⬆️ Updates Node.js to v20 - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node	engines	major	>= 8.0.0 -> >= 20.8.1

---

Release Notes

nodejs/node (node)

v20.8.1

Compare Source

v18.18.2

Compare Source

v18.18.1

Compare Source

v18.18.0: 2023-09-18, Version 18.18.0 'Hydrogen' (LTS), @​ruyadorno

Compare Source

Notable Changes

• [7dc731d4bf] - build: sync libuv header change (Jiawen Geng) #​48078
• [490fc004b0] - crypto: update root certificates to NSS 3.93 (Node.js GitHub Bot) #​49341
• [dd8cd97d4d] - crypto: update root certificates to NSS 3.90 (Node.js GitHub Bot) #​48416
• [ea23870bec] - deps: add missing thread-common.c in uv.gyp (Santiago Gimeno) #​48078
• [88855e0b1b] - deps: upgrade to libuv 1.46.0 (Santiago Gimeno) #​48078
• [fb2b80fca0] - deps: upgrade to libuv 1.45.0 (Santiago Gimeno) #​48078
• [249879e46c] - doc: add atlowChemi to collaborators (atlowChemi) #​48757
• [e8dc7bde6a] - doc: add vmoroz to collaborators (Vladimir Morozov) #​48527
• [a30f2fbcc1] - doc: add kvakil to collaborators (Keyhan Vakil) #​48449
• [c39b7c240e] - (SEMVER-MINOR) esm: add --import flag (Moshe Atlow) #​43942
• [a68a67f54d] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow) #​48596
• [3a8586bee2] - fs, stream: initial Symbol.dispose and Symbol.asyncDispose support (Moshe Atlow) #​48518
• [863bdb785d] - net: add autoSelectFamily global getter and setter (Paolo Insogna) #​45777
• [c59ae86ba0] - (SEMVER-MINOR) url: add value argument to has and delete methods (Sankalp Shubham) #​47885

Commits

• [d1f43317ea] - benchmark: add bar.R (Rafael Gonzaga) #​47729
• [4f74be3c92] - benchmark: refactor crypto oneshot (Filip Skokan) #​48267
• [fe9da9df0f] - benchmark: add crypto.create*Key (Filip Skokan) #​48284
• [9cb18b3e9d] - build: do not pass target toolchain flags to host toolchain (Ivan Trubach) #​48597
• [7dc731d4bf] - build: sync libuv header change (Jiawen Geng) #​48078
• [211a4f88a9] - build: update action to close stale PRs (Michael Dawson) #​48196
• [cc33a1864b] - child_process: harden against prototype pollution (Livia Medeiros) #​48726
• [b5df084e1e] - child_process: use addAbortListener (atlowChemi) #​48550
• [611db8df1a] - child_process: support Symbol.dispose (Moshe Atlow) #​48551
• [490fc004b0] - crypto: update root certificates to NSS 3.93 (Node.js GitHub Bot) #​49341
• [dd8cd97d4d] - crypto: update root certificates to NSS 3.90 (Node.js GitHub Bot) #​48416
• [b2bc839d4c] - crypto: remove OPENSSL_FIPS guard for OpenSSL 3 (Richard Lau) #​48392
• [c8da8c80b9] - deps: update nghttp2 to 1.55.0 (Node.js GitHub Bot) #​48746
• [7e04242dcb] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #​48704
• [ea23870bec] - deps: add missing thread-common.c in uv.gyp (Santiago Gimeno) #​48078
• [88855e0b1b] - deps: upgrade to libuv 1.46.0 (Santiago Gimeno) #​48078
• [fb2b80fca0] - deps: upgrade to libuv 1.45.0 (Santiago Gimeno) #​48078
• [59fca4e09a] - deps: update acorn to 8.10.0 (Node.js GitHub Bot) #​48713
• [bcb255d5a8] - deps: V8: cherry-pick cb00db4 (Keyhan Vakil) #​48671
• [65a6c90fc6] - deps: update acorn to 8.9.0 (Node.js GitHub Bot) #​48484
• [6b6d5d91e9] - deps: update zlib to 1.2.13.1-motley-f81f385 (Node.js GitHub Bot) #​48541
• [56249b0770] - deps: update googletest to ec4fed9 (Node.js GitHub Bot) #​48538
• [8914a5204a] - deps: update minimatch to 9.0.2 (Node.js GitHub Bot) #​48542
• [1b960d9988] - deps: update icu to 73.2 (Node.js GitHub Bot) #​48502
• [f0e2e3c549] - deps: update zlib to 1.2.13.1-motley-3ca9f16 (Node.js GitHub Bot) #​48413
• [9cf8fe6b93] - deps: upgrade npm to 9.8.1 (npm team) #​48838
• [d9ff473ff3] - deps: upgrade npm to 9.8.0 (npm team) #​48665
• [4a6177daad] - deps: upgrade npm to 9.7.2 (npm team) #​48514
• [104b58feb1] - deps: update ada to 2.6.0 (Node.js GitHub Bot) #​48896
• [7f7a125d78] - deps: update corepack to 0.19.0 (Node.js GitHub Bot) #​48540
• [5e1eb451d1] - deps: update corepack to 0.18.1 (Node.js GitHub Bot) #​48483
• [3be53358bc] - deps: add loong64 config into openssl gypi (Shi Pujin) #​48043
• [555982c59e] - deps: upgrade npm to 9.7.1 (npm team) #​48378
• [3c03ec0832] - deps: update simdutf to 3.2.14 (Node.js GitHub Bot) #​48344
• [a2964a4583] - deps: update ada to 2.5.1 (Node.js GitHub Bot) #​48319
• [38f6e0d8cd] - deps: update zlib to 982b036 (Node.js GitHub Bot) #​48327
• [f4617a4f81] - deps: add loongarch64 into openssl Makefile and gen openssl-loongarch64 (Shi Pujin) #​46401
• [573eb4be12] - dgram: socket add asyncDispose (atlowChemi) #​48717
• [f3c4300e00] - dgram: use addAbortListener (atlowChemi) #​48550
• [d3041df738] - doc: expand on squashing and rebasing to land a PR (Chengzhong Wu) #​48751
• [249879e46c] - doc: add atlowChemi to collaborators (atlowChemi) #​48757
• [42ecd46d1f] - doc: fix ambiguity in http.md and https.md (an5er) #​48692
• [e78824e053] - doc: add release key for Ulises Gascon (Ulises Gascón) #​49196
• [1aa798d69f] - doc: clarify transform._transform() callback argument logic (Rafael Sofi-zada) #​48680
• [d723e870a2] - doc: mention git node release prepare (Rafael Gonzaga) #​48644
• [a9a1394388] - doc: fix options order (Luigi Pinca) #​48617
• [989ea6858f] - doc: update security release stewards (Rafael Gonzaga) #​48569
• [f436ac1803] - doc: update return type for describe (Shrujal Shah) #​48572
• [fbe89e6320] - doc: run license-builder (github-actions[bot]) #​48552
• [f18b287bc3] - doc: add description of autoAllocateChunkSize in ReadableStream (Debadree Chatterjee) #​48004
• [e2f3ed1444] - doc: fix filename type in watch result (Dmitry Semigradsky) #​48032
• [1fe75dc2b0] - doc: unnest mime and MIMEParams from MIMEType constructor (Dmitry Semigradsky) #​47950
• [e1339d58e8] - doc: update security-release-process.md (Rafael Gonzaga) #​48504
• [e8dc7bde6a] - doc: add vmoroz to collaborators (Vladimir Morozov) #​48527
• [f8ba672c7b] - doc: link to Runtime Keys in export conditions (Jacob Hummer) #​48408
• [0056cb93e9] - doc: update fs flags documentation (sinkhaha) #​48463
• [3cf3fb9479] - doc: revise error.md introduction (Antoine du Hamel) #​48423
• [7575d8b90e] - doc: add preveen-stack to triagers (Preveen P) #​48387
• [820aa550a4] - doc: refine when file is undefined in test events (Moshe Atlow) #​48451
• [a30f2fbcc1] - doc: add kvakil to collaborators (Keyhan Vakil) #​48449
• [239b4ea66f] - doc: mark --import as experimental (Moshe Atlow) #​44067
• [2a561aefe2] - doc: add additional info on TSFN dispatch (Michael Dawson) #​48367
• [5cc6eee30d] - doc: add link for news from security wg (Michael Dawson) #​48396
• [ffece88452] - doc: fix typo in events.md (Darshan Sen) #​48436
• [06513585dc] - doc: run license-builder (github-actions[bot]) #​48336
• [d9a800ee5c] - esm: fix emit deprecation on legacy main resolve (Antoine du Hamel) #​48664
• [c39b7c240e] - (SEMVER-MINOR) esm: add --import flag (Moshe Atlow) #​43942
• [a00464ee06] - esm: fix specifier resolution and symlinks (Zack Newsham) #​47674
• [3b8ec348b0] - events: fix bug listenerCount don't compare wrapped listener (yuzheng14) #​48592
• [a68a67f54d] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow) #​48596
• [5354af3dab] - fs: call the callback with an error if writeSync fails (killa) #​47949
• [c3a27d1d3d] - fs: remove unneeded return statement (Luigi Pinca) #​48526
• [3a8586bee2] - fs, stream: initial Symbol.dispose and Symbol.asyncDispose support (Moshe Atlow) #​48518
• [01746c71df] - http: null the joinDuplicateHeaders property on cleanup (Luigi Pinca) #​48608
• [d47eb73a85] - http: remove useless ternary in test (geekreal) #​48481
• [977e9a38b4] - http: fix for handling on boot timers headers and request (Franciszek Koltuniuk) #​48291
• [be88f7cd22] - http2: use addAbortListener (atlowChemi) #​48550
• [7c7230a85c] - http2: send RST code 8 on AbortController signal (Devraj Mehta) #​48573
• [f74c2fc72a] - lib: use addAbortListener (atlowChemi) #​48550
• [db355d1f37] - lib: add option to force handling stopped events (Chemi Atlow) #​48301
• [5d682c55a5] - lib: reduce url getters on makeRequireFunction (Yagiz Nizipli) #​48492
• [5260f53e55] - lib: add support for inherited custom inspection methods (Antoine du Hamel) #​48306
• [69aaf8b1d1] - lib: remove invalid parameter to toASCII (Yagiz Nizipli) #​48878
• [51863b80e4] - meta: bump actions/checkout from 3.5.2 to 3.5.3 (dependabot[bot]) #​48625
• [7ec370991d] - meta: bump step-security/harden-runner from 2.4.0 to 2.4.1 (dependabot[bot]) #​48626
• [34b8e980d4] - meta: bump ossf/scorecard-action from 2.1.3 to 2.2.0 (dependabot[bot]) #​48628
• [dfed9a7da9] - meta: bump github/codeql-action from 2.3.6 to 2.20.1 (dependabot[bot]) #​48627
• [071eaadc5a] - module: add SourceMap.findOrigin (Isaac Z. Schlueter) #​47790
• [bf1525c549] - module: reduce url invocations in esm/load.js (Yagiz Nizipli) #​48337
• [f8921630a2] - net: server add asyncDispose (atlowChemi) #​48717
• [b5f53d9a0b] - net: fix family autoselection SSL connection handling (Paolo Insogna) #​48189
• [267439fc34] - net: rework autoSelectFamily implementation (Paolo Insogna) #​46587
• [d3637cdbbf] - net: fix address iteration with autoSelectFamily (Fedor Indutny) #​48258
• [e8289a83f1] - net: fix family autoselection timeout handling (Paolo Insogna) #​47860
• [863bdb785d] - net: add autoSelectFamily global getter and setter (Paolo Insogna) #​45777
• [04dc090bfa] - node-api: provide napi_define_properties fast path (Gabriel Schulhof) #​48440
• [feb6a54dc3] - node-api: implement external strings (Gabriel Schulhof) #​48339
• [121f74c463] - perf_hooks: convert maxSize to IDL value in setResourceTimingBufferSize (Chengzhong Wu) #​44902
• [804d880589] - permission: fix data types in PrintTree (Tobias Nießen) #​48770
• [7aaecce9bf] - permission: add debug log when inserting fs nodes (Rafael Gonzaga) #​48677
• [cb51ef2905] - readline: use addAbortListener (atlowChemi) #​48550
• [07065d0814] - report: disable js stack when no context is entered (Chengzhong Wu) #​48495
• [572b82ffef] - src: make BaseObject iteration order deterministic (Joyee Cheung) #​48702
• [3f65598a41] - src: remove kEagerCompile for CompileFunction (Keyhan Vakil) #​48671
• [f43eacac9b] - src: deduplicate X509 getter implementations (Tobias Nießen) #​48563
• [0c19621bdc] - src: fix uninitialized field access in AsyncHooks (Jan Olaf Krems) #​48566
• [0c38184d62] - src: fix Coverity issue regarding unnecessary copy (Yagiz Nizipli) #​48565
• [0d73009ba3] - src: refactor SplitString in util (Yagiz Nizipli) #​48491
• [6c72622df9] - src: handle wasm out of bound in osx will raise SIGBUS correctly (Congcong Cai) #​46561
• [e4261809b0] - src: replace idna functions with ada::idna (Yagiz Nizipli) #​47735
• [3dd82b1820] - stream: use addAbortListener (atlowChemi) #​48550
• [786fbdb824] - stream: fix premature pipeline end (Robert Nagy) #​48435
• [c224e1b255] - stream: fix deadlock when pipeing to full sink (Robert Nagy) #​48691
• [2c75b9ece2] - test: fix flaky test-string-decode.js on x86 (Stefan Stojanovic) #​48750
• [279c4f64c1] - test: mark test-http-regr-gh-2928 as flaky (Joyee Cheung) #​49565
• [01eacccd9a] - test: deflake test-net-throttle (Luigi Pinca) #​48599
• [33886b271c] - test: move test-net-throttle to parallel (Luigi Pinca) #​48599
• [a79112b5f4] - Revert "test: remove test-crypto-keygen flaky designation" (Luigi Pinca) #​48652
• [6ec57984db] - test: add missing assertions to test-runner-cli (Moshe Atlow) #​48593
• [dd1805e802] - test: remove test-crypto-keygen flaky designation (Luigi Pinca) #​48575
• [df9a9afc99] - test: remove test-timers-immediate-queue flaky designation (Luigi Pinca) #​48575
• [3ae96ae380] - test: make IsolateData per-isolate in cctest (Joyee Cheung) #​48450
• [f2ce8e0c06] - test: define NAPI_VERSION before including node_api.h (Chengzhong Wu) #​48376
• [13ac0a5e26] - test: remove unnecessary noop function args to mustNotCall() (Antoine du Hamel) #​48513
• [8fdd4c55b3] - test: skip test-runner-watch-mode on IBMi (Moshe Atlow) #​48473
• [9d90409241] - test: fix flaky test-watch-mode (Moshe Atlow) #​48147
• [27a4bc7c32] - test: add missing <algorithm> include for std::find (Sam James) #​48380
• [cb92c4b9fe] - test: update url web-platform tests (Yagiz Nizipli) #​48319
• [f35c4d3190] - test: ignore the copied entry_point.c (Luigi Pinca) #​48297
• [41d1e6888f] - test: refactor test-gc-http-client-timeout (Luigi Pinca) #​48292
• [125bca621a] - test: update encoding web-platform tests (Yagiz Nizipli) #​48320
• [e9ac111d02] - test: update FileAPI web-platform tests (Yagiz Nizipli) #​48322
• [3da57d17f5] - test: update user-timing web-platform tests (Yagiz Nizipli) #​48321
• [c728b8a29b] - test: fix test-net-autoselectfamily for kernel without IPv6 support (Livia Medeiros) #​45856
• [6de7aa1d19] - test: move test-tls-autoselectfamily-servername to test/internet (Antoine du Hamel) #​47029
• [2de9868292] - test: validate host with commas on url.parse (Yagiz Nizipli) #​48878
• [e7d2e8ef2a] - test: delete test-net-bytes-per-incoming-chunk-overhead (Michaël Zasso) #​48811
• [f5494fa1b0] - test_runner: fixed test shorthands return type (Shocker) #​48555
• [7051cafdfa] - test_runner: make --test-name-pattern recursive (Moshe Atlow) #​48382
• [f302286442] - test_runner: refactor coverage report output for readability (Damien Seguin) #​47791
• [7822a541e5] - timers: support Symbol.dispose (Moshe Atlow) #​48633
• [3eeca52db1] - tls: fix bugs of double TLS (rogertyang) #​48969
• [4826379516] - tools: run fetch_deps.py with Python 3 (Richard Lau) #​48729
• [e2688c8d79] - tools: update doc to unist-util-select@5.0.0 unist-util-visit@5.0.0 (Node.js GitHub Bot) #​48714
• [7399481096] - tools: update lint-md-dependencies to rollup@3.26.2 (Node.js GitHub Bot) #​48705
• [31c07153ce] - tools: update eslint to 8.44.0 (Node.js GitHub Bot) #​48632
• [4e53f51e24] - tools: update lint-md-dependencies to rollup@3.26.0 (Node.js GitHub Bot) #​48631
• [7d52950a96] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48544
• [e168eab3ee] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48486
• [9711bc24f6] - tools: replace sed with perl (Luigi Pinca) #​48499
• [9c1937c0a7] - tools: update eslint to 8.43.0 (Node.js GitHub Bot) #​48487
• [9449f05ab1] - tools: update doc to to-vfile@8.0.0 (Node.js GitHub Bot) #​48485
• [79dcd968b1] - tools: prepare tools/doc for to-vfile 8.0.0 (Rich Trott) #​48485
• [538f388ac0] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48417
• [01bc10dcd5] - tools: update create-or-update-pull-request-action (Richard Lau) #​48398
• [590a072657] - tools: update eslint-plugin-jsdoc (Richard Lau) #​48393
• [6a5805491e] - tools: update eslint to 8.42.0 (Node.js GitHub Bot) #​48328
• [2eb13e3986] - tools: disable jsdoc/no-defaults rule (Luigi Pinca) #​48328
• [3363cfa6c7] - typings: remove unused primordials (Yagiz Nizipli) #​48509
• [c59ae86ba0] - (SEMVER-MINOR) url: add value argument to has and delete methods (Sankalp Shubham) #​47885
• [f59c9636f4] - url: conform to origin getter spec changes (Yagiz Nizipli) #​48319
• [0beb5ab93d] - url: ensure getter access do not mutate observable symbols (Antoine du Hamel) #​48897
• [0a022c496d] - util: use primordials.ArrayPrototypeIndexOf instead of mutable method (DaisyDogs07) #​48586

v18.17.1: 2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-32002: Policies can be bypassed via Module._load (High)
• CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
• CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 14th July.
  • OpenSSL security advisory 19th July.
  • OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.

Commits

• [fe3abdf82e] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [2c5a522d9c] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [15bced0bde] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417
• [d4570fae35] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#460

v18.17.0: 2023-07-18, Version 18.17.0 'Hydrogen' (LTS), @​danielleadams

Compare Source

Notable Changes

Ada 2.0

Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements
to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.

Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the
improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4,
while also eliminating the need for the ICU requirement for URL hostname parsing.

Contributed by Yagiz Nizipli and Daniel Lemire in #​47339

Web Crypto API

Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations.
This further improves interoperability with other implementations of Web Crypto API.

Contributed by Filip Skokan in #​46067

• crypto:
  • update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• dns:
  • (SEMVER-MINOR) expose getDefaultResultOrder (btea) #​46973
• doc:
  • add ovflowd to collaborators (Claudio Wunder) #​47844
  • add KhafraDev to collaborators (Matthew Aitken) #​47510
• events:
  • (SEMVER-MINOR) add getMaxListeners method (Matthew Aitken) #​47039
• fs:
  • (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
  • (SEMVER-MINOR) add recursive option to readdir and opendir (Ethan Arrowood) #​41439
  • (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
  • (SEMVER-MINOR) implement byob mode for readableWebStream() (Debadree Chatterjee) #​46933
• http:
  • (SEMVER-MINOR) prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #​47732
  • (SEMVER-MINOR) remove internal error in assignSocket (Matteo Collina) #​47723
  • (SEMVER-MINOR) add highWaterMark opt in http.createServer (HinataKah0) #​47405
• lib:
  • (SEMVER-MINOR) add webstreams to Duplex.from() (Debadree Chatterjee) #​46190
  • (SEMVER-MINOR) implement AbortSignal.any() (Chemi Atlow) #​47821
• module:
  • change default resolver to not throw on unknown scheme (Gil Tayar) #​47824
• node-api:
  • (SEMVER-MINOR) define version 9 (Chengzhong Wu) #​48151
  • (SEMVER-MINOR) deprecate napi_module_register (Vladimir Morozov) #​46319
• stream:
  • (SEMVER-MINOR) preserve object mode in compose (Raz Luvaton) #​47413
  • (SEMVER-MINOR) add setter & getter for default highWaterMark (#​46929) (Robert Nagy) #​46929
• test:
  • unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) #​48078
• test_runner:
  • (SEMVER-MINOR) add shorthands to test (Chemi Atlow) #​47909
  • (SEMVER-MINOR) support combining coverage reports (Colin Ihrig) #​47686
  • (SEMVER-MINOR) execute before hook on test (Chemi Atlow) #​47586
  • (SEMVER-MINOR) expose reporter for use in run api (Chemi Atlow) #​47238
• tools:
  • update LICENSE and license-builder.sh (Santiago Gimeno) #​48078
• url:
  • (SEMVER-MINOR) implement URL.canParse (Matthew Aitken) #​47179
• wasi:
  • (SEMVER-MINOR) no longer require flag to enable wasi (Michael Dawson) #​47286

Commits

• [2ba08ac002] - benchmark: use cluster.isPrimary instead of cluster.isMaster (Deokjin Kim) #​48002
• [60ca69d96c] - benchmark: add eventtarget creation bench (Rafael Gonzaga) #​47774
• [d8233d96bb] - benchmark: add a benchmark for defaultResolve (Antoine du Hamel) #​47543
• [a1aabb6912] - benchmark: fix invalid requirementsURL (Deokjin Kim) #​47378
• [394c61caf9] - bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #​47467
• [0165a765a0] - bootstrap: do not expand process.argv[1] for snapshot entry points (Joyee Cheung) #​47466
• [cca557cdd9] - buffer: combine checking range of sourceStart in buf.copy (Deokjin Kim) #​47758
• [4c69be467c] - buffer: use private properties for brand checks in File (Matthew Aitken) #​47154
• [d002f9b6e2] - build: revert unkonwn ruff selector (Moshe Atlow) #​48753
• [93f77cb762] - build: set v8_enable_webassembly=false when lite mode is enabled (Cheng Shao) #​48248
• [1662e894f3] - build: add action to close stale PRs (Michael Dawson) #​48051
• [5ca437b288] - build: use pathlib for paths (Mohammed Keyvanzadeh) #​47581
• [72443bc54b] - build: refactor configure.py (Mohammed Keyvanzadeh) #​47667
• [d4eecb5be9] - build: add devcontainer configuration (Tierney Cyren) #​40825
• [803ed41144] - build: bump ossf/scorecard-action from 2.1.2 to 2.1.3 (dependabot[bot]) #​47367
• [48468c4413] - build: replace Python linter flake8 with ruff (Christian Clauss) #​47519
• [3ceb2c4387] - build: add node-core-utils to setup (Jiawen Geng) #​47442
• [fdc59b8e14] - build: bump github/codeql-action from 2.2.6 to 2.2.9 (dependabot[bot]) #​47366
• [3924893023] - build: update stale action from v7 to v8 (Rich Trott) #​47357
• [753185c5b0] - build: remove Python pip --no-user option (Christian Clauss) #​47372
• [67af0a6a2b] - build: avoid usage of pipes library (Mohammed Keyvanzadeh) #​47271
• [db910dd6b2] - build, deps, tools: avoid excessive LTO (Konstantin Demin) #​47313
• [35d1def891] - child_process: use signal.reason in child process abort (Debadree Chatterjee) #​47817
• [7692d2e7b9] - cluster: use ObjectPrototypeHasOwnProperty (Daeyeon Jeong) #​48141
• [7617772762] - crypto: use openssl's own memory BIOs in crypto_context.cc (GauriSpears) #​47160
• [8cabfe7c6e] - crypto: fix setEngine() when OPENSSL_NO_ENGINE set (Tobias Nießen) #​47977
• [de1338da05] - crypto: fix webcrypto private/secret import with empty usages (Filip Skokan) #​47877
• [27a696fda9] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• [e2292f936e] - crypto: remove INT_MAX restriction in randomBytes (Tobias Nießen) #​47559
• [a5f214c00c] - crypto: replace THROW with CHECK for scrypt keylen (Tobias Nießen) #​47407
• [dd42214fd4] - crypto: unify validation of checkPrime checks (Tobias Nießen) #​47165
• [76e4d12fb3] - crypto: re-add padding for AES-KW wrapped JWKs (Filip Skokan) #​46563
• [9d894c17dd] - crypto: use WebIDL converters in WebCryptoAPI (Filip Skokan) #​46067
• [6f3a8b45a5] - deps: update ada to 2.5.0 (Node.js GitHub Bot) #​48223
• [075b6db919] - deps: update ada to 2.4.2 (Node.js GitHub Bot) #​48092
• [a4ee1f652c] - deps: update ada to 2.4.1 (Node.js GitHub Bot) #​48036
• [81b514d3f0] - deps: update ada to 2.4.0 (Node.js GitHub Bot) #​47922
• [575ddf694f] - deps: update ada to 2.3.1 (Node.js GitHub Bot) #​47893
• [2d03d5f458] - deps: update ada to 2.3.0 (Node.js GitHub Bot) #​47737
• [42e690f2d5] - deps: update ada to 2.2.0 (Node.js GitHub Bot) #​47678
• [08dd271521] - deps: update ada to 2.1.0 (Node.js GitHub Bot) #​47598
• [96c50ba71f] - deps: update ada to 2.0.0 (Node.js GitHub Bot) #​47339
• [4d1c38b758] - deps: update zlib to 337322d (Node.js GitHub Bot) #​48218
• [74206b2549] - deps: update histogram 0.11.8 (Marco Ippolito) #​47742
• [fbb4b3775d] - deps: update histogram to 0.11.7 (Marco Ippolito) #​47742
• [e88c079022] - deps: update simdutf to 3.2.12 (Node.js GitHub Bot) #​48118
• [48bd1248b9] - deps: update minimatch to 9.0.1 (Node.js GitHub Bot) #​48094
• [d4572d31fa] - deps: update corepack to 0.18.0 (Node.js GitHub Bot) #​48091
• [8090d29dc4] - deps: update uvwasi to 0.0.18 (Node.js GitHub Bot) #​47866
• [169c8eea2e] - deps: update uvwasi to 0.0.17 (Node.js GitHub Bot) #​47866
• [6acbb23380] - deps: upgrade npm to 9.6.7 (npm team) #​48062
• [e8f2c0a58b] - deps: update undici to 5.22.1 (Node.js GitHub Bot) #​47994
• [9309fd3120] - deps: update simdutf to 3.2.9 (Node.js GitHub Bot) #​47983
• [b796d3560a] - deps: upgrade npm to 9.6.6 (npm team) #​47862
• [cce372e14e] - deps: V8: cherry-pick c5ab3e4 (Richard Lau) #​47736
• [7283486adb] - deps: update undici to 5.22.0 (Node.js GitHub Bot) #​47679
• [2ea6e03003] - deps: add minimatch as a dependency (Moshe Atlow) #​47499
• [261e1d23d1] - deps: update ICU to 73.1 release (Steven R. Loomis) #​47456
• [f532f9df5f] - deps: update undici to 5.21.2 (Node.js GitHub Bot) #​47508
• [dcb8c038b9] - deps: update simdutf to 3.2.8 (Node.js GitHub Bot) #​47507
• [6c8456d61f] - deps: update undici to 5.21.1 (Node.js GitHub Bot) #​47488
• [d3b2e8a438] - deps: update simdutf to 3.2.7 (Node.js GitHub Bot) #​47473
• [64a5fe0499] - deps: update corepack to 0.17.2 (Node.js GitHub Bot) #​47474
• [6f0f61a7d3] - deps: upgrade npm to 9.6.4 (npm team) #​47432
• [443a72e207] - deps: update zlib to upstream 5edb52d (Luigi Pinca) #​47151
• [dc3bc46914] - deps: update simdutf to 3.2.3 (Node.js GitHub Bot) #​47331
• [b2f2bebbc2] - deps: update timezone to 2023c (Node.js GitHub Bot) #​47302
• [c10729ffa7] - deps: upgrade npm to 9.6.3 (npm team) #​47325
• [420deac1de] - deps: update corepack to 0.17.1 (Node.js GitHub Bot) #​47156
• [966ba28491] - deps: V8: cherry-pick 3e4952c (Richard Lau) #​47236
• [fc6ab26824] - deps: update timezone to 2023b (Node.js GitHub Bot) #​47256
• [2700e70215] - deps: upgrade npm to 9.6.2 (npm team) #​47108
• [29ba98a0a5] - deps: V8: cherry-pick 975ff4d (Debadree Chatterjee) #​47209
• [[be34777be8](https://togithub.com/nod

---

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/Moscow, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[viezly]

Pull request by bot. No need to analyze

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[github-actions]

🏷️ [bumpr] Next version:v1.16.1 Changes:v1.16.0...AlexRogalskiy:renovate/node-20.x

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Bin script shell injection	npm	6.14.11	Bin Script: which	@semantic-release/github@7.2.0, @semantic-release/npm@7.0.10, @semantic-release/release-notes-generator@9.0.1, semantic-release@17.3.9 via package.json

Next steps

What is bin script shell injection?

This package re-exports a well known shell command via an npm bin script. This is possibly a supply chain attack

Packages should not export bin scripts which conflict with well known shell commands

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm@6.14.11