./lang/nodejs18, V8 JavaScript for clients and servers

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 18.20.4nb2, Package name: nodejs-18.20.4nb2, Maintainer: pkgsrc-users

Node.js is an evented I/O framework for the V8 JavaScript engine. It is
intended for writing scalable network programs such as web servers.

This package holds the 18.x LTS release.



Package options: openssl

Master sites:

Filesize: 39497.793 KB

Version history: (Expand)


CVS history: (Expand)


   2024-04-11 16:49:35 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs18: updated to 18.20.2

Version 18.20.2 'Hydrogen' (LTS)

Notable Changes
CVE-2024-27980 - Command injection via args parameter of child_process.spawn \ 
without shell option enabled on Windows
   2024-04-05 07:32:14 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
nodejs18: updated to 18.20.1

Version 18.20.1 'Hydrogen' (LTS)

Notable Changes
CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() \ 
leads to HTTP/2 server crash- (High)
CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
llhttp version 9.2.1
undici version 5.28.4
   2024-02-14 22:26:59 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nodejs18: updated to 18.19.1

Version 18.19.1 'Hydrogen' (LTS)

Notable changes

CVE-2024-21892 - Code injection and privilege escalation through Linux \ 
capabilities- (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk \ 
extension allows DoS attacks- (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of \ 
the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli \ 
decoding - (Medium)
undici version 5.28.3
npm version 10.2.4
   2024-01-11 10:42:46 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nodejs18: updated to 18.19.0

Version 18.19.0 'Hydrogen' (LTS)

Notable Changes

npm updated to v10

After two months of baking time in Node.js 20, npm 10 is backported, so that all \ 
release lines include a supported version of npm. This release includes npm \ 
v10.2.3.

ESM and customization hook changes

Leverage loaders when resolving subsequent loaders

Loaders now apply to subsequent loaders, for example: --experimental-loader \ 
ts-node --experimental-loader loader-written-in-typescript.

New node:module API register for module customization hooks; new initialize hook

There is a new API register available on node:module to specify a file that \ 
exports module customization hooks, and pass data to the hooks, and establish \ 
communication channels with them. The “define the file with the hooks” part \ 
was previously handled by a flag --experimental-loader, but when the hooks moved \ 
into a dedicated thread in 20.0.0 there was a need to provide a way to \ 
communicate between the main (application) thread and the hooks thread. This can \ 
now be done by calling register from the main thread and passing data, including \ 
MessageChannel instances.

We encourage users to migrate to an approach that uses --import with register, \ 
such as:

node --import ./file-that-calls-register.js ./app.js
Using --import ensures that the customization hooks are registered before any \ 
application code runs, even the entry point.

import.meta.resolve unflagged

In ES modules, import.meta.resolve(specifier) can be used to get an absolute URL \ 
string to which specifier resolves, similar to require.resolve in CommonJS. This \ 
aligns Node.js with browsers and other server-side runtimes.

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default module \ 
system used by Node.js. Input that is already explicitly defined as ES modules \ 
or CommonJS, such as by a package.json "type" field or .mjs/.cjs file \ 
extension or the --input-type flag, is unaffected. What is currently implicitly \ 
CommonJS would instead be interpreted as ES modules under \ 
--experimental-default-type=module:

String input provided via --eval or STDIN, if --input-type is unspecified.

Files ending in .js or with no extension, if there is no package.json file \ 
present in the same folder or any parent folder.

Files ending in .js or with no extension, if the nearest parent package.json \ 
field lacks a type field; unless the folder is inside a node_modules folder.

In addition, extensionless files are interpreted as Wasm if \ 
--experimental-wasm-modules is passed and the file contains the "magic \ 
bytes" Wasm header.
   2023-11-23 17:57:37 by Jonathan Perkin | Files touched by this commit (5)
Log message:
nodejs*: Consolidate and fix python includes.

Ensures that PYTHON_FOR_BUILD_ONLY is set prior to including pyversion.mk,
and ensures python and its dependencies are not buildlinked.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-11-02 14:20:35 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
nodejs18: allow build with Python 3.12
   2023-10-25 00:11:51 by Thomas Klausner | Files touched by this commit (2298)
Log message:
*: bump for openssl 3