##### Commits - \[[`b83f9a56fc`](https://togithub.com/nodejs/node/commit/b83f9a56fc)] - **build**: expose napi_build_version variable (NickNaso) [#27835](https://togithub.com/nodejs/node/pull/27835) - \[[`020ba1a2b8`](https://togithub.com/nodejs/node/commit/020ba1a2b8)] - **build**: enable backtrace when V8 is built for PPC and S390x (Michaël Zasso) [#32113](https://togithub.com/nodejs/node/pull/32113) - \[[`eee9412a8c`](https://togithub.com/nodejs/node/commit/eee9412a8c)] - **deps**: upgrade npm to 6.14.8 (Ruy Adorno) [#34834](https://togithub.com/nodejs/node/pull/34834) - \[[`038593d5ff`](https://togithub.com/nodejs/node/commit/038593d5ff)] - **deps**: upgrade npm to 6.14.7 (claudiahdz) [#34468](https://togithub.com/nodejs/node/pull/34468) - \[[`3564424625`](https://togithub.com/nodejs/node/commit/3564424625)] - **deps**: V8: cherry-pick [`eec10a2`](https://togithub.com/nodejs/node/commit/eec10a2fd8fa) (Stephen Belanger) [#33778](https://togithub.com/nodejs/node/pull/33778) - \[[`e9e86e1b60`](https://togithub.com/nodejs/node/commit/e9e86e1b60)] - **http2**: support non-empty DATA frame with END_STREAM flag (Carlos Lopez) [#33875](https://togithub.com/nodejs/node/pull/33875) - \[[`751820b6c2`](https://togithub.com/nodejs/node/commit/751820b6c2)] - **http2,doc**: minor fixes (Alba Mendez) [#28044](https://togithub.com/nodejs/node/pull/28044) - \[[`54c2bc2e62`](https://togithub.com/nodejs/node/commit/54c2bc2e62)] - **(SEMVER-MINOR)** **n-api**: create N-API version 7 (Gabriel Schulhof) [#35199](https://togithub.com/nodejs/node/pull/35199) - \[[`2eb627301c`](https://togithub.com/nodejs/node/commit/2eb627301c)] - **src**: allows escaping NODE_OPTIONS with backslashes (Maël Nison) [#24065](https://togithub.com/nodejs/node/pull/24065) - \[[`5170d14b36`](https://togithub.com/nodejs/node/commit/5170d14b36)] - **test**: fix test-linux-perf flakiness (Matheus Marchini) [#27615](https://togithub.com/nodejs/node/pull/27615) - \[[`21b86d7f19`](https://togithub.com/nodejs/node/commit/21b86d7f19)] - **test,v8**: skip less and stabilize test-linux-perf.js (Refael Ackermann) [#27364](https://togithub.com/nodejs/node/pull/27364) - \[[`ee11ab50a7`](https://togithub.com/nodejs/node/commit/ee11ab50a7)] - **tools**: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](https://togithub.com/nodejs/node/pull/34378) ### [`v10.22.1`](https://togithub.com/nodejs/node/releases/tag/v10.22.1): 2020-09-15, Version 10.22.1 'Dubnium' (LTS), @BethGriggs [Compare Source](https://togithub.com/nodejs/node/compare/v10.22.0...v10.22.1) ##### Notable changes This is a security release. Vulnerabilities fixed: - **CVE-2020-8252**: fs.realpath.native on may cause buffer overflow (Medium). ##### Commits - \[[`57badcf93e`](https://togithub.com/nodejs/node/commit/57badcf93e)] - **deps**: libuv: cherry-pick [`0e6e862`](https://togithub.com/nodejs/node/commit/0e6e8620) (Colin Ihrig) [libuv/libuv#2966](https://togithub.com/libuv/libuv/pull/2966)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.