changeset-bot[bot]
commented
1 year ago ⚠️ No Changeset found
Latest commit: 296612e2446fb0f67b1a7be80421a2b4762a28ce
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver typesClick here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
This PR contains the following updates:
18.16.0->18.16.1Release Notes
nodejs/node
### [`v18.16.1`](https://togithub.com/nodejs/node/releases/tag/v18.16.1): 2023-06-20, Version 18.16.1 'Hydrogen' (LTS), @RafaelGSS [Compare Source](https://togithub.com/nodejs/node/compare/v18.16.0...v18.16.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High) - [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) - [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interuption due to invalid Public Key information in x509 certificates (Medium) - [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium) - [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium) - OpenSSL Security Releases - [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt). - [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt). - [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt) - c-ares vulnerabilities: - [GHSA-9g78-jv2r-p7vc](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc) - [GHSA-8r8p-23f3-64c2](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2) - [GHSA-54xr-f67r-4pc4](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4) - [GHSA-x6mf-cxr9-8q6v](https://togithub.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v) More detailed information on each of the vulnerabilities can be found in [June 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/) blog post. ##### Commits - \[[`bf3e2c8928`](https://togithub.com/nodejs/node/commit/bf3e2c8928)] - **crypto**: handle cert with invalid SPKI gracefully (Tobias Nießen) [nodejs-private/node-private#393](https://togithub.com/nodejs-private/node-private/pull/393) - \[[`70f9449072`](https://togithub.com/nodejs/node/commit/70f9449072)] - **deps**: set `CARES_RANDOM_FILE` for c-ares (Richard Lau) [#48156](https://togithub.com/nodejs/node/pull/48156) - \[[`35d4efb57b`](https://togithub.com/nodejs/node/commit/35d4efb57b)] - **deps**: update c-ares to 1.19.1 (RafaelGSS) [#48115](https://togithub.com/nodejs/node/pull/48115) - \[[`392dfedc77`](https://togithub.com/nodejs/node/commit/392dfedc77)] - **deps**: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) [#48402](https://togithub.com/nodejs/node/pull/48402) - \[[`46cd5fe38b`](https://togithub.com/nodejs/node/commit/46cd5fe38b)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) [#48402](https://togithub.com/nodejs/node/pull/48402) - \[[`7e3d2d85c2`](https://togithub.com/nodejs/node/commit/7e3d2d85c2)] - **doc,test**: clarify behavior of DH generateKeys (Tobias Nießen) [nodejs-private/node-private#426](https://togithub.com/nodejs-private/node-private/pull/426) - \[[`4ff6ba050a`](https://togithub.com/nodejs/node/commit/4ff6ba050a)] - **http**: disable request smuggling via rempty headers (Paolo Insogna) [nodejs-private/node-private#428](https://togithub.com/nodejs-private/node-private/pull/428) - \[[`ab269129a6`](https://togithub.com/nodejs/node/commit/ab269129a6)] - **msi**: do not create AppData\Roaming\npm (Tobias Nießen) [nodejs-private/node-private#408](https://togithub.com/nodejs-private/node-private/pull/408) - \[[`925e8f5619`](https://togithub.com/nodejs/node/commit/925e8f5619)] - **policy**: handle mainModule.\__proto\_\_ bypass (RafaelGSS) [nodejs-private/node-private#416](https://togithub.com/nodejs-private/node-private/pull/416) - \[[`d6fae8e47e`](https://togithub.com/nodejs/node/commit/d6fae8e47e)] - **test**: allow SIGBUS in signal-handler abort test (Michaël Zasso) [#47851](https://togithub.com/nodejs/node/pull/47851)Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.