Log message:
nodejs: updated to 20.8.1

Version 20.8.1 (Current)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-44487: nghttp2 Security Release (High)
CVE-2023-45143: undici Security Release (High)
CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
CVE-2023-39331: Permission model improperly protects against path traversal (High)
CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
CVE-2023-39333: Code injection via WebAssembly export names (Low)

Log message:
nodejs14: removed; life ended on 2023-04-30

Log message:
nodejs: updated to 20.8.0

Version 20.8.0 (Current)

Notable Changes

Stream performance improvements

Performance improvements to writable and readable streams, improving the \ 
creation and destruction by ±15% and reducing the memory overhead each stream \ 
takes in Node.js

Performance improvements for readable webstream, improving readable stream async \ 
iterator consumption by ±140% and improving readable stream pipeTo consumption \ 
by ±60%

Rework of memory management in vm APIs with the importModuleDynamically option

This rework addressed a series of long-standing memory leaks and use-after-free \ 
issues in the following APIs that support importModuleDynamically:

vm.Script
vm.compileFunction
vm.SyntheticModule
vm.SourceTextModule
This should enable affected users to upgrade from older versions of Node.js.

Log message:
nodejs: updated to 20.7.0

Version 20.7.0 (Current)

Notable Changes

- src: support multiple --env-file declarations (Yagiz Nizipli)
- crypto: update root certificates to NSS 3.93 (Node.js GitHub Bot)
- deps: upgrade npm to 10.1.0 (npm team)
- (SEMVER-MINOR) deps: upgrade npm to 10.0.0 (npm team)
- doc: move and rename loaders section (Geoffrey Booth)
- doc: add release key for Ulises Gascon (Ulises Gascón)
- (SEMVER-MINOR) lib: add api to detect whether source-maps are enabled (翠 / green)
- src,permission: add multiple allow-fs-* flags (Carlos Espa)
- (SEMVER-MINOR) test_runner: expose location of tests (Colin Ihrig)

Log message:
nodejs: updated to 20.6.1

Version 20.6.1 (Current)
esm: fix loading of CJS modules from ESM

Log message:
nodejs: updated to 20.6.0

Version 20.6.0 (Current)

Notable changes

built-in .env file support

Starting from Node.js v20.6.0, Node.js supports .env files for configuring \ 
environment variables.

Your configuration file should follow the INI file format, with each line \ 
containing a key-value pair for an environment variable. To initialize your \ 
Node.js application with predefined configurations, use the following CLI \ 
command: node --env-file=config.env index.js.

For example, you can access the following environment variable using \ 
process.env.PASSWORD when your application is initialized:

PASSWORD=nodejs
In addition to environment variables, this change allows you to define your \ 
NODE_OPTIONS directly in the .env file, eliminating the need to include it in \ 
your package.json.

import.meta.resolve unflagged

In ES modules, import.meta.resolve(specifier) can be used to get an absolute URL \ 
string to which specifier resolves, similar to require.resolve in CommonJS. This \ 
aligns Node.js with browsers and other server-side runtimes.

New node:module API register for module customization hooks; new initialize hook

There is a new API register available on node:module to specify a file that \ 
exports module customization hooks, and pass data to the hooks, and establish \ 
communication channels with them. The “define the file with the hooks” part \ 
was previously handled by a flag --experimental-loader, but when the hooks moved \ 
into a dedicated thread in 20.0.0 there was a need to provide a way to \ 
communicate between the main (application) thread and the hooks thread. This can \ 
now be done by calling register from the main thread and passing data, including \ 
MessageChannel instances.

We encourage users to migrate to an approach that uses --import with register, \ 
such as:

node --import ./file-that-calls-register.js ./app.js
Using --import ensures that the customization hooks are registered before any \ 
application code runs, even the entry point.

Module customization load hook can now support CommonJS

Log message:
*: recursive bump for Python 3.11 as new default

Log message:
nodejs: updated to 20.5.1

Version 20.5.1 (Current)

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-32002: Policies can be bypassed via Module._load (High)
CVE-2023-32558: process.binding() can bypass the permission model through path \ 
traversal (High)
CVE-2023-32004: Permission model can be bypassed by specifying a path traversal \ 
sequence in a Buffer (High)
CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
CVE-2023-32005: fs.statfs can bypass the permission model (Low)
CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission \ 
model (Low)
OpenSSL Security Releases

Log message:
nodejs: Add missing CONFLICTS/SUPERSEDES for npm.

Log message:
nodejs: updated to 20.5.0

Version 20.5.0 (Current)

Notable Changes

doc: add atlowChemi to collaborators (atlowChemi)
(SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow)
fs: add a fast-path for readFileSync utf-8 (Yagiz Nizipli)
(SEMVER-MINOR) test_runner: add shards support (Raz Luvaton)