Subject: CVS commit: pkgsrc/lang/nodejs12
From: Adam Ciarcinski
Date: 2021-04-07 08:21:06
Message id: 20210407062106.4887CFA95@cvs.NetBSD.org
Log Message:
nodejs12: updated to 12.22.1

Version 12.22.1 'Erbium' (LTS)

This is a security release.

Notable Changes

Vulnerabilities fixed:

CVE-2021-3450: OpenSSL - CA certificate check bypass with \ 
X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You \ 
can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines

CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You \ 
can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines

CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by \ 
prototype pollution. You can read more about it in \ 
https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines

Version 12.22.0 'Erbium' (LTS)

Notable changes

The legacy HTTP parser is runtime deprecated

The legacy HTTP parser, selected by the --http-parser=legacy command line \ 
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it is \ 
the only HTTP parser implementation provided) at the end of April 2021. It will \ 
now warn on use but otherwise continue to function and may be removed in a \ 
future Node.js 12.x release.

The default HTTP parser based on llhttp is not affected. By default it is \ 
stricter than the now deprecated legacy HTTP parser. If interoperability with \ 
HTTP implementations that send invalid HTTP headers is required, the HTTP parser \ 
can be started in a less secure mode with the --insecure-http-parser command \ 
line option.

ES Modules

ES Modules are now considered stable.

node-api

Updated to node-api version 8 and added an experimental API to allow retrieval \ 
of the add-on file name.

New API's to control code coverage data collection

v8.stopCoverage() and v8.takeCoverage() have been added.

New API to monitor event loop utilization by Worker threads

worker.performance.eventLoopUtilization() has been added.
Files:
RevisionActionfile
1.32modifypkgsrc/lang/nodejs12/Makefile
1.23modifypkgsrc/lang/nodejs12/distinfo