nodejs/node (node)
### [`v16.20.2`](https://redirect.github.com/nodejs/node/releases/tag/v16.20.2): 2023-08-09, Version 16.20.2 'Gallium' (LTS), @RafaelGSS
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.20.1...v16.20.2)
This is a security release.
##### Notable Changes
The following CVEs are fixed in this release:
- [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002): Policies can be bypassed via Module.\_load (High)
- [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
- [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
- [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
- [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
- [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)
More detailed information on each of the vulnerabilities can be found in [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.
##### Commits
- \[[`40c3958a5a`](https://redirect.github.com/nodejs/node/commit/40c3958a5a)] - **deps**: update archs files for OpenSSL-1.1.1v (RafaelGSS) [#49043](https://redirect.github.com/nodejs/node/pull/49043)
- \[[`a9ac9da89a`](https://redirect.github.com/nodejs/node/commit/a9ac9da89a)] - **deps**: fix openssl crypto clean (RafaelGSS) [#49043](https://redirect.github.com/nodejs/node/pull/49043)
- \[[`362d4c7494`](https://redirect.github.com/nodejs/node/commit/362d4c7494)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1v (RafaelGSS) [#49043](https://redirect.github.com/nodejs/node/pull/49043)
- \[[`d8ccfe9ad4`](https://redirect.github.com/nodejs/node/commit/d8ccfe9ad4)] - **policy**: handle Module.constructor and main.extensions bypass (RafaelGSS) [nodejs-private/node-private#445](https://redirect.github.com/nodejs-private/node-private/pull/445)
- \[[`242aaa0caa`](https://redirect.github.com/nodejs/node/commit/242aaa0caa)] - **policy**: disable process.binding() when enabled (Tobias Nießen) [nodejs-private/node-private#459](https://redirect.github.com/nodejs-private/node-private/pull/459)
### [`v16.20.1`](https://redirect.github.com/nodejs/node/releases/tag/v16.20.1): 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.20.0...v16.20.1)
This is a security release.
##### Notable Changes
The following CVEs are fixed in this release:
- [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
- [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interuption due to invalid Public Key information in x509 certificates (Medium)
- [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium)
- [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium)
- OpenSSL Security Releases
- [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt).
- [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt).
- [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt)
- c-ares vulnerabilities:
- [GHSA-9g78-jv2r-p7vc](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc)
- [GHSA-8r8p-23f3-64c2](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2)
- [GHSA-54xr-f67r-4pc4](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4)
- [GHSA-x6mf-cxr9-8q6v](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v)
More detailed information on each of the vulnerabilities can be found in [June 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/) blog post.
##### Commits
- \[[`5a92ea7a3b`](https://redirect.github.com/nodejs/node/commit/5a92ea7a3b)] - **crypto**: handle cert with invalid SPKI gracefully (Tobias Nießen)
- \[[`5df04e893a`](https://redirect.github.com/nodejs/node/commit/5df04e893a)] - **deps**: set `CARES_RANDOM_FILE` for c-ares (Richard Lau) [#48156](https://redirect.github.com/nodejs/node/pull/48156)
- \[[`c171cbd124`](https://redirect.github.com/nodejs/node/commit/c171cbd124)] - **deps**: update c-ares to 1.19.1 (RafaelGSS) [#48115](https://redirect.github.com/nodejs/node/pull/48115)
- \[[`155d3aac02`](https://redirect.github.com/nodejs/node/commit/155d3aac02)] - **deps**: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) [#48369](https://redirect.github.com/nodejs/node/pull/48369)
- \[[`8d4c8f8ebe`](https://redirect.github.com/nodejs/node/commit/8d4c8f8ebe)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1u (RafaelGSS) [#48369](https://redirect.github.com/nodejs/node/pull/48369)
- \[[`1a5c9284eb`](https://redirect.github.com/nodejs/node/commit/1a5c9284eb)] - **doc,test**: clarify behavior of DH generateKeys (Tobias Nießen) [nodejs-private/node-private#426](https://redirect.github.com/nodejs-private/node-private/pull/426)
- \[[`e42ff4b018`](https://redirect.github.com/nodejs/node/commit/e42ff4b018)] - **http**: disable request smuggling via empty headers (Paolo Insogna) [nodejs-private/node-private#429](https://redirect.github.com/nodejs-private/node-private/pull/429)
- \[[`10042683c8`](https://redirect.github.com/nodejs/node/commit/10042683c8)] - **msi**: do not create AppData\Roaming\npm (Tobias Nießen) [nodejs-private/node-private#408](https://redirect.github.com/nodejs-private/node-private/pull/408)
- \[[`a6f4e87bc9`](https://redirect.github.com/nodejs/node/commit/a6f4e87bc9)] - **policy**: handle mainModule.\__proto\_\_ bypass (RafaelGSS) [nodejs-private/node-private#416](https://redirect.github.com/nodejs-private/node-private/pull/416)
- \[[`b77000f4d7`](https://redirect.github.com/nodejs/node/commit/b77000f4d7)] - **test**: allow SIGBUS in signal-handler abort test (Michaël Zasso) [#47851](https://redirect.github.com/nodejs/node/pull/47851)
### [`v16.20.0`](https://redirect.github.com/nodejs/node/releases/tag/v16.20.0): 2023-03-29, Version 16.20.0 'Gallium' (LTS), @BethGriggs
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.19.1...v16.20.0)
##### Notable Changes
- **deps:**
- update undici to 5.20.0 (Node.js GitHub Bot) [#46711](https://redirect.github.com/nodejs/node/pull/46711)
- update c-ares to 1.19.0 (Michaël Zasso) [#46415](https://redirect.github.com/nodejs/node/pull/46415)
- upgrade npm to 8.19.4 (npm team) [#46677](https://redirect.github.com/nodejs/node/pull/46677)
- update corepack to 0.17.0 (Node.js GitHub Bot) [#46842](https://redirect.github.com/nodejs/node/pull/46842)
- **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#44376](https://redirect.github.com/nodejs/node/pull/44376)
##### Commits
- \[[`de6dd67790`](https://redirect.github.com/nodejs/node/commit/de6dd67790)] - **crypto**: avoid hang when no algorithm available (Richard Lau) [#46237](https://redirect.github.com/nodejs/node/pull/46237)
- \[[`4617512788`](https://redirect.github.com/nodejs/node/commit/4617512788)] - **crypto**: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) [#46185](https://redirect.github.com/nodejs/node/pull/46185)
- \[[`24972164fc`](https://redirect.github.com/nodejs/node/commit/24972164fc)] - **deps**: update undici to 5.20.0 (Node.js GitHub Bot) [#46711](https://redirect.github.com/nodejs/node/pull/46711)
- \[[`85f88c6a8d`](https://redirect.github.com/nodejs/node/commit/85f88c6a8d)] - **deps**: V8: cherry-pick [`90be99f`](https://redirect.github.com/nodejs/node/commit/90be99fab31c) (Michaël Zasso) [#46646](https://redirect.github.com/nodejs/node/pull/46646)
- \[[`b4ebe6d47b`](https://redirect.github.com/nodejs/node/commit/b4ebe6d47b)] - **deps**: update c-ares to 1.19.0 (Michaël Zasso) [#46415](https://redirect.github.com/nodejs/node/pull/46415)
- \[[`56cbc7fdda`](https://redirect.github.com/nodejs/node/commit/56cbc7fdda)] - **deps**: V8: cherry-pick [`c2792e5`](https://redirect.github.com/nodejs/node/commit/c2792e58035f) (Jiawen Geng) [#44961](https://redirect.github.com/nodejs/node/pull/44961)
- \[[`7af9bdb31e`](https://redirect.github.com/nodejs/node/commit/7af9bdb31e)] - **deps**: upgrade npm to 8.19.4 (npm team) [#46677](https://redirect.github.com/nodejs/node/pull/46677)
- \[[`962a7471b5`](https://redirect.github.com/nodejs/node/commit/962a7471b5)] - **deps**: update corepack to 0.17.0 (Node.js GitHub Bot) [#46842](https://redirect.github.com/nodejs/node/pull/46842)
- \[[`748bc96e35`](https://redirect.github.com/nodejs/node/commit/748bc96e35)] - **deps**: update corepack to 0.16.0 (Node.js GitHub Bot) [#46710](https://redirect.github.com/nodejs/node/pull/46710)
- \[[`a467782499`](https://redirect.github.com/nodejs/node/commit/a467782499)] - **deps**: update corepack to 0.15.3 (Node.js GitHub Bot) [#46037](https://redirect.github.com/nodejs/node/pull/46037)
- \[[`1913b6763d`](https://redirect.github.com/nodejs/node/commit/1913b6763d)] - **deps**: update corepack to 0.15.2 (Node.js GitHub Bot) [#45635](https://redirect.github.com/nodejs/node/pull/45635)
- \[[`809371a15f`](https://redirect.github.com/nodejs/node/commit/809371a15f)] - **module**: require.resolve.paths returns null with node schema (MURAKAMI Masahiko) [#45147](https://redirect.github.com/nodejs/node/pull/45147)
- \[[`086bb2f8d4`](https://redirect.github.com/nodejs/node/commit/086bb2f8d4)] - ***Revert*** "**src**: let http2 streams end after session close" (Rich Trott) [#46721](https://redirect.github.com/nodejs/node/pull/46721)
- \[[`6a01d39120`](https://redirect.github.com/nodejs/node/commit/6a01d39120)] - **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#44376](https://redirect.github.com/nodejs/node/pull/44376)
- \[[`d081032a60`](https://redirect.github.com/nodejs/node/commit/d081032a60)] - **test**: fix test-net-connect-reset-until-connected (Vita Batrla) [#46781](https://redirect.github.com/nodejs/node/pull/46781)
- \[[`efe1be47ec`](https://redirect.github.com/nodejs/node/commit/efe1be47ec)] - **test**: skip test depending on `overlapped-checker` when not available (Antoine du Hamel) [#45015](https://redirect.github.com/nodejs/node/pull/45015)
- \[[`fc47d58abe`](https://redirect.github.com/nodejs/node/commit/fc47d58abe)] - **test**: remove cjs loader from stack traces (Geoffrey Booth) [#44197](https://redirect.github.com/nodejs/node/pull/44197)
- \[[`cf76d0790d`](https://redirect.github.com/nodejs/node/commit/cf76d0790d)] - **test**: fix WPT title when no META title is present (Filip Skokan) [#46804](https://redirect.github.com/nodejs/node/pull/46804)
- \[[`0d1485b924`](https://redirect.github.com/nodejs/node/commit/0d1485b924)] - **test**: fix default WPT titles (Filip Skokan) [#46778](https://redirect.github.com/nodejs/node/pull/46778)
- \[[`088e9cde3d`](https://redirect.github.com/nodejs/node/commit/088e9cde3d)] - **test**: add WPTRunner support for variants and generating WPT reports (Filip Skokan) [#46498](https://redirect.github.com/nodejs/node/pull/46498)
- \[[`908c4dff44`](https://redirect.github.com/nodejs/node/commit/908c4dff44)] - **test**: mark test-crypto-key-objects flaky on Linux (Richard Lau) [#46684](https://redirect.github.com/nodejs/node/pull/46684)
- \[[`768e56227e`](https://redirect.github.com/nodejs/node/commit/768e56227e)] - **tools**: make `utils.SearchFiles` deterministic (Bruno Pitrus) [#44496](https://redirect.github.com/nodejs/node/pull/44496)
### [`v16.19.1`](https://redirect.github.com/nodejs/node/releases/tag/v16.19.1): 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.19.0...v16.19.1)
This is a security release.
##### Notable Changes
The following CVEs are fixed in this release:
- **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High)
- **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
- **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
Fixed by an update to undici:
- **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
- See for more information.
- **[CVE-2023-24807](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24807)**: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
- See for more information.
More detailed information on each of the vulnerabilities can be found in [February 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/) blog post.
This security release includes OpenSSL security updates as outlined in the recent
[OpenSSL security advisory](https://www.openssl.org/news/secadv/20230207.txt).
##### Commits
- \[[`7fef050447`](https://redirect.github.com/nodejs/node/commit/7fef050447)] - **build**: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) [nodejs-private/node-private#374](https://redirect.github.com/nodejs-private/node-private/pull/374)
- \[[`b558e9f476`](https://redirect.github.com/nodejs/node/commit/b558e9f476)] - **crypto**: clear OpenSSL error on invalid ca cert (RafaelGSS) [nodejs-private/node-private#375](https://redirect.github.com/nodejs-private/node-private/pull/375)
- \[[`160adb7ffc`](https://redirect.github.com/nodejs/node/commit/160adb7ffc)] - **crypto**: clear OpenSSL error queue after calling X509\_check_private_key() (Filip Skokan) [#45495](https://redirect.github.com/nodejs/node/pull/45495)
- \[[`d0ece30948`](https://redirect.github.com/nodejs/node/commit/d0ece30948)] - **crypto**: clear OpenSSL error queue after calling X509\_verify() (Takuro Sato) [#45377](https://redirect.github.com/nodejs/node/pull/45377)
- \[[`2d9ae4f184`](https://redirect.github.com/nodejs/node/commit/2d9ae4f184)] - **deps**: update undici to v5.19.1 (Matteo Collina) [nodejs-private/node-private#388](https://redirect.github.com/nodejs-private/node-private/pull/388)
- \[[`d80e8312fd`](https://redirect.github.com/nodejs/node/commit/d80e8312fd)] - **deps**: cherry-pick Windows ARM64 fix for openssl (Richard Lau) [#46568](https://redirect.github.com/nodejs/node/pull/46568)
- \[[`de5c8d2c2f`](https://redirect.github.com/nodejs/node/commit/de5c8d2c2f)] - **deps**: update archs files for quictls/openssl-1.1.1t+quic (RafaelGSS) [#46568](https://redirect.github.com/nodejs/node/pull/46568)
- \[[`1a8ccfe908`](https://redirect.github.com/nodejs/node/commit/1a8ccfe908)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1t+quic (RafaelGSS) [#46568](https://redirect.github.com/nodejs/node/pull/46568)
- \[[`693789780b`](https://redirect.github.com/nodejs/node/commit/693789780b)] - **doc**: clarify release notes for Node.js 16.19.0 (Richard Lau) [#45846](https://redirect.github.com/nodejs/node/pull/45846)
- \[[`f95ef064f4`](https://redirect.github.com/nodejs/node/commit/f95ef064f4)] - **lib**: makeRequireFunction patch when experimental policy (RafaelGSS) [nodejs-private/node-private#358](https://redirect.github.com/nodejs-private/node-private/pull/358)
- \[[`b02d895137`](https://redirect.github.com/nodejs/node/commit/b02d895137)] - **policy**: makeRequireFunction on mainModule.require (RafaelGSS) [nodejs-private/node-private#358](https://redirect.github.com/nodejs-private/node-private/pull/358)
- \[[`d7f83c420c`](https://redirect.github.com/nodejs/node/commit/d7f83c420c)] - **test**: avoid left behind child processes (Richard Lau) [#46276](https://redirect.github.com/nodejs/node/pull/46276)
### [`v16.19.0`](https://redirect.github.com/nodejs/node/releases/tag/v16.19.0): 2022-12-13, Version 16.19.0 'Gallium' (LTS), @richardlau
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.18.1...v16.19.0)
##### Notable Changes
##### OpenSSL 1.1.1s
This update is a bugfix release and does not address any security
vulnerabilities.
##### Root certificates updated to NSS 3.85
Certificates added:
- Autoridad de Certificacion Firmaprofesional CIF [`A626340`](https://redirect.github.com/nodejs/node/commit/A62634068)
- Certainly Root E1
- Certainly Root R1
- D-TRUST BR Root CA 1 2020
- D-TRUST EV Root CA 1 2020
- DigiCert TLS ECC P384 Root G5
- DigiCert TLS RSA4096 Root G5
- E-Tugra Global Root CA ECC v3
- E-Tugra Global Root CA RSA v3
- HiPKI Root CA - G1
- ISRG Root X2
- Security Communication ECC RootCA1
- Security Communication RootCA3
- Telia Root CA v2
- vTrus ECC Root CA
- vTrus Root CA
Certificates removed:
- Cybertrust Global Root
- DST Root CA X3
- GlobalSign Root CA - R2
- Hellenic Academic and Research Institutions RootCA 2011
##### Time zone update to 2022f
Time zone data has been updated to 2022f. This includes changes to Daylight
Savings Time (DST) for Fiji and Mexico. For more information, see
.
##### Other Notable Changes
- \[[`33707dcd03`](https://redirect.github.com/nodejs/node/commit/33707dcd03)] - **dgram**: add dgram send queue info (theanarkh) [#44149](https://redirect.github.com/nodejs/node/pull/44149)
Dependency updates:
- \[[`3b2b70d792`](https://redirect.github.com/nodejs/node/commit/3b2b70d792)] - **deps**: upgrade npm to 8.19.3 (npm team) [#45322](https://redirect.github.com/nodejs/node/pull/45322)
Experimental features:
- \[[`1e0dcd1ee0`](https://redirect.github.com/nodejs/node/commit/1e0dcd1ee0)] - **cli**: add `--watch` (Moshe Atlow) [#44366](https://redirect.github.com/nodejs/node/pull/44366)
- \[[`8c73279ebb`](https://redirect.github.com/nodejs/node/commit/8c73279ebb)] - **util**: add default value option to parsearg (Manuel Spigolon) [#44631](https://redirect.github.com/nodejs/node/pull/44631)
##### Commits
- \[[`bbef3c42f6`](https://redirect.github.com/nodejs/node/commit/bbef3c42f6)] - **build**: add version info to timezone update PR (Darshan Sen) [#45021](https://redirect.github.com/nodejs/node/pull/45021)
- \[[`cc2c7648e0`](https://redirect.github.com/nodejs/node/commit/cc2c7648e0)] - **build**: support Python 3.11 (Luigi Pinca) [#45191](https://redirect.github.com/nodejs/node/pull/45191)
- \[[`ac24c80663`](https://redirect.github.com/nodejs/node/commit/ac24c80663)] - **build**: remove redundant condition from common.gypi (Richard Lau) [#45076](https://redirect.github.com/nodejs/node/pull/45076)
- \[[`03dcbe3030`](https://redirect.github.com/nodejs/node/commit/03dcbe3030)] - **build**: fix bad upstream merge (Stephen Gallagher) [#44642](https://redirect.github.com/nodejs/node/pull/44642)
- \[[`1e0dcd1ee0`](https://redirect.github.com/nodejs/node/commit/1e0dcd1ee0)] - **cli**: add `--watch` (Moshe Atlow) [#44366](https://redirect.github.com/nodejs/node/pull/44366)
- \[[`96d131665e`](https://redirect.github.com/nodejs/node/commit/96d131665e)] - **cluster**: use inspector utils (Moshe Atlow) [#44592](https://redirect.github.com/nodejs/node/pull/44592)
- \[[`704836033a`](https://redirect.github.com/nodejs/node/commit/704836033a)] - **crypto**: update root certificates (Luigi Pinca) [#45490](https://redirect.github.com/nodejs/node/pull/45490)
- \[[`5a776d4a69`](https://redirect.github.com/nodejs/node/commit/5a776d4a69)] - **deps**: update timezone to 2022f (Richard Lau) [#45613](https://redirect.github.com/nodejs/node/pull/45613)
- \[[`3b2b70d792`](https://redirect.github.com/nodejs/node/commit/3b2b70d792)] - **deps**: upgrade npm to 8.19.3 (npm team) [#45322](https://redirect.github.com/nodejs/node/pull/45322)
- \[[`9fbc8b21db`](https://redirect.github.com/nodejs/node/commit/9fbc8b21db)] - **deps**: update corepack to 0.15.1 (Node.js GitHub Bot) [#45331](https://redirect.github.com/nodejs/node/pull/45331)
- \[[`87e3d002ca`](https://redirect.github.com/nodejs/node/commit/87e3d002ca)] - **deps**: update corepack to 0.15.0 (Node.js GitHub Bot) [#45235](https://redirect.github.com/nodejs/node/pull/45235)
- \[[`e972ff7b13`](https://redirect.github.com/nodejs/node/commit/e972ff7b13)] - **deps**: V8: backport [`bbd800c`](https://redirect.github.com/nodejs/node/commit/bbd800c6e359) (Chengzhong Wu) [#44947](https://redirect.github.com/nodejs/node/pull/44947)
- \[[`af9d8217c0`](https://redirect.github.com/nodejs/node/commit/af9d8217c0)] - **deps**: V8: cherry-pick [`b953542`](https://redirect.github.com/nodejs/node/commit/b95354290941) (Chengzhong Wu) [#44947](https://redirect.github.com/nodejs/node/pull/44947)
- \[[`38202d321b`](https://redirect.github.com/nodejs/node/commit/38202d321b)] - **deps**: update undici to 5.12.0 (Node.js GitHub Bot) [#45236](https://redirect.github.com/nodejs/node/pull/45236)
- \[[`7c0da6adf9`](https://redirect.github.com/nodejs/node/commit/7c0da6adf9)] - **deps**: update archs files for OpenSSL-1.1.1s (RafaelGSS) [#45274](https://redirect.github.com/nodejs/node/pull/45274)
- \[[`1149ead6f7`](https://redirect.github.com/nodejs/node/commit/1149ead6f7)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1s (RafaelGSS) [#45274](https://redirect.github.com/nodejs/node/pull/45274)
- \[[`cd54bce4f5`](https://redirect.github.com/nodejs/node/commit/cd54bce4f5)] - **deps**: update timezone (Node.js GitHub Bot) [#44950](https://redirect.github.com/nodejs/node/pull/44950)
- \[[`2901abe4f0`](https://redirect.github.com/nodejs/node/commit/2901abe4f0)] - **deps**: update undici to 5.11.0 (Node.js GitHub Bot) [#44929](https://redirect.github.com/nodejs/node/pull/44929)
- \[[`c80cf97033`](https://redirect.github.com/nodejs/node/commit/c80cf97033)] - **deps**: update corepack to 0.14.2 (Node.js GitHub Bot) [#44775](https://redirect.github.com/nodejs/node/pull/44775)
- \[[`33707dcd03`](https://redirect.github.com/nodejs/node/commit/33707dcd03)] - **dgram**: add dgram send queue info (theanarkh) [#44149](https://redirect.github.com/nodejs/node/pull/44149)
- \[[`c708d9bb94`](https://redirect.github.com/nodejs/node/commit/c708d9bb94)] - **doc**: fix typo in parseArgs default value (Tobias Nießen) [#45083](https://redirect.github.com/nodejs/node/pull/45083)
- \[[`5a0efa05d2`](https://redirect.github.com/nodejs/node/commit/5a0efa05d2)] - **node-api**: handle no support for external buffers (Michael Dawson) [#45181](https://redirect.github.com/nodejs/node/pull/45181)
- \[[`db31de634e`](https://redirect.github.com/nodejs/node/commit/db31de634e)] - **readline**: refactor to avoid unsafe regex primordials (Antoine du Hamel) [#43475](https://redirect.github.com/nodejs/node/pull/43475)
- \[[`fbc52e5729`](https://redirect.github.com/nodejs/node/commit/fbc52e5729)] - **src**: disambiguate terms used to refer to builtins and addons (Joyee Cheung) [#44135](https://redirect.github.com/nodejs/node/pull/44135)
- \[[`953072d3db`](https://redirect.github.com/nodejs/node/commit/953072d3db)] - **src**: let http2 streams end after session close (Santiago Gimeno) [#45153](https://redirect.github.com/nodejs/node/pull/45153)
- \[[`54608d8dc3`](https://redirect.github.com/nodejs/node/commit/54608d8dc3)] - **src**: split property helpers from node::Environment (Chengzhong Wu) [#44056](https://redirect.github.com/nodejs/node/pull/44056)
- \[[`6733556783`](https://redirect.github.com/nodejs/node/commit/6733556783)] - **test**: add test to validate changelogs for releases (Richard Lau) [#45325](https://redirect.github.com/nodejs/node/pull/45325)
- \[[`821d832cef`](https://redirect.github.com/nodejs/node/commit/821d832cef)] - **test**: mark test-watch-mode\* as flaky on all platforms (Pierrick Bouvier) [#45049](https://redirect.github.com/nodejs/node/pull/45049)
- \[[`02a18eac69`](https://redirect.github.com/nodejs/node/commit/02a18eac69)] - **test**: fix test-runner-inspect (Moshe Atlow) [#44620](https://redirect.github.com/nodejs/node/pull/44620)
- \[[`197df63f74`](https://redirect.github.com/nodejs/node/commit/197df63f74)] - **test**: add a test to ensure the correctness of timezone upgrades (Darshan Sen) [#45299](https://redirect.github.com/nodejs/node/pull/45299)
- \[[`42e9d8016a`](https://redirect.github.com/nodejs/node/commit/42e9d8016a)] - **test**: fix textdecoder test for small-icu builds (Richard Lau) [#45225](https://redirect.github.com/nodejs/node/pull/45225)
- \[[`6d736a56d8`](https://redirect.github.com/nodejs/node/commit/6d736a56d8)] - **test**: fix watch mode test flake (Moshe Atlow) [#44739](https://redirect.github.com/nodejs/node/pull/44739)
- \[[`543d3d2bf3`](https://redirect.github.com/nodejs/node/commit/543d3d2bf3)] - **test**: deflake watch mode tests (Moshe Atlow) [#44621](https://redirect.github.com/nodejs/node/pull/44621)
- \[[`97f6caf4eb`](https://redirect.github.com/nodejs/node/commit/97f6caf4eb)] - **test**: split watch mode inspector tests to sequential (Moshe Atlow) [#44551](https://redirect.github.com/nodejs/node/pull/44551)
- \[[`499750ff7a`](https://redirect.github.com/nodejs/node/commit/499750ff7a)] - **test**: update list of known globals (Antoine du Hamel) [#45255](https://redirect.github.com/nodejs/node/pull/45255)
- \[[`64d343af74`](https://redirect.github.com/nodejs/node/commit/64d343af74)] - **test_runner**: support using `--inspect` with `--test` (Moshe Atlow) [#44520](https://redirect.github.com/nodejs/node/pull/44520)
- \[[`99ee5e484d`](https://redirect.github.com/nodejs/node/commit/99ee5e484d)] - **test_runner**: fix `duration_ms` to be milliseconds (Moshe Atlow) [#44450](https://redirect.github.com/nodejs/node/pull/44450)
- \[[`37e909251c`](https://redirect.github.com/nodejs/node/commit/37e909251c)] - **test_runner**: support programmatically running `--test` (Moshe Atlow) [#44241](https://redirect.github.com/nodejs/node/pull/44241)
- \[[`0ae5694f88`](https://redirect.github.com/nodejs/node/commit/0ae5694f88)] - **tools**: update certdata.txt (Luigi Pinca) [#45490](https://redirect.github.com/nodejs/node/pull/45490)
- \[[`891368cefd`](https://redirect.github.com/nodejs/node/commit/891368cefd)] - **tools**: remove faulty early termination logic from update-timezone.mjs (Darshan Sen) [#44870](https://redirect.github.com/nodejs/node/pull/44870)
- \[[`543493c242`](https://redirect.github.com/nodejs/node/commit/543493c242)] - **tools**: fix timezone update tool (Darshan Sen) [#44870](https://redirect.github.com/nodejs/node/pull/44870)
- \[[`c77f660b75`](https://redirect.github.com/nodejs/node/commit/c77f660b75)] - **tools**: fix `create-or-update-pull-request-action` hash on GHA (Antoine du Hamel) [#45166](https://redirect.github.com/nodejs/node/pull/45166)
- \[[`58c30dd049`](https://redirect.github.com/nodejs/node/commit/58c30dd049)] - **tools**: update gr2m/create-or-update-pull-request-action (Luigi Pinca) [#45022](https://redirect.github.com/nodejs/node/pull/45022)
- \[[`749a4b3e5e`](https://redirect.github.com/nodejs/node/commit/749a4b3e5e)] - **tools**: use Python 3.11 in GitHub Actions workflows (Luigi Pinca) [#45191](https://redirect.github.com/nodejs/node/pull/45191)
- \[[`6f541d99a5`](https://redirect.github.com/nodejs/node/commit/6f541d99a5)] - **tools**: have test-asan use ubuntu-20.04 (Filip Skokan) [#45581](https://redirect.github.com/nodejs/node/pull/45581)
- \[[`e7ed56f501`](https://redirect.github.com/nodejs/node/commit/e7ed56f501)] - **tools**: make license-builder.sh comply with shellcheck 0.8.0 (Rich Trott) [#41258](https://redirect.github.com/nodejs/node/pull/41258)
- \[[`cc819b4bf8`](https://redirect.github.com/nodejs/node/commit/cc819b4bf8)] - **tools**: fix typo in `avoid-prototype-pollution` lint rule (Antoine du Hamel) [#44446](https://redirect.github.com/nodejs/node/pull/44446)
- \[[`254358c81e`](https://redirect.github.com/nodejs/node/commit/254358c81e)] - **tools**: refactor `avoid-prototype-pollution` lint rule (Antoine du Hamel) [#43476](https://redirect.github.com/nodejs/node/pull/43476)
- \[[`8c73279ebb`](https://redirect.github.com/nodejs/node/commit/8c73279ebb)] - **util**: add default value option to parsearg (Manuel Spigolon) [#44631](https://redirect.github.com/nodejs/node/pull/44631)
### [`v16.18.1`](https://redirect.github.com/nodejs/node/releases/tag/v16.18.1): 2022-11-04, Version 16.18.1 'Gallium' (LTS), @BethGriggs
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.18.0...v16.18.1)
This is a security release.
##### Notable changes
The following CVEs are fixed in this release:
- **[CVE-2022-43548](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43548)**: DNS rebinding in --inspect via invalid octal IP address (Medium)
More detailed information on each of the vulnerabilities can be found in [November 2022 Security Releases](https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/) blog post.
##### Commits
- \[[`9ffddd7098`](https://redirect.github.com/nodejs/node/commit/9ffddd7098)] - **inspector**: harden IP address validation again (Tobias Nießen) [nodejs-private/node-private#354](https://redirect.github.com/nodejs-private/node-private/pull/354)
### [`v16.18.0`](https://redirect.github.com/nodejs/node/releases/tag/v16.18.0): 2022-10-12, Version 16.18.0 'Gallium' (LTS), @juanarbol
[Compare Source](https://redirect.github.com/nodejs/node/compare/v16.17.1...v16.18.0)
##### Notable changes
- \[[`1cc050eaa8`](https://redirect.github.com/nodejs/node/commit/1cc050eaa8)] - **(SEMVER-MINOR)** **assert**: add `getCalls` and `reset` to callTracker (Moshe Atlow) [#44191](https://redirect.github.com/nodejs/node/pull/44191)
- \[[`e5c9975f11`](https://redirect.github.com/nodejs/node/commit/e5c9975f11)] - **(SEMVER-MINOR)** **crypto**: allow zero-length secret KeyObject (Filip Skokan) [#44201](https://redirect.github.com/nodejs/node/pull/44201)
- \[[`317cd051ce`](https://redirect.github.com/nodejs/node/commit/317cd051ce)] - **(SEMVER-MINOR)** **crypto**: allow zero-length IKM in HKDF and in webcrypto PBKDF2 (Filip Skokan) [#44201](https://redirect.github.com/nodejs/node/pull/44201)
- \[[`f80bdc5ef3`](https://redirect.github.com/nodejs/node/commit/f80bdc5ef3)] - **(SEMVER-MINOR)** **doc**: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) [#44588](https://redirect.github.com/nodejs/node/pull/44588)
- \[[`8398e98b1b`](https://redirect.github.com/nodejs/node/commit/8398e98b1b)] - **(SEMVER-MINOR)** **http**: make idle http parser count configurable (theanarkh) [#43974](https://redirect.github.com/nodejs/node/pull/43974)
- \[[`2cd2f56962`](https://redirect.github.com/nodejs/node/commit/2cd2f56962)] - **(SEMVER-MINOR)** **http**: throw error on content-length mismatch (sidwebworks) [#44378](https://redirect.github.com/nodejs/node/pull/44378)
- \[[`6be761e8a9`](https://redirect.github.com/nodejs/node/commit/6be761e8a9)] - **(SEMVER-MINOR)** **lib**: add diagnostics channel for process and worker (theanarkh) [#44045](https://redirect.github.com/nodejs/node/pull/44045)
- \[[`1400796cef`](https://redirect.github.com/nodejs/node/commit/1400796cef)] - **(SEMVER-MINOR)** **net,tls**: pass a valid socket on `tlsClientError` (Daeyeon Jeong) [#44021](https://redirect.github.com/nodejs/node/pull/44021)
- \[[`092239a7f1`](https://redirect.github.com/nodejs/node/commit/092239a7f1)] - **(SEMVER-MINOR)** **net**: add local family (theanarkh) [#43975](https://redirect.github.com/nodejs/node/pull/43975)
- \[[`381e11e18e`](https://redirect.github.com/nodejs/node/commit/381e11e18e)] - **(SEMVER-MINOR)** **report**: expose report public native apis (Chengzhong Wu) [#44255](https://redirect.github.com/nodejs/node/pull/44255)
- \[[`2ba547aa5b`](https://redirect.github.com/nodejs/node/commit/2ba547aa5b)] - **(SEMVER-MINOR)** **src**: expose environment RequestInterrupt api (Chengzhong Wu) [#44362](https://redirect.github.com/nodejs/node/pull/44362)
- \[[`6ed3367155`](https://redirect.github.com/nodejs/node/commit/6ed3367155)] - **(SEMVER-MINOR)** **stream**: add `ReadableByteStream.tee()` (Daeyeon Jeong) [#44505](https://redirect.github.com/nodejs/node/pull/44505)
- \[[`0fbedac6ce`](https://redirect.github.com/nodejs/node/commit/0fbedac6ce)] - **(SEMVER-MINOR)** **test_runner**: add before/after/each hooks (Moshe Atlow) [#43730](https://redirect.github.com/nodejs/node/pull/43730)
- \[[`70563b53c5`](https://redirect.github.com/nodejs/node/commit/70563b53c5)] - **(SEMVER-MINOR)** **util**: add `maxArrayLength` option to Set and Map (Kohei Ueno) [#43576](https://redirect.github.com/nodejs/node/pull/43576)
##### Commits
- \[[`1cc050eaa8`](https://redirect.github.com/nodejs/node/commit/1cc050eaa8)] - **(SEMVER-MINOR)** **assert**: add `getCalls` and `reset` to callTracker (Moshe Atlow) [#44191](https://redirect.github.com/nodejs/node/pull/44191)
- \[[`2e87cdd1e6`](https://redirect.github.com/nodejs/node/commit/2e87cdd1e6)] - **benchmark**: fix startup benchmark (Evan Lucas) [#44727](https://redirect.github.com/nodejs/node/pull/44727)
- \[[`29c0f9ef30`](https://redirect.github.com/nodejs/node/commit/29c0f9ef30)] - **benchmark**: add stream destroy benchmark (SindreXie) [#44533](https://redirect.github.com/nodejs/node/pull/44533)
- \[[`f01bb58c1e`](https://redirect.github.com/nodejs/node/commit/f01bb58c1e)] - **bootstrap**: update comments in bootstrap/node.js (Joyee Cheung) [#44726](https://redirect.github.com/nodejs/node/pull/44726)
- \[[`db151e182f`](https://redirect.github.com/nodejs/node/commit/db151e182f)] - **bootstrap**: stop delaying instantiation of maps in per-context scripts (Darshan Sen) [#42934](https://redirect.github.com/nodejs/node/pull/42934)
- \[[`f700074c57`](https://redirect.github.com/nodejs/node/commit/f700074c57)] - **buffer**: fix `atob` input validation (Austin Kelleher) [#42662](https://redirect.github.com/nodejs/node/pull/42662)
- \[[`e10095a759`](https://redirect.github.com/nodejs/node/commit/e10095a759)] - **build**: update timezone-update.yml (Alex) [#44717](https://redirect.github.com/nodejs/node/pull/44717)
- \[[`bec2ede687`](https://redirect.github.com/nodejs/node/commit/bec2ede687)] - **build**: remove redundant entry in crypto (Jiawen Geng) [#44604](https://redirect.github.com/nodejs/node/pull/44604)
- \[[`7b3a2c3353`](https://redirect.github.com/nodejs/node/commit/7b3a2c3353)] - **build**: rewritten the Android build system (BuShe Pie) [#44207](https://redirect.github.com/nodejs/node/pull/44207)
- \[[`e96bb14942`](https://redirect.github.com/nodejs/node/commit/e96bb14942)] - **build**: add --libdir flag to configure (Stephen Gallagher) [#44361](https://redirect.github.com/nodejs/node/pull/44361)
- \[[`2a4491b34d`](https://redirect.github.com/nodejs/node/commit/2a4491b34d)] - **build**: added NINJA env to customize ninja binary (Jeff Dickey) [#44293](https://redirect.github.com/nodejs/node/pull/44293)
- \[[`aaad7a64b4`](https://redirect.github.com/nodejs/node/commit/aaad7a64b4)] - **build**: enable pointer authentication for branch protection on arm64 (Jeremiah Gowdy) [#43200](https://redirect.github.com/nodejs/node/pull/43200)
- \[[`041bb54143`](https://redirect.github.com/nodejs/node/commit/041bb54143)] - **build**: add workflow to label flaky-test platform (Rafael Gonzaga) [#44042](https://redirect.github.com/nodejs/node/pull/44042)
- \[[`58d85c1109`](https://redirect.github.com/nodejs/node/commit/58d85c1109)] - **build**: optimized and fixed building configuration to Android (BuShe) [#44016](https://redirect.github.com/nodejs/node/pull/44016)
- \[[`5cd8b7bc8b`](https://redirect.github.com/nodejs/node/commit/5cd8b7bc8b)] - **build**: allow test-internet on forks if not scheduled (Rich Trott) [#44073](https://redirect.github.com/nodejs/node/pull/44073)
- \[[`9698be9347`](https://redirect.github.com/nodejs/node/commit/9698be9347)] - **build**: skip test-internet run on forks (Rich Trott) [#44054](https://redirect.github.com/nodejs/node/pull/44054)
- \[[`25e6f48e4a`](https://redirect.github.com/nodejs/node/commit/25e6f48e4a)] - **child_process**: remove lookup of undefined property (Colin Ihrig) [#44766](https://redirect.github.com/nodejs/node/pull/44766)
- \[[`a3bdd07321`](https://redirect.github.com/nodejs/node/commit/a3bdd07321)] - **cluster**: fix cluster rr distribute error (theanarkh) [#44202](https://redirect.github.com/nodejs/node/pull/44202)
- \[[`317cd051ce`](https://redirect.github.com/nodejs/node/commit/317cd051ce)] - **(SEMVER-MINOR)** **crypto**: allow zero-length IKM in HKDF and in webcrypto PBKDF2 (Filip Skokan) [#44201](https://redirect.github.com/nodejs/node/pull/44201)
- \[[`e5c9975f11`](https://redirect.github.com/nodejs/node/commit/e5c9975f11)] - **(SEMVER-MINOR)** **crypto**: allow zero-length secret KeyObject (Filip Skokan) [#44201](https://redirect.github.com/nodejs/node/pull/44201)
- \[[`7e705d8d74`](https://redirect.github.com/nodejs/node/commit/7e705d8d74)] - **crypto**: fix webcrypto deriveBits validations (Filip Skokan) [#44173](https://redirect.github.com/nodejs/node/pull/44173)
- \[[`7ad2a268b9`](https://redirect.github.com/nodejs/node/commit/7ad2a268b9)] - **crypto**: fix webcrypto EC key namedCurve validation errors (Filip Skokan) [#44172](https://redirect.github.com/nodejs/node/pull/44172)
- \[[`2c938d73ff`](https://redirect.github.com/nodejs/node/commit/2c938d73ff)] - **crypto**: fix webcrypto operation errors to be OperationError (Filip Skokan) [#44171](https://redirect.github.com/nodejs/node/pull/44171)
- \[[`a6e2cb40a6`](https://redirect.github.com/nodejs/node/commit/a6e2cb40a6)] - **crypto**: fix webcrypto generateKey() AES key length validation error (Filip Skokan) [#44170](https://redirect.github.com/nodejs/node/pull/44170)
- \[[`7e07cce24b`](https://redirect.github.com/nodejs/node/commit/7e07cce24b)] - **crypto**: use EVP_PKEY_CTX_set_dsa_paramgen_q_bits when available (David Benjamin) [#44561](https://redirect.github.com/nodejs/node/pull/44561)
- \[[`1fc6394741`](https://redirect.github.com/nodejs/node/commit/1fc6394741)] - **crypto**: restrict PBKDF2 args to signed int (Tobias Nießen) [#44575](https://redirect.github.com/nodejs/node/pull/44575)
- \[[`9a52ee7577`](https://redirect.github.com/nodejs/node/commit/9a52ee7577)] - **crypto**: handle invalid prepareAsymmetricKey JWK inputs (Filip Skokan) [#44475](https://redirect.github.com/nodejs/node/pull/44475)
- \[[`7100baee40`](https://redirect.github.com/nodejs/node/commit/7100baee40)] - **crypto**: use actual option name in error message (Tobias Nießen) [#44455](https://redirect.github.com/nodejs/node/pull/44455)
- \[[`579e066c3a`](https://redirect.github.com/nodejs/node/commit/579e066c3a)] - **crypto**: add digest name to INVALID_DIGEST errors (Tobias Nießen) [#44468](https://redirect.github.com/nodejs/node/pull/44468)
- \[[`566d80f622`](https://redirect.github.com/nodejs/node/commit/566d80f622)] - **crypto**: improve RSA-PSS digest error messages (Tobias Nießen) [#44307](https://redirect.github.com/nodejs/node/pull/44307)
- \[[`f717c1e06a`](https://redirect.github.com/nodejs/node/commit/f717c1e06a)] - **debugger**: decrease timeout used to wait for the port to be free (Joyee Cheung) [#44359](https://redirect.github.com/nodejs/node/pull/44359)
- \[[`0f2fcaf771`](https://redirect.github.com/nodejs/node/commit/0f2fcaf771)] - **deps**: update to ngtcp2 0.8.1 and nghttp3 0.7.0 (Tobias Nießen) [#44622](https://redirect.github.com/nodejs/node/pull/44622)
- \[[`1a8aada69d`](https://redirect.github.com/nodejs/node/commit/1a8aada69d)] - **deps**: update corepack to 0.14.1 (Node.js GitHub Bot) [#44704](https://redirect.github.com/nodejs/node/pull/44704)
- \[[`e4f18b4f34`](https://redirect.github.com/nodejs/node/commit/e4f18b4f34)] - **deps**: update ngtcp2 update instructions (Tobias Nießen) [#44619](https://redirect.github.com/nodejs/node/pull/44619)
- \[[`21b5ab1494`](https://redirect.github.com/nodejs/node/commit/21b5ab1494)] - **deps**: upgrade npm to 8.19.2 (npm team) [#44632](https://redirect.github.com/nodejs/node/pull/44632)
- \[[`916b319e7a`](https://redirect.github.com/nodejs/node/commit/916b319e7a)] - **deps**: update to uvwasi 0.0.13 (Colin Ihrig) [#44524](https://redirect.github.com/nodejs/node/pull/44524)
- \[[`67cbbcc902`](https://redirect.github.com/nodejs/node/commit/67cbbcc902)] - **deps**: update corepack to 0.14.0 (Node.js GitHub Bot) [#44509](https://redirect.github.com/nodejs/node/pull/44509)
- \[[`9f14dc1a8f`](https://redirect.github.com/nodejs/node/commit/9f14dc1a8f)] - **deps**: update Acorn to v8.8.0 (Michaël Zasso) [#44437](https://redirect.github.com/nodejs/node/pull/44437)
- \[[`1811a6aaa8`](https://redirect.github.com/nodejs/node/commit/1811a6aaa8)] - **deps**: update icu tzdata to 2022b (Matías Zúñiga) [#44283](https://redirect.github.com/nodejs/node/pull/44283)
- \[[`0c4953cbd1`](https://redirect.github.com/nodejs/node/commit/0c4953cbd1)] - **deps**: update undici to 5.9.1 (Node.js GitHub Bot) [#44319](https://redirect.github.com/nodejs/node/pull/44319)
- \[[`8a921fea74`](https://redirect.github.com/nodejs/node/commit/8a921fea74)] - **deps**: upgrade npm to 8.19.1 (npm team) [#44486](https://redirect.github.com/nodejs/node/pull/44486)
- \[[`763a63c14b`](https://redirect.github.com/nodejs/node/commit/763a63c14b)] - **deps**: update corepack to 0.13.0 (Node.js GitHub Bot) [#44318](https://redirect.github.com/nodejs/node/pull/44318)
- \[[`fdb699c84a`](https://redirect.github.com/nodejs/node/commit/fdb699c84a)] - **deps**: upgrade npm to 8.18.0 (npm team) [#44263](https://redirect.github.com/nodejs/node/pull/44263)
- \[[`2a44872f96`](https://redirect.github.com/nodejs/node/commit/2a44872f96)] - **deps**: update corepack to 0.12.3 (Node.js GitHub Bot) [#44229](https://redirect.github.com/nodejs/node/pull/44229)
- \[[`48967e4b34`](https://redirect.github.com/nodejs/node/commit/48967e4b34)] - **deps**: upgrade npm to 8.17.0 (npm team) [#44205](https://redirect.github.com/nodejs/node/pull/44205)
- \[[`0484122f71`](https://redirect.github.com/nodejs/node/commit/0484122f71)] - **deps**: update undici to 5.8.2 (Node.js GitHub Bot) [#44187](https://redirect.github.com/nodejs/node/pull/44187)
- \[[`e404ac7eed`](https://redirect.github.com/nodejs/node/commit/e404ac7eed)] - **deps**: update undici to 5.8.1 (Node.js GitHub Bot) [#44158](https://redirect.github.com/nodejs/node/pull/44158)
- \[[`9a5ee5e9e3`](https://redirect.github.com/nodejs/node/commit/9a5ee5e9e3)] - **deps**: update corepack to 0.12.2 (Node.js GitHub Bot) [#44159](https://redirect.github.com/nodejs/node/pull/44159)
- \[[`3657cb277b`](https://redirect.github.com/nodejs/node/commit/3657cb277b)] - **deps**: remove unnecessary file (Brian White) [#44133](https://redirect.github.com/nodejs/node/pull/44133)
- \[[`d66a807596`](https://redirect.github.com/nodejs/node/commit/d66a807596)] - **deps**: upgrade npm to 8.16.0 (npm team) [#44119](https://redirect.github.com/nodejs/node/pull/44119)
- \[[`ec998be61c`](https://redirect.github.com/nodejs/node/commit/ec998be61c)] - **deps**: upgrade npm to 8.15.1 (npm team) [#44013](https://redirect.github.com/nodejs/node/pull/44013)
- \[[`e9e856ae95`](https://redirect.github.com/nodejs/node/commit/e9e856ae95)] - **deps**: upgrade base64 to [`dc6a41c`](https://redirect.github.com/nodejs/node/commit/dc6a41ce36e) (Brian White) [#44032](https://redirect.github.com/nodejs/node/pull/44032)
- \[[`8ea9a71b15`](https://redirect.github.com/nodejs/node/commit/8ea9a71b15)] - **deps,src**: use SIMD for normal base64 encoding (Brian White) [#39775](https://redirect.github.com/nodejs/node/pull/39775)
- \[[`969a12be4b`](https://redirect.github.com/nodejs/node/commit/969a12be4b)] - **doc**: remove "currently" and comma splice from child_process.md (Rich Trott) [#44789](https://redirect.github.com/nodejs/node/pull/44789)
- \[[`5e4a2e94a1`](https://redirect.github.com/nodejs/node/commit/5e4a2e94a1)] - **doc**: mention git node backport (RafaelGSS) [#44764](https://redirect.github.com/nodejs/node/pull/44764)
- \[[`618c9c8260`](https://redirect.github.com/nodejs/node/commit/618c9c8260)] - **doc**: ensure to revert node_version changes (Rafael Gonzaga) [#44760](https://redirect.github.com/nodejs/node/pull/44760)
- \[[`e0fe11c189`](https://redirect.github.com/nodejs/node/commit/e0fe11c189)] - **doc**: fix description for `napi_get_cb_info()` in `n-api.md` (Daeyeon Jeong) [#44761](https://redirect.github.com/nodejs/node/pull/44761)
- \[[`895719da65`](https://redirect.github.com/nodejs/node/commit/895719da65)] - **doc**: fix v16.17.1 security release changelog (Ruy Adorno) [#44759](https://redirect.github.com/nodejs/node/pull/44759)
- \[[`fe832a0647`](https://redirect.github.com/nodejs/node/commit/fe832a0647)] - **doc**: update the deprecation for exit code to clarify its scope (Daeyeon Jeong) [#44714](https://redirect.github.com/nodejs/node/pull/44714)
- \[[`3872abd9a6`](https://redirect.github.com/nodejs/node/commit/3872abd9a6)] - **doc**: update guidance for adding new modules (Michael Dawson) [#44576](https://redirect.github.com/nodejs/node/pull/44576)
- \[[`f381a1e86a`](https://redirect.github.com/nodejs/node/commit/f381a1e86a)] - **doc**: add registry number for Electron 22 (Keeley Hammond) [#44748](https://redirect.github.com/nodejs/node/pull/44748)
- \[[`8d3cb6c08a`](https://redirect.github.com/nodejs/node/commit/8d3cb6c08a)] - **doc**: include code examples for webstreams consumers (Lucas Santos) [#44387](https://redirect.github.com/nodejs/node/pull/44387)
- \[[`9e83c00e0b`](https://redirect.github.com/nodejs/node/commit/9e83c00e0b)] - **doc**: mention where to push security commits (RafaelGSS) [#44691](https://redirect.github.com/nodejs/node/pull/44691)
- \[[`bc9f8d24ce`](https://redirect.github.com/nodejs/node/commit/bc9f8d24ce)] - **doc**: remove extra space on threadpool usage (Connor Burton) [#44734](https://redirect.github.com/nodejs/node/pull/44734)
- \[[`3e38ba53cc`](https://redirect.github.com/nodejs/node/commit/3e38ba53cc)] - **doc**: make legacy banner slightly less bright (Rich Trott) [#44665](https://redirect.github.com/nodejs/node/pull/44665)
- \[[`0f88588f52`](https://redirect.github.com/nodejs/node/commit/0f88588f52)] - **doc**: improve building doc for Windows Powershell (Brian Muenzenmeyer) [#44625](https://redirect.github.com/nodejs/node/pull/44625)
- \[[`5ee0127540`](https://redirect.github.com/nodejs/node/commit/5ee0127540)] - **doc**: maintain only one list of MODP groups (Tobias Nießen) [#44644](https://redirect.github.com/nodejs/node/pull/44644)
- \[[`6881ecb0e2`](https://redirect.github.com/nodejs/node/commit/6881ecb0e2)] - **doc**: add legendecas to TSC list (Michael Dawson) [#44662](https://redirect.github.com/nodejs/node/pull/44662)
- \[[`3614f5ace3`](https://redirect.github.com/nodejs/node/commit/3614f5ace3)] - **doc**: remove comma in README.md (Taha-Chaudhry) [#44599](https://redirect.github.com/nodejs/node/pull/44599)
- \[[`c9af43616c`](https://redirect.github.com/nodejs/node/commit/c9af43616c)] - **doc**: use serial comma in report docs (Daeyeon Jeong) [#44608](https://redirect.github.com/nodejs/node/pull/44608)
- \[[`ff9ef61646`](https://redirect.github.com/nodejs/node/commit/ff9ef61646)] - **doc**: use serial comma in stream docs (Daeyeon Jeong) [#44609](https://redirect.github.com/nodejs/node/pull/44609)
- \[[`90eaae3ef1`](https://redirect.github.com/nodejs/node/commit/90eaae3ef1)] - **doc**: remove empty line in YAML block (Claudio Wunder) [#44617](https://redirect.github.com/nodejs/node/pull/44617)
- \[[`f80bdc5ef3`](https://redirect.github.com/nodejs/node/commit/f80bdc5ef3)] - **(SEMVER-MINOR)** **doc**: deprecate modp1, modp2, and modp5 groups (Tobias Nießen) [#44588](https://redirect.github.com/nodejs/node/pull/44588)
- \[[`9fac6dd1c1`](https://redirect.github.com/nodejs/node/commit/9fac6dd1c1)] - **doc**: remove old OpenSSL ENGINE constants (Tobias Nießen) [#44589](https://redirect.github.com/nodejs/node/pull/44589)
- \[[`53543c6d81`](https://redirect.github.com/nodejs/node/commit/53543c6d81)] - **doc**: fix heading levels for test runner hooks (Fabian Meyer) [#44603](https://redirect.github.com/nodejs/node/pull/44603)
- \[[`2084ad61a7`](https://redirect.github.com/nodejs/node/commit/2084ad61a7)] - **doc**: fix errors in http.md (Luigi Pinca) [#44587](https://redirect.github.com/nodejs/node/pull/44587)
- \[[`cc55e84ddc`](https://redirect.github.com/nodejs/node/commit/cc55e84ddc)] - **doc**: fix vm.Script createCachedData example (Chengzhong Wu) [#44487](https://redirect.github.com/nodejs/node/pull/44487)
- \[[`8187f03834`](https://redirect.github.com/nodejs/node/commit/8187f03834)] - **doc**: mention how to get commit release (Rafael Gonzaga) [#44572](https://redirect.github.com/nodejs/node/pull/44572)
- \[[`d068978933`](https://redirect.github.com/nodejs/node/commit/d068978933)] - **doc**: fix link in `process.md` (Antoine du Hamel) [#44594](https://redirect.github.com/nodejs/node/pull/44594)
- \[[`0747facb63`](https://redirect.github.com/nodejs/node/commit/0747facb63)] - **doc**: do not use weak MODP group in example (Tobias Nießen) [#44585](https://redirect.github.com/nodejs/node/pull/44585)
- \[[`e26d95ef9a`](https://redirect.github.com/nodejs/node/commit/e26d95ef9a)] - **doc**: remove ebpf from supported tooling list (Rafael Gonzaga) [#44549](https://redirect.github.com/nodejs/node/pull/44549)
- \[[`9d24c7a8c7`](https://redirect.github.com/nodejs/node/commit/9d24c7a8c7)] - **doc**: emphasize that createCipher is never secure (Tobias Nießen) [#44538](https://redirect.github.com/nodejs/node/pull/44538)
- \[[`6d881b8611`](https://redirect.github.com/nodejs/node/commit/6d881b8611)] - **doc**: document attribute Script.cachedDataRejected (Chengzhong Wu) [#44451](https://redirect.github.com/nodejs/node/pull/44451)
- \[[`d846e5bac5`](https://redirect.github.com/nodejs/node/commit/d846e5bac5)] - **doc**: move policy docs to the permissions scope (Rafael Gonzaga) [#44222](https://redirect.github.com/nodejs/node/pull/44222)
- \[[`5c721a33c3`](https://redirect.github.com/nodejs/node/commit/5c721a33c3)] - **doc**: add performance note to `--enable-source-maps` docs (Saurabh Daware) [#43817](https://redirect.github.com/nodejs/node/pull/43817)
- \[[`1998bc80b5`](https://redirect.github.com/nodejs/node/commit/1998bc80b5)] - **doc**: fix release guide example consistency (Ruy Adorno) [#44385](https://redirect.github.com/nodejs/node/pull/44385)
- \[[`7b691729b1`](https://redirect.github.com/nodejs/node/commit/7b691729b1)] - **doc**: note on release guide to update `main` branch (Ruy Adorno) [#44384](https://redirect.github.com/nodejs/node/pull/44384)
- \[[`7ec097fa99`](https://redirect.github.com/nodejs/node/commit/7ec097fa99)] - **doc**: mention cherry-pick edge-case on release (RafaelGSS) [#44408](https://redirect.github.com/nodejs/node/pull/44408)
- \[[`4a4025181c`](https://redirect.github.com/nodejs/node/commit/4a4025181c)] - **doc**: fix spacing issue in `--build-snapshot` help text (Shohei YOSHIDA) [#44435](https://redirect.github.com/nodejs/node/pull/44435)
- \[[`a5906a09dc`](https://redirect.github.com/nodejs/node/commit/a5906a09dc)] - **doc**: apply scroll-margin-top to h2, h3 elements (metonym) [#44414](https://redirect.github.com/nodejs/node/pull/44414)
- \[[`0e99139df4`](https://redirect.github.com/nodejs/node/commit/0e99139df4)] - **doc**: use serial comma in addons docs (Tobias Nießen) [#44482](https://redirect.github.com/nodejs/node/pull/44482)
- \[[`8ea3e6f839`](https://redirect.github.com/nodejs/node/commit/8ea3e6f839)] - **doc**: do not use "Returns:" for crypto.constants (Tobias Nießen) [#44481](https://redirect.github.com/nodejs/node/pull/44481)
- \[[`a1dbe4bc79`](https://redirect.github.com/nodejs/node/commit/a1dbe4bc79)] - **doc**: add history for net.createServer() options (Luigi Pinca) [#44326](https://redirect.github.com/nodejs/node/pull/44326)
- \[[`eb90d650d4`](https://redirect.github.com/nodejs/node/commit/eb90d650d4)] - **doc**: fix typo in test runner code examples (Moshe Atlow) [#44351](https://redirect.github.com/nodejs/node/pull/44351)
- \[[`17c5b978a5`](https://redirect.github.com/nodejs/node/commit/17c5b978a5)] - **doc**: add daeyeon to collaborators (Daeyeon Jeong) [#44355](https://redirect.github.com/nodejs/node/pull/44355)
- \[[`c1458063ee`](https://redirect.github.com/nodejs/node/commit/c1458063ee)] - **doc**: fix style of n-api.md (theanarkh) [#44377](https://redirect.github.com/nodejs/node/pull/44377)
- \[[`cf60c6bc74`](https://redirect.github.com/nodejs/node/commit/cf60c6bc74)] - **doc**: add missing imports in events sample code (Brian Evans) [#44337](https://redirect.github.com/nodejs/node/pull/44337)
- \[[`89e5ac9676`](https://redirect.github.com/nodejs/node/commit/89e5ac9676)] - **doc**: add missing parenthesis in TLSSocket section (Tobias Nießen) [#44512](https://redirect.github.com/nodejs/node/pull/44512)
- \[[`5ac344b2a2`](https://redirect.github.com/nodejs/node/commit/5ac344b2a2)] - **doc**: fix optionality of callback arg of checkPrime (Tobias Nießen) [#44311](https://redirect.github.com/nodejs/node/pull/44311)
- \[[`87cc487e28`](https://redirect.github.com/nodejs/node/commit/87cc487e28)] - **doc**: fix typo (Hana) [#44262](https://redirect.github.com/nodejs/node/pull/44262)
- \[[`5978eb1ae8`](https://redirect.github.com/nodejs/node/commit/5978eb1ae8)] - **doc**: add TypeScript execution requirements (Michael Dawson) [#44030](https://redirect.github.com/nodejs/node/pull/44030)
- \[[`42948364e2`](https://redirect.github.com/nodejs/node/commit/42948364e2)] - **doc**: add cola119 to collaborators (cola119) [#44248](https://redirect.github.com/nodejs/node/pull/44248)
- \[[`6196bcedd0`](https://redirect.github.com/nodejs/node/commit/6196bcedd0)] - **doc**: improved building doc for Android (BuShe) [#44166](https://redirect.github.com/nodejs/node/pull/44166)
- \[[`afe6c87bb5`](https://redirect.github.com/nodejs/node/commit/afe6c87bb5)] - **doc**: add MoLow to collaborators (Moshe Atlow) [#44214](https://redirect.github.com/nodejs/node/pull/44214)
- \[[`82ff3dabc5`](https://redirect.github.com/nodejs/node/commit/82ff3dabc5)] - **doc**: update tags in adding-new-napi-api.md (Chengzhong Wu) [#44190](https://redirect.github.com/nodejs/node/pull/44190)
- \[[`16d6d45ee8`](https://redirect.github.com/nodejs/node/commit/16d6d45ee8)] -
Configuration
📅 Schedule: Branch creation - "after 10:30 before 18:00 every weekday except after 13:00 before 14:00" in timezone America/Lima, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
12.22.7
->16.20.2
^13.13.50
->^16.18.113
:warning: MAJOR MAJOR MAJOR :warning:
Release Notes
nodejs/node (node)
### [`v16.20.2`](https://redirect.github.com/nodejs/node/releases/tag/v16.20.2): 2023-08-09, Version 16.20.2 'Gallium' (LTS), @RafaelGSS [Compare Source](https://redirect.github.com/nodejs/node/compare/v16.20.1...v16.20.2) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002): Policies can be bypassed via Module.\_load (High) - [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium) - [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium) - OpenSSL Security Releases - [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html). - [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html). - [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html) More detailed information on each of the vulnerabilities can be found in [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post. ##### Commits - \[[`40c3958a5a`](https://redirect.github.com/nodejs/node/commit/40c3958a5a)] - **deps**: update archs files for OpenSSL-1.1.1v (RafaelGSS) [#49043](https://redirect.github.com/nodejs/node/pull/49043) - \[[`a9ac9da89a`](https://redirect.github.com/nodejs/node/commit/a9ac9da89a)] - **deps**: fix openssl crypto clean (RafaelGSS) [#49043](https://redirect.github.com/nodejs/node/pull/49043) - \[[`362d4c7494`](https://redirect.github.com/nodejs/node/commit/362d4c7494)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1v (RafaelGSS) [#49043](https://redirect.github.com/nodejs/node/pull/49043) - \[[`d8ccfe9ad4`](https://redirect.github.com/nodejs/node/commit/d8ccfe9ad4)] - **policy**: handle Module.constructor and main.extensions bypass (RafaelGSS) [nodejs-private/node-private#445](https://redirect.github.com/nodejs-private/node-private/pull/445) - \[[`242aaa0caa`](https://redirect.github.com/nodejs/node/commit/242aaa0caa)] - **policy**: disable process.binding() when enabled (Tobias Nießen) [nodejs-private/node-private#459](https://redirect.github.com/nodejs-private/node-private/pull/459) ### [`v16.20.1`](https://redirect.github.com/nodejs/node/releases/tag/v16.20.1): 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS [Compare Source](https://redirect.github.com/nodejs/node/compare/v16.20.0...v16.20.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - [CVE-2023-30581](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30581): `mainModule.__proto__` Bypass Experimental Policy Mechanism (High) - [CVE-2023-30585](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30585): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) - [CVE-2023-30588](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30588): Process interuption due to invalid Public Key information in x509 certificates (Medium) - [CVE-2023-30589](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30589): HTTP Request Smuggling via Empty headers separated by CR (Medium) - [CVE-2023-30590](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30590): DiffieHellman does not generate keys after setting a private key (Medium) - OpenSSL Security Releases - [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt). - [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt). - [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt) - c-ares vulnerabilities: - [GHSA-9g78-jv2r-p7vc](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-9g78-jv2r-p7vc) - [GHSA-8r8p-23f3-64c2](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2) - [GHSA-54xr-f67r-4pc4](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-54xr-f67r-4pc4) - [GHSA-x6mf-cxr9-8q6v](https://redirect.github.com/c-ares/c-ares/security/advisories/GHSA-x6mf-cxr9-8q6v) More detailed information on each of the vulnerabilities can be found in [June 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/june-2023-security-releases/) blog post. ##### Commits - \[[`5a92ea7a3b`](https://redirect.github.com/nodejs/node/commit/5a92ea7a3b)] - **crypto**: handle cert with invalid SPKI gracefully (Tobias Nießen) - \[[`5df04e893a`](https://redirect.github.com/nodejs/node/commit/5df04e893a)] - **deps**: set `CARES_RANDOM_FILE` for c-ares (Richard Lau) [#48156](https://redirect.github.com/nodejs/node/pull/48156) - \[[`c171cbd124`](https://redirect.github.com/nodejs/node/commit/c171cbd124)] - **deps**: update c-ares to 1.19.1 (RafaelGSS) [#48115](https://redirect.github.com/nodejs/node/pull/48115) - \[[`155d3aac02`](https://redirect.github.com/nodejs/node/commit/155d3aac02)] - **deps**: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) [#48369](https://redirect.github.com/nodejs/node/pull/48369) - \[[`8d4c8f8ebe`](https://redirect.github.com/nodejs/node/commit/8d4c8f8ebe)] - **deps**: upgrade openssl sources to OpenSSL\_1\_1\_1u (RafaelGSS) [#48369](https://redirect.github.com/nodejs/node/pull/48369) - \[[`1a5c9284eb`](https://redirect.github.com/nodejs/node/commit/1a5c9284eb)] - **doc,test**: clarify behavior of DH generateKeys (Tobias Nießen) [nodejs-private/node-private#426](https://redirect.github.com/nodejs-private/node-private/pull/426) - \[[`e42ff4b018`](https://redirect.github.com/nodejs/node/commit/e42ff4b018)] - **http**: disable request smuggling via empty headers (Paolo Insogna) [nodejs-private/node-private#429](https://redirect.github.com/nodejs-private/node-private/pull/429) - \[[`10042683c8`](https://redirect.github.com/nodejs/node/commit/10042683c8)] - **msi**: do not create AppData\Roaming\npm (Tobias Nießen) [nodejs-private/node-private#408](https://redirect.github.com/nodejs-private/node-private/pull/408) - \[[`a6f4e87bc9`](https://redirect.github.com/nodejs/node/commit/a6f4e87bc9)] - **policy**: handle mainModule.\__proto\_\_ bypass (RafaelGSS) [nodejs-private/node-private#416](https://redirect.github.com/nodejs-private/node-private/pull/416) - \[[`b77000f4d7`](https://redirect.github.com/nodejs/node/commit/b77000f4d7)] - **test**: allow SIGBUS in signal-handler abort test (Michaël Zasso) [#47851](https://redirect.github.com/nodejs/node/pull/47851) ### [`v16.20.0`](https://redirect.github.com/nodejs/node/releases/tag/v16.20.0): 2023-03-29, Version 16.20.0 'Gallium' (LTS), @BethGriggs [Compare Source](https://redirect.github.com/nodejs/node/compare/v16.19.1...v16.20.0) ##### Notable Changes - **deps:** - update undici to 5.20.0 (Node.js GitHub Bot) [#46711](https://redirect.github.com/nodejs/node/pull/46711) - update c-ares to 1.19.0 (Michaël Zasso) [#46415](https://redirect.github.com/nodejs/node/pull/46415) - upgrade npm to 8.19.4 (npm team) [#46677](https://redirect.github.com/nodejs/node/pull/46677) - update corepack to 0.17.0 (Node.js GitHub Bot) [#46842](https://redirect.github.com/nodejs/node/pull/46842) - **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#44376](https://redirect.github.com/nodejs/node/pull/44376) ##### Commits - \[[`de6dd67790`](https://redirect.github.com/nodejs/node/commit/de6dd67790)] - **crypto**: avoid hang when no algorithm available (Richard Lau) [#46237](https://redirect.github.com/nodejs/node/pull/46237) - \[[`4617512788`](https://redirect.github.com/nodejs/node/commit/4617512788)] - **crypto**: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) [#46185](https://redirect.github.com/nodejs/node/pull/46185) - \[[`24972164fc`](https://redirect.github.com/nodejs/node/commit/24972164fc)] - **deps**: update undici to 5.20.0 (Node.js GitHub Bot) [#46711](https://redirect.github.com/nodejs/node/pull/46711) - \[[`85f88c6a8d`](https://redirect.github.com/nodejs/node/commit/85f88c6a8d)] - **deps**: V8: cherry-pick [`90be99f`](https://redirect.github.com/nodejs/node/commit/90be99fab31c) (Michaël Zasso) [#46646](https://redirect.github.com/nodejs/node/pull/46646) - \[[`b4ebe6d47b`](https://redirect.github.com/nodejs/node/commit/b4ebe6d47b)] - **deps**: update c-ares to 1.19.0 (Michaël Zasso) [#46415](https://redirect.github.com/nodejs/node/pull/46415) - \[[`56cbc7fdda`](https://redirect.github.com/nodejs/node/commit/56cbc7fdda)] - **deps**: V8: cherry-pick [`c2792e5`](https://redirect.github.com/nodejs/node/commit/c2792e58035f) (Jiawen Geng) [#44961](https://redirect.github.com/nodejs/node/pull/44961) - \[[`7af9bdb31e`](https://redirect.github.com/nodejs/node/commit/7af9bdb31e)] - **deps**: upgrade npm to 8.19.4 (npm team) [#46677](https://redirect.github.com/nodejs/node/pull/46677) - \[[`962a7471b5`](https://redirect.github.com/nodejs/node/commit/962a7471b5)] - **deps**: update corepack to 0.17.0 (Node.js GitHub Bot) [#46842](https://redirect.github.com/nodejs/node/pull/46842) - \[[`748bc96e35`](https://redirect.github.com/nodejs/node/commit/748bc96e35)] - **deps**: update corepack to 0.16.0 (Node.js GitHub Bot) [#46710](https://redirect.github.com/nodejs/node/pull/46710) - \[[`a467782499`](https://redirect.github.com/nodejs/node/commit/a467782499)] - **deps**: update corepack to 0.15.3 (Node.js GitHub Bot) [#46037](https://redirect.github.com/nodejs/node/pull/46037) - \[[`1913b6763d`](https://redirect.github.com/nodejs/node/commit/1913b6763d)] - **deps**: update corepack to 0.15.2 (Node.js GitHub Bot) [#45635](https://redirect.github.com/nodejs/node/pull/45635) - \[[`809371a15f`](https://redirect.github.com/nodejs/node/commit/809371a15f)] - **module**: require.resolve.paths returns null with node schema (MURAKAMI Masahiko) [#45147](https://redirect.github.com/nodejs/node/pull/45147) - \[[`086bb2f8d4`](https://redirect.github.com/nodejs/node/commit/086bb2f8d4)] - ***Revert*** "**src**: let http2 streams end after session close" (Rich Trott) [#46721](https://redirect.github.com/nodejs/node/pull/46721) - \[[`6a01d39120`](https://redirect.github.com/nodejs/node/commit/6a01d39120)] - **(SEMVER-MINOR)** **src**: add support for externally shared js builtins (Michael Dawson) [#44376](https://redirect.github.com/nodejs/node/pull/44376) - \[[`d081032a60`](https://redirect.github.com/nodejs/node/commit/d081032a60)] - **test**: fix test-net-connect-reset-until-connected (Vita Batrla) [#46781](https://redirect.github.com/nodejs/node/pull/46781) - \[[`efe1be47ec`](https://redirect.github.com/nodejs/node/commit/efe1be47ec)] - **test**: skip test depending on `overlapped-checker` when not available (Antoine du Hamel) [#45015](https://redirect.github.com/nodejs/node/pull/45015) - \[[`fc47d58abe`](https://redirect.github.com/nodejs/node/commit/fc47d58abe)] - **test**: remove cjs loader from stack traces (Geoffrey Booth) [#44197](https://redirect.github.com/nodejs/node/pull/44197) - \[[`cf76d0790d`](https://redirect.github.com/nodejs/node/commit/cf76d0790d)] - **test**: fix WPT title when no META title is present (Filip Skokan) [#46804](https://redirect.github.com/nodejs/node/pull/46804) - \[[`0d1485b924`](https://redirect.github.com/nodejs/node/commit/0d1485b924)] - **test**: fix default WPT titles (Filip Skokan) [#46778](https://redirect.github.com/nodejs/node/pull/46778) - \[[`088e9cde3d`](https://redirect.github.com/nodejs/node/commit/088e9cde3d)] - **test**: add WPTRunner support for variants and generating WPT reports (Filip Skokan) [#46498](https://redirect.github.com/nodejs/node/pull/46498) - \[[`908c4dff44`](https://redirect.github.com/nodejs/node/commit/908c4dff44)] - **test**: mark test-crypto-key-objects flaky on Linux (Richard Lau) [#46684](https://redirect.github.com/nodejs/node/pull/46684) - \[[`768e56227e`](https://redirect.github.com/nodejs/node/commit/768e56227e)] - **tools**: make `utils.SearchFiles` deterministic (Bruno Pitrus) [#44496](https://redirect.github.com/nodejs/node/pull/44496) ### [`v16.19.1`](https://redirect.github.com/nodejs/node/releases/tag/v16.19.1): 2023-02-16, Version 16.19.1 'Gallium' (LTS), @richardlau [Compare Source](https://redirect.github.com/nodejs/node/compare/v16.19.0...v16.19.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - **[CVE-2023-23918](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23918)**: Node.js Permissions policies can be bypassed via process.mainModule (High) - **[CVE-2023-23919](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23919)**: Node.js OpenSSL error handling issues in nodejs crypto library (Medium) - **[CVE-2023-23920](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23920)**: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low) Fixed by an update to undici: - **[CVE-2023-23936](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23936)**: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium) - SeeConfiguration
📅 Schedule: Branch creation - "after 10:30 before 18:00 every weekday except after 13:00 before 14:00" in timezone America/Lima, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.