./lang/nodejs20, V8 JavaScript for clients and servers



Branch: CURRENT, Version: 20.18.0nb2, Package name: nodejs-20.18.0nb2, Maintainer: pkgsrc-users

Node.js is an evented I/O framework for the V8 JavaScript engine. It is
intended for writing scalable network programs such as web servers.

This package holds the latest release.



Package options: openssl

Master sites:

Filesize: 40954.242 KB

CVS history:


   2024-04-11 16:50:02 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs20: updated to 20.12.2

Version 20.12.2 'Iron' (LTS)

Notable Changes
CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
   2024-04-05 07:31:45 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
nodejs20: updated to 20.12.1

Version 20.12.1 'Iron' (LTS)

Notable Changes
CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash - (High)
CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
llhttp version 9.2.1
undici version 5.28.4
   2024-02-14 22:16:23 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs20: updated to 20.11.1

Version 20.11.1 'Iron' (LTS)

Notable changes

CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities - (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)
CVE-2024-21896 - Path traversal by monkey-patching Buffer internals - (High)
CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
undici version 5.28.3
libuv version 1.48.0
OpenSSL version 3.0.13+quic1
   2024-01-11 10:33:42 by Adam Ciarcinski | Files touched by this commit (6) | Package updated
Log message:
nodejs20: updated to 20.11.0

Version 20.11.0 'Iron' (LTS)

Notable Changes

- crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot)
- doc: add MrJithil to collaborators (Jithil P Ponnan)
- doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood)
- (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners)
- fs: add c++ fast path for writeFileSync utf8 (CanadaHonk)
- (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu)
- (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu)
- (SEMVER-MINOR) src: add --disable-warning option (Ethan Arrowood)
- (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu)
- (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu)
- stream: use Array for Readable buffer (Robert Nagy)
- stream: optimize creation (Robert Nagy)
- (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash)
- (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos)
- (SEMVER-MINOR) test_runner, cli: add --test-timeout flag (Shubham Pandey)
   2023-11-26 08:55:53 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
nodejs20: updated to 20.10.0

Version 20.10.0 'Iron' (LTS)

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default module system used by Node.js. Input that is already explicitly defined as ES modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs file extension or the --input-type flag, is unaffected. What is currently implicitly CommonJS would instead be interpreted as ES modules under --experimental-default-type=module:

String input provided via --eval or STDIN, if --input-type is unspecified.

Files ending in .js or with no extension, if there is no package.json file present in the same folder or any parent folder.

Files ending in .js or with no extension, if the nearest parent package.json field lacks a type field; unless the folder is inside a node_modules folder.

In addition, extensionless files are interpreted as Wasm if --experimental-wasm-modules is passed and the file contains the "magic bytes" Wasm header.

Detect ESM syntax in ambiguous JavaScript

The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN.

We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone—especially package authors—to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection.

New flush option in file system functions

When writing to files, it is possible that data is not immediately flushed to permanent storage. This allows subsequent read operations to see stale data. This PR adds a 'flush' option to the fs.writeFile family of functions which forces the data to be flushed at the end of a successful write operation.

Experimental WebSocket client

Adds a --experimental-websocket flag that adds a WebSocket global, as standardized by WHATWG.

vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script stopped hitting the V8 compilation cache after v16.x when support for importModuleDynamically was added to vm.Script, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x.

The recent fixes allow the compilation cache to be hit again for vm.Script when --experimental-vm-modules is not used even in the presence of the importModuleDynamically option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for vm.CompileFunction.
   2023-11-23 17:57:37 by Jonathan Perkin | Files touched by this commit (5)
Log message:
nodejs*: Consolidate and fix python includes.

Ensures that PYTHON_FOR_BUILD_ONLY is set prior to including pyversion.mk,
and ensures python and its dependencies are not buildlinked.
   2023-11-08 14:21:43 by Thomas Klausner | Files touched by this commit (2377)
Log message:
*: recursive bump for icu 74.1
   2023-11-02 14:22:01 by Adam Ciarcinski | Files touched by this commit (3)
Log message:
nodejs20: cleanup