Skip to content

Releases: nodejs/node

2024-09-03, Version 22.8.0 (Current), @RafaelGSS

03 Sep 13:46
@RafaelGSS RafaelGSS
v22.8.0
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
78ee90e
Compare
Choose a tag to compare
2024-09-03, Version 22.8.0 (Current), @RafaelGSS Latest
Latest

New JS API for compile cache

This release adds a new API module.enableCompileCache() that can be used to enable on-disk code caching of all modules loaded after this API is called.
Previously this could only be enabled by the NODE_COMPILE_CACHE environment variable, so it could only set by end-users.
This API allows tooling and library authors to enable caching of their own code.
This is a built-in alternative to the v8-compile-cache/v8-compile-cache-lib packages,
but have better performance and supports ESM.

Thanks to Joyee Cheung for working on this.

New option for vm.createContext() to create a context with a freezable globalThis

Node.js implements a flavor of vm.createContext() and friends that creates a context without contextifying its global
object when vm.constants.DONT_CONTEXTIFY is used. This is suitable when users want to freeze the context
(impossible when the global is contextified i.e. has interceptors installed) or speed up the global access if they
don't need the interceptor behavior.

Thanks to Joyee Cheung for working on this.

Support for coverage thresholds

Node.js now supports requiring code coverage to meet a specific threshold before the process exits successfully.
To use this feature, you need to enable the --experimental-test-coverage flag.

You can set thresholds for the following types of coverage:

  • Branch coverage: Use --test-coverage-branches=<threshold>
  • Function coverage: Use --test-coverage-functions=<threshold>
  • Line coverage: Use --test-coverage-lines=<threshold>

<threshold> should be an integer between 0 and 100. If an invalid value is provided, a TypeError will be thrown.

If the code coverage fails to meet the specified thresholds for any category, the process will exit with code 1.

For instance, to enforce a minimum of 80% line coverage and 60% branch coverage, you can run:

$ node --experimental-test-coverage --test-coverage-lines=80 --test-coverage-branches=60 example.js

Thanks Aviv Keller for working on this.

Other Notable Changes

  • [1f2cc2fa47] - (SEMVER-MINOR) src,lib: add performance.uvMetricsInfo (Rafael Gonzaga) #54413
  • [1e01bdc0d0] - (SEMVER-MINOR) net: exclude ipv6 loopback addresses from server.listen (Giovanni Bucci) #54264
  • [97fa075c2e] - (SEMVER-MINOR) test_runner: support running tests in process (Colin Ihrig) #53927
  • [858b583c88] - (SEMVER-MINOR) test_runner: defer inheriting hooks until run() (Colin Ihrig) #53927

Commits

  • [94985df9d6] - benchmark: fix benchmark for file path and URL conversion (Early Riser) #54190
  • [ac178b094b] - buffer: truncate instead of throw when writing beyond buffer (Robert Nagy) #54524
  • [afd8c1eb4f] - buffer: allow invalid encoding in from (Robert Nagy) #54533
  • [6f0cf35cd3] - build: reclaim disk space on macOS GHA runner (jakecastelli) #54658
  • [467ac3aec4] - build: don't clean obj.target directory if it doesn't exist (Joyee Cheung) #54337
  • [71fdf961df] - build: update required python version to 3.8 (Aviv Keller) #54358
  • [73604cf1c5] - deps: update nghttp2 to 1.63.0 (Node.js GitHub Bot) #54589
  • [b00c087285] - deps: V8: cherry-pick e74d0f437fcd (Joyee Cheung) #54279
  • [33a6b3c7a9] - deps: backport ICU-22787 to fix ClangCL on Windows (Stefan Stojanovic) #54502
  • [fe56949cbb] - deps: update c-ares to v1.33.1 (Node.js GitHub Bot) #54549
  • [290f6ce619] - deps: update amaro to 0.1.8 (Node.js GitHub Bot) #54520
  • [b5843568b4] - deps: update amaro to 0.1.7 (Node.js GitHub Bot) #54473
  • [9c709209b4] - deps: update undici to 6.19.8 (Node.js GitHub Bot) #54456
  • [a5ce24181b] - deps: sqlite: fix Windows compilation (Colin Ihrig) #54433
  • [3caf29ea88] - deps: update sqlite to 3.46.1 (Node.js GitHub Bot) #54433
  • [68758d4b08] - doc: add support me link for anonrig (Yagiz Nizipli) #54611
  • [f5c5529266] - doc: add alert on REPL from TCP socket (Rafael Gonzaga) #54594
  • [bf824483cd] - doc: fix typo in styleText description (Rafael Gonzaga) #54616
  • [825d933fd4] - doc: add getHeapStatistics() property descriptions (Benji Marinacci) #54584
  • [80e5150160] - doc: fix module compile cache description (沈鸿飞) #54625
  • [7fd033fe56] - doc: run license-builder (github-actions[bot]) #54562
  • [c499913732] - doc: fix information about including coverage files (Aviv Keller) #54527
  • [c3dc83befc] - doc: support collaborators - talk amplification (Michael Dawson) #54508
  • [fc57beaad3] - doc: add note about shasum generation failure (Marco Ippolito) #54487
  • [1800a58f49] - doc: update websocket flag description to reflect stable API status (Yelim Koo) #54482
  • [61affd77a7] - doc: fix capitalization in module.md (shallow-beach) #54488
  • [25419915c7] - doc: add esm examples to node:https (Alfredo GonzΓ‘lez) #54399
  • [83b5efeb54] - doc: reserve ABI 130 for Electron 33 (Calvin) #54383
  • [6ccbd32ae8] - doc, meta: add missing , to BUILDING.md (Aviv Keller) #54409
  • [fc08a9b0cd] - fs: refactor handleTimestampsAndMode to remove redundant call (HEESEUNG) #54369
  • [4a664b5fcb] - lib: respect terminal capabilities on styleText (Rafael Gonzaga) #54389
  • [a9ce2b6a28] - lib: fix emit warning for debuglog.time when disabled (Vinicius LourenΓ§o) #54275
  • [b5a23c9783] - meta: remind users to use a supported version in bug reports (Aviv Keller) #54481
  • [0d7171d8e9] - meta: add more labels to dep-updaters (Aviv Keller) #54454
  • [c4996c189f] - meta: run coverage-windows when vcbuild.bat updated (Aviv Keller) #54412
  • [3cf645768e] - module: use amaro default transform values (Marco Ippolito) #54517
  • [336496b90e] - module: add sourceURL magic comment hint...
Read more
Assets 2
Loading

2024-08-22, Version 22.7.0 (Current), @RafaelGSS

22 Aug 14:18
@RafaelGSS RafaelGSS
v22.7.0
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
65eff1e
Compare
Choose a tag to compare
2024-08-22, Version 22.7.0 (Current), @RafaelGSS

Experimental transform types support

With the new flag --experimental-transform-types it is possible to enable the
transformation of TypeScript-only syntax into JavaScript code.

This feature allows Node.js to support TypeScript syntax such as Enum and namespace.

Thanks to Marco Ippolito for making this work on #54283.

Module syntax detection is now enabled by default.

Module syntax detection (the --experimental-detect-module flag) is now
enabled by default. Use --no-experimental-detect-module to disable it if
needed.

Syntax detection attempts to run ambiguous files as CommonJS, and if the module
fails to parse as CommonJS due to ES module syntax, Node.js tries again and runs
the file as an ES module.
Ambiguous files are those with a .js or no extension, where the nearest parent
package.json has no "type" field (either "type": "module" or
"type": "commonjs").
Syntax detection should have no performance impact on CommonJS modules, but it
incurs a slight performance penalty for ES modules; add "type": "module" to
the nearest parent package.json file to eliminate the performance cost.
A use case unlocked by this feature is the ability to use ES module syntax in
extensionless scripts with no nearby package.json.

Thanks to Geoffrey Booth for making this work on #53619.

Performance Improvements to Buffer

Performance of Node.js Buffers have been optimized through multiple PR's with significant
improvements to the Buffer.copy and Buffer.write methods. These are used throughout
the codebase and should give a nice boost across the board.

Thanks to Robert Nagy for making this work on #54311,
#54324, and #54087.

Other Notable Changes

  • [911de7dd6d] - (SEMVER-MINOR) inspector: support Network.loadingFailed event (Kohei Ueno) #54246
  • [9ee4b16bd8] - (SEMVER-MINOR) lib: rewrite AsyncLocalStorage without async_hooks (Stephen Belanger) #48528

Commits

Read more
Assets 2
Loading

2024-08-21, Version 20.17.0 'Iron' (LTS), @marco-ippolito

21 Aug 16:32
@marco-ippolito marco-ippolito
v20.17.0
This tag was signed with the committer’s verified signature.
marco-ippolito Marco Ippolito
GPG key ID: 27F5E38D5B0A215F
Learn about vigilant mode.
efbec04
This commit was signed with the committer’s verified signature.
marco-ippolito Marco Ippolito
GPG key ID: 27F5E38D5B0A215F
Learn about vigilant mode.
Compare
Choose a tag to compare
2024-08-21, Version 20.17.0 'Iron' (LTS), @marco-ippolito

module: support require()ing synchronous ESM graphs

This release adds require() support for synchronous ESM graphs under
the flag --experimental-require-module.

If --experimental-require-module is enabled, and the ECMAScript
module being loaded by require() meets the following requirements:

  • Explicitly marked as an ES module with a "type": "module" field in the closest package.json or a .mjs extension.
  • Fully synchronous (contains no top-level await).

require() will load the requested module as an ES Module, and return
the module name space object. In this case it is similar to dynamic
import() but is run synchronously and returns the name space object
directly.

Contributed by Joyee Cheung in #51977

path: add matchesGlob method

Glob patterns can now be tested against individual paths via the path.matchesGlob(path, pattern) method.

Contributed by Aviv Keller in #52881

stream: expose DuplexPair API

The function duplexPair returns an array with two items,
each being a Duplex stream connected to the other side:

const [ sideA, sideB ] = duplexPair();

Whatever is written to one stream is made readable on the other. It provides
behavior analogous to a network connection, where the data written by the client
becomes readable by the server, and vice-versa.

Contributed by Austin Wright in #34111

Other Notable Changes

  • [8e64c02b19] - (SEMVER-MINOR) http: add diagnostics channel http.client.request.error (Kohei Ueno) #54054
  • [ae30674991] - meta: add jake to collaborators (jakecastelli) #54004
  • [4a3ecbfc9b] - (SEMVER-MINOR) stream: implement min option for ReadableStreamBYOBReader.read (Mattias Buelens) #50888

Commits

Read more
Assets 2
Loading

2024-08-06, Version 22.6.0 (Current), @RafaelGSS

06 Aug 18:04
@RafaelGSS RafaelGSS
v22.6.0
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
b096e41
Compare
Choose a tag to compare
2024-08-06, Version 22.6.0 (Current), @RafaelGSS

Experimental TypeScript support via strip types

Node.js introduces the --experimental-strip-types flag for initial TypeScript support.
This feature strips type annotations from .ts files, allowing them to run
without transforming TypeScript-specific syntax. Current limitations include:

  • Supports only inline type annotations, not features like enums or namespaces.
  • Requires explicit file extensions in import and require statements.
  • Enforces the use of the type keyword for type imports to avoid runtime errors.
  • Disabled for TypeScript in node_modules by default.

Thanks Marco Ippolito for working on this.

Experimental Network Inspection Support in Node.js

This update introduces the initial support for network inspection in Node.js.
Currently, this is an experimental feature, so you need to enable it using the --experimental-network-inspection flag.
With this feature enabled, you can inspect network activities occurring within a JavaScript application.

To use network inspection, start your Node.js application with the following command:

$ node --inspect-wait --experimental-network-inspection index.js

Please note that the network inspection capabilities are in active development.
We are actively working on enhancing this feature and will continue to expand its functionality in future updates.

Thanks Kohei Ueno for working on this.

Other Notable Changes

  • [15a94e67b1] - lib,src: drop --experimental-network-imports (Rafael Gonzaga) #53822
  • [68e444d2d8] - (SEMVER-MINOR) http: add diagnostics channel http.client.request.error (Kohei Ueno) #54054
  • [2d982d3dee] - (SEMVER-MINOR) deps: V8: backport 7857eb34db42 (Stephen Belanger) #53997
  • [15816bd0dd] - (SEMVER-MINOR) stream: expose DuplexPair API (Austin Wright) #34111
  • [893c864542] - (SEMVER-MINOR) test_runner: fix support watch with run(), add globPatterns option (Matteo Collina) #53866
  • [048d421ad1] - meta: add jake to collaborators (jakecastelli) #54004
  • [6ad6e01bf3] - (SEMVER-MINOR) test_runner: refactor snapshots to get file from context (Colin Ihrig) #53853
  • [698e44f8e7] - (SEMVER-MINOR) test_runner: add context.filePath (Colin Ihrig) #53853

Commits

  • [063f46dc2a] - assert: use isError instead of instanceof in innerOk (Pietro Marchini) #53980
  • [10bea42f81] - build: update gcovr to 7.2 and codecov config (Benjamin E. Coe) #54019
  • [7c417c6cf4] - build: avoid compiling with VS v17.10 (HΓΌseyin AΓ§acak) #53863
  • [ee97c045b4] - build: ensure v8_pointer_compression_sandbox is enabled on 64bit (Shelley Vohr) #53884
  • [bfbed0afd5] - build: fix conflict gyp configs (Chengzhong Wu) #53605
  • [0f1fe63e32] - build: trigger coverage ci when updating codecov (Yagiz Nizipli) #53929
  • [ad62b945f0] - build: update codecov coverage build count (Yagiz Nizipli) #53929
  • [3c40868fd3] - build: disable test-asan workflow (MichaΓ«l Zasso) #53844
  • [2a62d6ca57] - build, tools: drop leading / from r2dir (Richard Lau) #53951
  • [9c7b009f47] - build,tools: simplify upload of shasum signatures (MichaΓ«l Zasso) #53892
  • [057bd44f9f] - child_process: fix incomplete prototype pollution hardening (Liran Tal) #53781
  • [66f7c595c7] - cli: document --inspect port 0 behavior (Aviv Keller) #53782
  • [fad3e74b47] - console: fix issues with frozen intrinsics (Vinicius LourenΓ§o) #54070
  • [e685ecd7ae] - deps: update corepack to 0.29.3 (Node.js GitHub Bot) #54072
  • [e5f7250e6d] - deps: update amaro to 0.0.6 (Node.js GitHub Bot) #54199
  • [2c1e9082e8] - deps: update amaro to 0.0.5 (Node.js GitHub Bot) #54199
  • [2d982d3dee] - (SEMVER-MINOR) deps: V8: backport 7857eb34db42 (Stephen Belanger) #53997
  • [1061898462] - deps: update c-ares to v1.32.3 (Node.js GitHub Bot) #54020
  • [f4a7ac5e18] - deps: V8: cherry-pick 35888fee7bba (Joyee Cheung) #53728
  • [1176310226] - deps: add gn build files for ncrypto (Cheng) #53940
  • [7a1d5a4f84] - deps: update c-ares to v1.32.2 (Node.js GitHub Bot) #53865
  • [66f6a2aec9] - deps: V8: cherry-pick 9812cb486e2b (MichaΓ«l Zasso) #53966
  • [8e66a18ef0] - deps: start working on ncrypto dep (James M Snell) #53803
  • [c114082b12] - deps: fix include_dirs of nbytes (Cheng) #53862
  • [b7315281be] - doc: move numCPUs require to top of file in cluster CJS example (Alfredo GonzΓ‘lez) #53932
  • [8e7c30c2a4] - doc: update security-release process to automated one (Rafael Gonzaga) #53877
  • [52a4206be2] - doc: fix typo in technical-priorities.md (YoonSoo_Shin) #54094
  • [30e18a04a3] - doc: fix typo in diagnostic tooling support tiers document (Taejin Kim) #54058
  • [58aebfd31e] - doc: move GeoffreyBooth to TSC regular member (Geoffrey Booth) #54047
  • [c1634c7213] - doc: correct typescript stdin support (Marco Ippolito) #54036
  • [64812d5c22] - doc: fix typo in recognizing-contributors (Marco Ippolito) #53990
  • [6b35994b6f] - doc: fix documentation for --run (Aviv Keller) #53976
  • [04d203a233] - doc: update boxstarter README (Aviv Keller) #53785
  • [86fa46db1c] - doc: add info about prefix-only modules to module.builtinModules (Grigory) #53954
  • [defdc3c568] - doc: remove scroll-behavior: smooth; (Cloyd Lau) #53942
    *...
Read more
Assets 2
Loading

2024-07-24, Version 20.16.0 'Iron' (LTS), @marco-ippolito

24 Jul 12:14
@marco-ippolito marco-ippolito
v20.16.0
This tag was signed with the committer’s verified signature.
marco-ippolito Marco Ippolito
GPG key ID: 27F5E38D5B0A215F
Learn about vigilant mode.
1968ef3
This commit was signed with the committer’s verified signature.
marco-ippolito Marco Ippolito
GPG key ID: 27F5E38D5B0A215F
Learn about vigilant mode.
Compare
Choose a tag to compare
2024-07-24, Version 20.16.0 'Iron' (LTS), @marco-ippolito

process: add process.getBuiltinModule(id)

process.getBuiltinModule(id) provides a way to load built-in modules
in a globally available function. ES Modules that need to support
other environments can use it to conditionally load a Node.js built-in
when it is run in Node.js, without having to deal with the resolution
error that can be thrown by import in a non-Node.js environment or
having to use dynamic import() which either turns the module into
an asynchronous module, or turns a synchronous API into an asynchronous one.

if (globalThis.process?.getBuiltinModule) {
  // Run in Node.js, use the Node.js fs module.
  const fs = globalThis.process.getBuiltinModule('fs');
  // If `require()` is needed to load user-modules, use createRequire()
  const module = globalThis.process.getBuiltinModule('module');
  const require = module.createRequire(import.meta.url);
  const foo = require('foo');
}

If id specifies a built-in module available in the current Node.js process,
process.getBuiltinModule(id) method returns the corresponding built-in
module. If id does not correspond to any built-in module, undefined
is returned.

process.getBuiltinModule(id) accepts built-in module IDs that are recognized
by module.isBuiltin(id).

The references returned by process.getBuiltinModule(id) always point to
the built-in module corresponding to id even if users modify
require.cache so that require(id) returns something else.

Contributed by Joyee Cheung in #52762

doc: doc-only deprecate OpenSSL engine-based APIs

OpenSSL 3 deprecated support for custom engines with a recommendation to switch to its new provider model.
The clientCertEngine option for https.request(), tls.createSecureContext(), and tls.createServer(); the privateKeyEngine and privateKeyIdentifier for tls.createSecureContext(); and crypto.setEngine() all depend on this functionality from OpenSSL.

Contributed by Richard Lau in #53329

inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth

Debugger.setAsyncCallStackDepth was previously calling the enable function by mistake. As a result, when profiling using Chrome DevTools, the async hooks won't be turned off properly after receiving Debugger.setAsyncCallStackDepth with depth 0.

Contributed by Joyee Cheung in #53473

Other Notable Changes

  • [09e2191432] - (SEMVER-MINOR) buffer: add .bytes() method to Blob (Matthew Aitken) #53221
  • [394e00f41c] - (SEMVER-MINOR) doc: add context.assert docs (Colin Ihrig) #53169
  • [a8601efa5e] - (SEMVER-MINOR) doc: improve explanation about built-in modules (Joyee Cheung) #52762
  • [5e76c258f7] - doc: add StefanStojanovic to collaborators (StefanStojanovic) #53118
  • [5e694026f1] - doc: add Marco Ippolito to TSC (Rafael Gonzaga) #53008
  • [f3ba1eb72f] - (SEMVER-MINOR) net: add new net.server.listen tracing channel (Paolo Insogna) #53136
  • [2bcce3255b] - (SEMVER-MINOR) src,permission: --allow-wasi & prevent WASI exec (Rafael Gonzaga) #53124
  • [a03a4c7bdd] - (SEMVER-MINOR) test_runner: add context.fullName (Colin Ihrig) #53169
  • [69b828f5a5] - (SEMVER-MINOR) util: support --no- for argument with boolean type for parseArgs (Zhenwei Jin) #53107

Commits

Read more
Assets 2
Loading

2024-07-19, Version 22.5.1 (Current), @richardlau

19 Jul 13:55
@richardlau richardlau
v22.5.1
This tag was signed with the committer’s verified signature.
richardlau Richard Lau
GPG key ID: C43CEC45C17AB93C
Learn about vigilant mode.
fd9233a
This commit was signed with the committer’s verified signature.
richardlau Richard Lau
GPG key ID: C43CEC45C17AB93C
Learn about vigilant mode.
Compare
Choose a tag to compare
2024-07-19, Version 22.5.1 (Current), @richardlau

Notable Changes

This release fixes a regression introduced in Node.js 22.5.0. The problem is known to display the following symptoms:

  • Crash with FATAL ERROR: v8::Object::GetCreationContextChecked No creation context available #53902
  • npm errors with npm error Exit handler never called! npm/cli#7657
  • yarn hangs or outputs Usage Error: Couldn't find the node_modules state file - running an install might help (findPackageLocation) yarnpkg/berry#6398

Commits

Assets 2
Loading

2024-07-17, Version 22.5.0 (Current), @RafaelGSS prepared by @aduh95

17 Jul 16:08
@RafaelGSS RafaelGSS
v22.5.0
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
34de839
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 21D900FFDB233756
Learn about vigilant mode.
Compare
Choose a tag to compare
2024-07-17, Version 22.5.0 (Current), @RafaelGSS prepared by @aduh95

Notable Changes

  • [1367c5558e] - (SEMVER-MINOR) http: expose websockets (Natalia Venditto) #53721
  • [b31394920d] - (SEMVER-MINOR) lib: add node:sqlite module (Colin Ihrig) #53752
  • [aa7df9551d] - module: add __esModule to require()'d ESM (Joyee Cheung) #52166
  • [8743c4d65a] - (SEMVER-MINOR) path: add matchesGlob method (Aviv Keller) #52881
  • [77936c3d24] - (SEMVER-MINOR) process: port on-exit-leak-free to core (Vinicius LourenΓ§o) #53239
  • [82d88a83f8] - (SEMVER-MINOR) stream: pipeline wait for close before calling the callback (jakecastelli) #53462
  • [3a0fcbb17a] - test_runner: support glob matching coverage files (Aviv Keller) #53553
  • [22ca334090] - (SEMVER-MINOR) worker: add postMessageToThread (Paolo Insogna) #53682

Commits

Read more
Assets 2
Loading

2024-07-08, Version 22.4.1 (Current), @RafaelGSS

08 Jul 18:28
@RafaelGSS RafaelGSS
v22.4.1
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
8512434
Compare
Choose a tag to compare
2024-07-08, Version 22.4.1 (Current), @RafaelGSS

This is a security release.

Notable Changes

  • CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  • CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
  • CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  • CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  • CVE-2024-37372 - Permission model improperly processes UNC paths (Low)

Commits

Assets 2
Loading

2024-07-08, Version 20.15.1 'Iron' (LTS), @RafaelGSS

08 Jul 18:27
@RafaelGSS RafaelGSS
v20.15.1
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
a407d1f
Compare
Choose a tag to compare
2024-07-08, Version 20.15.1 'Iron' (LTS), @RafaelGSS

This is a security release.

Notable Changes

  • CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  • CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
  • CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  • CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  • CVE-2024-37372 - Permission model improperly processes UNC paths (Low)

Commits

Assets 2
Loading

2024-07-08, Version 18.20.4 'Hydrogen' (LTS), @RafaelGSS

08 Jul 18:26
@RafaelGSS RafaelGSS
v18.20.4
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Learn about vigilant mode.
e922fb6
Compare
Choose a tag to compare
2024-07-08, Version 18.20.4 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

Notable Changes

  • CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  • CVE-2024-22020 - Bypass network import restriction via data URL (Medium)

Commits

Assets 2
Loading