Log message:
nodejs18: updated to 18.19.1

Version 18.19.1 'Hydrogen' (LTS)

Notable changes

CVE-2024-21892 - Code injection and privilege escalation through Linux \ 
capabilities- (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk \ 
extension allows DoS attacks- (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of \ 
the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli \ 
decoding - (Medium)
undici version 5.28.3
npm version 10.2.4

Log message:
nodejs18: updated to 18.19.0

Version 18.19.0 'Hydrogen' (LTS)

Notable Changes

npm updated to v10

After two months of baking time in Node.js 20, npm 10 is backported, so that all \ 
release lines include a supported version of npm. This release includes npm \ 
v10.2.3.

ESM and customization hook changes

Leverage loaders when resolving subsequent loaders

Loaders now apply to subsequent loaders, for example: --experimental-loader \ 
ts-node --experimental-loader loader-written-in-typescript.

New node:module API register for module customization hooks; new initialize hook

There is a new API register available on node:module to specify a file that \ 
exports module customization hooks, and pass data to the hooks, and establish \ 
communication channels with them. The “define the file with the hooks” part \ 
was previously handled by a flag --experimental-loader, but when the hooks moved \ 
into a dedicated thread in 20.0.0 there was a need to provide a way to \ 
communicate between the main (application) thread and the hooks thread. This can \ 
now be done by calling register from the main thread and passing data, including \ 
MessageChannel instances.

We encourage users to migrate to an approach that uses --import with register, \ 
such as:

node --import ./file-that-calls-register.js ./app.js
Using --import ensures that the customization hooks are registered before any \ 
application code runs, even the entry point.

import.meta.resolve unflagged

In ES modules, import.meta.resolve(specifier) can be used to get an absolute URL \ 
string to which specifier resolves, similar to require.resolve in CommonJS. This \ 
aligns Node.js with browsers and other server-side runtimes.

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default module \ 
system used by Node.js. Input that is already explicitly defined as ES modules \ 
or CommonJS, such as by a package.json "type" field or .mjs/.cjs file \ 
extension or the --input-type flag, is unaffected. What is currently implicitly \ 
CommonJS would instead be interpreted as ES modules under \ 
--experimental-default-type=module:

String input provided via --eval or STDIN, if --input-type is unspecified.

Files ending in .js or with no extension, if there is no package.json file \ 
present in the same folder or any parent folder.

Files ending in .js or with no extension, if the nearest parent package.json \ 
field lacks a type field; unless the folder is inside a node_modules folder.

In addition, extensionless files are interpreted as Wasm if \ 
--experimental-wasm-modules is passed and the file contains the "magic \ 
bytes" Wasm header.

Log message:
nodejs*: Consolidate and fix python includes.

Ensures that PYTHON_FOR_BUILD_ONLY is set prior to including pyversion.mk,
and ensures python and its dependencies are not buildlinked.

Log message:
*: recursive bump for icu 74.1

Log message:
nodejs18: allow build with Python 3.12

Log message:
*: bump for openssl 3

Log message:
nodejs18: updated to 18.18.2

Version 18.18.2 'Hydrogen' (LTS)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

* CVE-2023-44487: `nghttp2` Security Release (High)
* CVE-2023-45143: `undici` Security Release (High)
* CVE-2023-38552:  Integrity checks according to policies can be circumvented \ 
(Medium)
* CVE-2023-39333: Code injection via WebAssembly export names (Low)

Log message:
nodejs18: updated to 18.18.1

Version 18.18.1 'Hydrogen' (LTS)

Notable Changes

This release addresses some regressions that appeared in Node.js 18.18.0:

* (Windows) FS can not handle certain characters in file name
* 18 and 20 node images give error - Text file busy (after re-build images)
* libuv update in 18.18.0 breaks webpack's thread-loader

Log message:
nodejs18: updated to 18.18.0

Version 18.18.0 'Hydrogen' (LTS)

Notable Changes

- **build**: sync libuv header change (Jiawen Geng)
- **crypto**: update root certificates to NSS 3.93 (Node.js GitHub Bot)
- **crypto**: update root certificates to NSS 3.90 (Node.js GitHub Bot)
- **deps**: add missing thread-common.c in uv.gyp (Santiago Gimeno)
- **deps**: upgrade to libuv 1.46.0 (Santiago Gimeno)
- **deps**: upgrade to libuv 1.45.0 (Santiago Gimeno)
- **doc**: add atlowChemi to collaborators (atlowChemi)
- **doc**: add vmoroz to collaborators (Vladimir Morozov)
- **doc**: add kvakil to collaborators (Keyhan Vakil)
- **(SEMVER-MINOR)** **esm**: add `--import` flag (Moshe Atlow)
- **(SEMVER-MINOR)** **events**: allow safely adding listener to abortSignal \ 
(Chemi Atlow)
- **fs, stream**: initial `Symbol.dispose` and `Symbol.asyncDispose` support \ 
(Moshe Atlow)
- **net**: add autoSelectFamily global getter and setter (Paolo Insogna)
- **(SEMVER-MINOR)** **url**: add value argument to has and delete methods \ 
(Sankalp Shubham)

Log message:
*: recursive bump for Python 3.11 as new default