2023-10-16 21:15:17 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
nodejs: updated to 20.8.1
Version 20.8.1 (Current)
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)
|
2023-10-12 13:37:44 by Adam Ciarcinski | Files touched by this commit (27)
Log message:
nodejs14: removed; life ended on 2023-04-30
|
2023-10-01 18:00:13 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
nodejs: updated to 20.8.0
Version 20.8.0 (Current)
Notable Changes
Stream performance improvements
Performance improvements to writable and readable streams, improving the creation and destruction by ±15% and reducing the memory overhead each stream takes in Node.js
Performance improvements for readable webstream, improving readable stream async iterator consumption by ±140% and improving readable stream pipeTo consumption by ±60%
Rework of memory management in vm APIs with the importModuleDynamically option
This rework addressed a series of long-standing memory leaks and use-after-free issues in the following APIs that support importModuleDynamically:
vm.Script
vm.compileFunction
vm.SyntheticModule
vm.SourceTextModule
This should enable affected users to upgrade from older versions of Node.js.
|
2023-09-20 13:21:59 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
nodejs: updated to 20.7.0
Version 20.7.0 (Current)
Notable Changes
- src: support multiple --env-file declarations (Yagiz Nizipli)
- crypto: update root certificates to NSS 3.93 (Node.js GitHub Bot)
- deps: upgrade npm to 10.1.0 (npm team)
- (SEMVER-MINOR) deps: upgrade npm to 10.0.0 (npm team)
- doc: move and rename loaders section (Geoffrey Booth)
- doc: add release key for Ulises Gascon (Ulises Gascón)
- (SEMVER-MINOR) lib: add api to detect whether source-maps are enabled (翠 / green)
- src,permission: add multiple allow-fs-* flags (Carlos Espa)
- (SEMVER-MINOR) test_runner: expose location of tests (Colin Ihrig)
|
2023-09-13 11:55:45 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
nodejs: updated to 20.6.1
Version 20.6.1 (Current)
esm: fix loading of CJS modules from ESM
|
2023-09-06 21:28:21 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
nodejs: updated to 20.6.0
Version 20.6.0 (Current)
Notable changes
built-in .env file support
Starting from Node.js v20.6.0, Node.js supports .env files for configuring environment variables.
Your configuration file should follow the INI file format, with each line containing a key-value pair for an environment variable. To initialize your Node.js application with predefined configurations, use the following CLI command: node --env-file=config.env index.js.
For example, you can access the following environment variable using process.env.PASSWORD when your application is initialized:
PASSWORD=nodejs
In addition to environment variables, this change allows you to define your NODE_OPTIONS directly in the .env file, eliminating the need to include it in your package.json.
import.meta.resolve unflagged
In ES modules, import.meta.resolve(specifier) can be used to get an absolute URL string to which specifier resolves, similar to require.resolve in CommonJS. This aligns Node.js with browsers and other server-side runtimes.
New node:module API register for module customization hooks; new initialize hook
There is a new API register available on node:module to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag --experimental-loader, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling register from the main thread and passing data, including MessageChannel instances.
We encourage users to migrate to an approach that uses --import with register, such as:
node --import ./file-that-calls-register.js ./app.js
Using --import ensures that the customization hooks are registered before any application code runs, even the entry point.
Module customization load hook can now support CommonJS
|
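The 20.6.0 entry above notes that a file passed with --env-file can set NODE_OPTIONS as well as application variables, so it deserves the same review as code. The following is an added example (not part of the commit log or of Node.js) that audits such a file; the parsing is a simplified assumption, and parseEnv, auditEnvFile and the two pattern lists are hypothetical names chosen here.

```javascript
// Added example: review helper for a file passed to `node --env-file=...`.
// Assumption: simplified KEY=VALUE parsing (blank lines and `#` comments are
// skipped, one pair of surrounding quotes is stripped).
const CODE_LOADING_FLAGS = ['--require', '-r', '--import', '--experimental-loader', '--loader'];
const SECRET_KEY_PATTERN = /PASSWORD|SECRET|TOKEN|API_?KEY/i;

function parseEnv(text) {
  const vars = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue; // not a KEY=VALUE line
    let value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    if (quoted) value = quoted[2];
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

function auditEnvFile(text) {
  const vars = parseEnv(text);
  const findings = [];
  for (const [key, value] of Object.entries(vars)) {
    if (SECRET_KEY_PATTERN.test(key) && value !== '') {
      findings.push({ key, issue: 'secret stored in plaintext' });
    }
  }
  // NODE_OPTIONS set here changes how the runtime itself starts.
  const options = (vars.NODE_OPTIONS || '').split(/\s+/).filter(Boolean);
  for (const option of options) {
    const flag = option.split('=')[0];
    if (CODE_LOADING_FLAGS.includes(flag)) {
      findings.push({ key: 'NODE_OPTIONS', issue: `loads code at startup: ${flag}` });
    }
  }
  return { vars, findings };
}

// Constructed sample input, not taken from a real project.
const SAMPLE_ENV = [
  '# application settings',
  'PASSWORD=nodejs',
  'PORT=3000',
  'NODE_OPTIONS="--max-old-space-size=2048 --import ./file-that-calls-register.js"',
].join('\n');

console.log(auditEnvFile(SAMPLE_ENV).findings);
```

Run against a repository's .env files before they are committed or deployed, the findings list shows which entries hold credentials and which alter Node.js startup.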
2023-08-14 07:25:36 by Thomas Klausner | Files touched by this commit (1247) |
Log message:
*: recursive bump for Python 3.11 as new default
|
2023-08-11 07:25:17 by Adam Ciarcinski | Files touched by this commit (2)
Log message:
nodejs: updated to 20.5.1
Version 20.5.1 (Current)
Notable Changes
The following CVEs are fixed in this release:
CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32558: process.binding() can bypass the permission model through path traversal (High)
CVE-2023-32004: Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
CVE-2023-32005: fs.statfs can bypass the permission model (Low)
CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
OpenSSL Security Releases
|
2023-07-27 10:43:16 by Jonathan Perkin | Files touched by this commit (1) |
Log message:
nodejs: Add missing CONFLICTS/SUPERSEDES for npm.
|
2023-07-25 08:42:43 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
nodejs: updated to 20.5.0
Version 20.5.0 (Current)
Notable Changes
doc: add atlowChemi to collaborators (atlowChemi)
(SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow)
fs: add a fast-path for readFileSync utf-8 (Yagiz Nizipli)
(SEMVER-MINOR) test_runner: add shards support (Raz Luvaton)
|