chore(deps): update dependency node to v16.20.2
This PR contains the following updates:
| Package | Update | Change |
|---|---|---|
| node (source) | minor | 16.19.1 -> 16.20.2 |
Release Notes
nodejs/node (node)
v16.20.2: 2023-08-09, Version 16.20.2 'Gallium' (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-32002: Policies can be bypassed via Module._load (High)
- CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
- CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
- OpenSSL Security Releases
More detailed information on each of the vulnerabilities can be found in the August 2023 Security Releases blog post.
Commits
- [40c3958a5a] - deps: update archs files for OpenSSL-1.1.1v (RafaelGSS) #49043
- [a9ac9da89a] - deps: fix openssl crypto clean (RafaelGSS) #49043
- [362d4c7494] - deps: upgrade openssl sources to OpenSSL_1_1_1v (RafaelGSS) #49043
- [d8ccfe9ad4] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#445
- [242aaa0caa] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#459
v16.20.1: 2023-06-20, Version 16.20.1 'Gallium' (LTS), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
- CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30588: Process interruption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
- OpenSSL Security Releases
- c-ares vulnerabilities:
More detailed information on each of the vulnerabilities can be found in the June 2023 Security Releases blog post.
Commits
- [5a92ea7a3b] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen)
- [5df04e893a] - deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #48156
- [c171cbd124] - deps: update c-ares to 1.19.1 (RafaelGSS) #48115
- [155d3aac02] - deps: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) #48369
- [8d4c8f8ebe] - deps: upgrade openssl sources to OpenSSL_1_1_1u (RafaelGSS) #48369
- [1a5c9284eb] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
- [e42ff4b018] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#429
- [10042683c8] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
- [a6f4e87bc9] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
- [b77000f4d7] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #47851
v16.20.0: 2023-03-29, Version 16.20.0 'Gallium' (LTS), @BethGriggs
Notable Changes
- deps:
- (SEMVER-MINOR) src: add support for externally shared js builtins (Michael Dawson) #44376
Commits
- [de6dd67790] - crypto: avoid hang when no algorithm available (Richard Lau) #46237
- [4617512788] - crypto: ensure auth tag set for chacha20-poly1305 (Ben Noordhuis) #46185
- [24972164fc] - deps: update undici to 5.20.0 (Node.js GitHub Bot) #46711
- [85f88c6a8d] - deps: V8: cherry-pick 90be99f (Michaël Zasso) #46646
- [b4ebe6d47b] - deps: update c-ares to 1.19.0 (Michaël Zasso) #46415
- [56cbc7fdda] - deps: V8: cherry-pick c2792e5 (Jiawen Geng) #44961
- [7af9bdb31e] - deps: upgrade npm to 8.19.4 (npm team) #46677
- [962a7471b5] - deps: update corepack to 0.17.0 (Node.js GitHub Bot) #46842
- [748bc96e35] - deps: update corepack to 0.16.0 (Node.js GitHub Bot) #46710
- [a467782499] - deps: update corepack to 0.15.3 (Node.js GitHub Bot) #46037
- [1913b6763d] - deps: update corepack to 0.15.2 (Node.js GitHub Bot) #45635
- [809371a15f] - module: require.resolve.paths returns null with node schema (MURAKAMI Masahiko) #45147
- [086bb2f8d4] - Revert "src: let http2 streams end after session close" (Rich Trott) #46721
- [6a01d39120] - (SEMVER-MINOR) src: add support for externally shared js builtins (Michael Dawson) #44376
- [d081032a60] - test: fix test-net-connect-reset-until-connected (Vita Batrla) #46781
- [efe1be47ec] - test: skip test depending on overlapped-checker when not available (Antoine du Hamel) #45015
- [fc47d58abe] - test: remove cjs loader from stack traces (Geoffrey Booth) #44197
- [cf76d0790d] - test: fix WPT title when no META title is present (Filip Skokan) #46804
- [0d1485b924] - test: fix default WPT titles (Filip Skokan) #46778
- [088e9cde3d] - test: add WPTRunner support for variants and generating WPT reports (Filip Skokan) #46498
- [908c4dff44] - test: mark test-crypto-key-objects flaky on Linux (Richard Lau) #46684
- [768e56227e] - tools: make utils.SearchFiles deterministic (Bruno Pitrus) #44496
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.