Update Node to April 2024 security release

[gioccher]

The version of Node 20 included in the runner is several security releases behind. Current: 20.8.1 (August 2023) Latest: 20.12.1 (April 2024)

Here are the announcements of each Node security release: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/ https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/ https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

and the list of fixed CVEs:

undici - Cookie headers are not cleared in cross-domain redirect in undici-fetch (Low) - (CVE-2023-45143)
nghttp2 - HTTP/2 Rapid Reset (High) - (CVE-2023-44487)
Permission model improperly protects against path traversal (High) - (CVE-2023-39331)
Path traversal through path stored in Uint8Array (High) - (CVE-2023-39332)
Integrity checks according to policies can be circumvented (Medium) - (CVE-2023-38552)
Code injection via WebAssembly export names (Low) - (CVE-2023-39333)
OpenSSL Security updates
Code injection and privilege escalation through Linux capabilities (CVE-2024-21892) - (High)
Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (CVE-2024-22019) - (High)
Path traversal by monkey-patching Buffer internals (CVE-2024-21896) - (High)
setuid() does not drop all privileges due to io_uring (CVE-2024-22017) - (High)
Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (CVE-2023-46809) - (Medium)
Multiple permission model bypasses due to improper path traversal sequence sanitization (CVE-2024-21891) - (Medium)
Improper handling of wildcards in --allow-fs-read and --allow-fs-write (CVE-2024-21890) - (Medium)
Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (CVE-2024-27983) - (High)
HTTP Request Smuggling via Content Length Obfuscation - (CVE-2024-27982) - (Medium)