chore(deps): update node.js to 18.20

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
node (source)	engines	minor	18.13 -> 18.20

---

Release Notes

nodejs/node (node)

v18.20.3: 2024-05-21, Version 18.20.3 'Hydrogen' (LTS), @​richardlau

Compare Source

Notable Changes

This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.

A fix has also been included for compiling Node.js from source with newer versions of Clang.

The list of keys used to sign releases has been synchronized with the current list from the main branch.

Updated dependencies

• acorn updated to 8.11.3.
• acorn-walk updated to 8.3.2.
• ada updated to 2.7.8.
• c-ares updated to 1.28.1.
• corepack updated to 0.28.0.
• nghttp2 updated to 1.61.0.
• ngtcp2 updated to 1.3.0.
• npm updated to 10.7.0. Includes a fix from npm@10.5.1 to limit the number of open connections npm/cli#7324.
• simdutf updated to 5.2.4.
• zlib updated to 1.3.0.1-motley-7d77fb7.

Commits

• [0c260e10e7] - deps: update zlib to 1.3.0.1-motley-7d77fb7 (Node.js GitHub Bot) #​52516
• [1152d7f919] - deps: update zlib to 1.3.0.1-motley-24c07df (Node.js GitHub Bot) #​52199
• [755399db9d] - deps: update zlib to 1.3.0.1-motley-24342f6 (Node.js GitHub Bot) #​52123
• [af3e32073b] - deps: update ada to 2.7.8 (Node.js GitHub Bot) #​52517
• [e4ea2db58b] - deps: update c-ares to 1.28.1 (Node.js GitHub Bot) #​52285
• [14e857bea2] - deps: update corepack to 0.28.0 (Node.js GitHub Bot) #​52616
• [7f5dd44ca6] - deps: upgrade npm to 10.7.0 (npm team) #​52767
• [78f84ebb09] - deps: update ngtcp2 to 1.3.0 (Node.js GitHub Bot) #​51796
• [1f489a3753] - deps: update ngtcp2 to 1.2.0 (Node.js GitHub Bot) #​51584
• [3034968225] - deps: update ngtcp2 to 1.1.0 (Node.js GitHub Bot) #​51319
• [1aa9da467f] - deps: add nghttp3/**/.deps to .gitignore (Luigi Pinca) #​51400
• [28c0c78c9a] - deps: update ngtcp2 and nghttp3 (James M Snell) #​51291
• [8fd5a35364] - deps: upgrade npm to 10.5.2 (npm team) #​52458
• [2c53ff31c9] - deps: update acorn-walk to 8.3.2 (Node.js GitHub Bot) #​51457
• [12f28f33c2] - deps: update acorn to 8.11.3 (Node.js GitHub Bot) #​51317
• [dddb7eb3e0] - deps: update acorn-walk to 8.3.1 (Node.js GitHub Bot) #​50457
• [c86550e607] - deps: update acorn-walk to 8.3.0 (Node.js GitHub Bot) #​50457
• [9500817f66] - deps: update acorn to 8.11.2 (Node.js GitHub Bot) #​50460
• [7a8c7b6275] - deps: update ada to 2.7.7 (Node.js GitHub Bot) #​52028
• [b199889943] - deps: update corepack to 0.26.0 (Node.js GitHub Bot) #​52027
• [052b0ba0c6] - deps: upgrade npm to 10.5.1 (npm team) #​52351
• [209823d3af] - deps: update simdutf to 5.2.4 (Node.js GitHub Bot) #​52473
• [5114cbe18a] - deps: update simdutf to 5.2.3 (Yagiz Nizipli) #​52381
• [be30309ea0] - deps: update simdutf to 5.0.0 (Daniel Lemire) #​52138
• [b56f66e250] - deps: update simdutf to 4.0.9 (Node.js GitHub Bot) #​51655
• [a9f3b9d9d1] - deps: update nghttp2 to 1.61.0 (Node.js GitHub Bot) #​52395
• [1b6fa70620] - deps: update nghttp2 to 1.60.0 (Node.js GitHub Bot) #​51948
• [3c9dbbf4d4] - deps: update nghttp2 to 1.59.0 (Node.js GitHub Bot) #​51581
• [e28316da54] - deps: update nghttp2 to 1.58.0 (Node.js GitHub Bot) #​50441
• [678641f470] - deps: V8: cherry-pick d15d49b (Bo Anderson) #​52337
• [1147fee7d9] - doc: remove ableist language from crypto (Jamie King) #​52063
• [5e93eae972] - doc: add release key for marco-ippolito (marco-ippolito) #​52257
• [6689a98488] - http: remove closeIdleConnections function while calling server close (Kumar Rishav) #​52336
• [71616e8a8a] - node-api: make tsfn accept napi_finalize once more (Gabriel Schulhof) #​51801
• [d9d9e62474] - src: avoid draining platform tasks at FreeEnvironment (Chengzhong Wu) #​51290
• [e5fc8ec9fc] - test: skip v8-updates/test-linux-perf (Michaël Zasso) #​49639
• [351ef189ca] - test: v8: Add test-linux-perf-logger test suite (Luke Albao) #​50352
• [5cec2efc31] - test: reduce the number of requests and parsers (Luigi Pinca) #​50240
• [5186e453d9] - test: deflake test-http-regr-gh-2928 (Luigi Pinca) #​49574
• [c60cd67e1c] - test: skip test for dynamically linked OpenSSL (Richard Lau) #​52542

v18.20.2: 2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [6627222409] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564

v18.20.1

Compare Source

v18.20.0

Compare Source

v18.19.1

Compare Source

v18.19.0

Compare Source

v18.18.2

Compare Source

v18.18.1: 2023-10-10, Version 18.18.1 'Hydrogen' (LTS), @​richardlau

Compare Source

Notable Changes

This release addresses some regressions that appeared in Node.js 18.18.0:

• (Windows) FS can not handle certain characters in file name #​48673
• 18 and 20 node images give error - Text file busy (after re-build images) nodejs/docker-node#1968
• libuv update in 18.18.0 breaks webpack's thread-loader #​49911

The libuv 1.45.0 and 1.46.0 updates that were released in Node.js 18.18.0 have been temporarily reverted.

Commits

• [3e3a75cc46] - Revert "build: sync libuv header change" (Richard Lau) #​50036
• [14ece2c479] - Revert "deps: upgrade to libuv 1.45.0" (Richard Lau) #​50036
• [022352acbe] - Revert "deps: upgrade to libuv 1.46.0" (Richard Lau) #​50036
• [d9f138189c] - Revert "deps: add missing thread-common.c in uv.gyp" (Richard Lau) #​50036
• [7a3e1ffbb8] - fs: make sure to write entire buffer (Robert Nagy) #​49211
• [04cba95a67] - test: add tmpdir.resolve() (Livia Medeiros) #​49079

v18.18.0: 2023-09-18, Version 18.18.0 'Hydrogen' (LTS), @​ruyadorno

Compare Source

Notable Changes

• [7dc731d4bf] - build: sync libuv header change (Jiawen Geng) #​48078
• [490fc004b0] - crypto: update root certificates to NSS 3.93 (Node.js GitHub Bot) #​49341
• [dd8cd97d4d] - crypto: update root certificates to NSS 3.90 (Node.js GitHub Bot) #​48416
• [ea23870bec] - deps: add missing thread-common.c in uv.gyp (Santiago Gimeno) #​48078
• [88855e0b1b] - deps: upgrade to libuv 1.46.0 (Santiago Gimeno) #​48078
• [fb2b80fca0] - deps: upgrade to libuv 1.45.0 (Santiago Gimeno) #​48078
• [249879e46c] - doc: add atlowChemi to collaborators (atlowChemi) #​48757
• [e8dc7bde6a] - doc: add vmoroz to collaborators (Vladimir Morozov) #​48527
• [a30f2fbcc1] - doc: add kvakil to collaborators (Keyhan Vakil) #​48449
• [c39b7c240e] - (SEMVER-MINOR) esm: add --import flag (Moshe Atlow) #​43942
• [a68a67f54d] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow) #​48596
• [3a8586bee2] - fs, stream: initial Symbol.dispose and Symbol.asyncDispose support (Moshe Atlow) #​48518
• [863bdb785d] - net: add autoSelectFamily global getter and setter (Paolo Insogna) #​45777
• [c59ae86ba0] - (SEMVER-MINOR) url: add value argument to has and delete methods (Sankalp Shubham) #​47885

Commits

• [d1f43317ea] - benchmark: add bar.R (Rafael Gonzaga) #​47729
• [4f74be3c92] - benchmark: refactor crypto oneshot (Filip Skokan) #​48267
• [fe9da9df0f] - benchmark: add crypto.create*Key (Filip Skokan) #​48284
• [9cb18b3e9d] - build: do not pass target toolchain flags to host toolchain (Ivan Trubach) #​48597
• [7dc731d4bf] - build: sync libuv header change (Jiawen Geng) #​48078
• [211a4f88a9] - build: update action to close stale PRs (Michael Dawson) #​48196
• [cc33a1864b] - child_process: harden against prototype pollution (Livia Medeiros) #​48726
• [b5df084e1e] - child_process: use addAbortListener (atlowChemi) #​48550
• [611db8df1a] - child_process: support Symbol.dispose (Moshe Atlow) #​48551
• [490fc004b0] - crypto: update root certificates to NSS 3.93 (Node.js GitHub Bot) #​49341
• [dd8cd97d4d] - crypto: update root certificates to NSS 3.90 (Node.js GitHub Bot) #​48416
• [b2bc839d4c] - crypto: remove OPENSSL_FIPS guard for OpenSSL 3 (Richard Lau) #​48392
• [c8da8c80b9] - deps: update nghttp2 to 1.55.0 (Node.js GitHub Bot) #​48746
• [7e04242dcb] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #​48704
• [ea23870bec] - deps: add missing thread-common.c in uv.gyp (Santiago Gimeno) #​48078
• [88855e0b1b] - deps: upgrade to libuv 1.46.0 (Santiago Gimeno) #​48078
• [fb2b80fca0] - deps: upgrade to libuv 1.45.0 (Santiago Gimeno) #​48078
• [59fca4e09a] - deps: update acorn to 8.10.0 (Node.js GitHub Bot) #​48713
• [bcb255d5a8] - deps: V8: cherry-pick cb00db4 (Keyhan Vakil) #​48671
• [65a6c90fc6] - deps: update acorn to 8.9.0 (Node.js GitHub Bot) #​48484
• [6b6d5d91e9] - deps: update zlib to 1.2.13.1-motley-f81f385 (Node.js GitHub Bot) #​48541
• [56249b0770] - deps: update googletest to ec4fed9 (Node.js GitHub Bot) #​48538
• [8914a5204a] - deps: update minimatch to 9.0.2 (Node.js GitHub Bot) #​48542
• [1b960d9988] - deps: update icu to 73.2 (Node.js GitHub Bot) #​48502
• [f0e2e3c549] - deps: update zlib to 1.2.13.1-motley-3ca9f16 (Node.js GitHub Bot) #​48413
• [9cf8fe6b93] - deps: upgrade npm to 9.8.1 (npm team) #​48838
• [d9ff473ff3] - deps: upgrade npm to 9.8.0 (npm team) #​48665
• [4a6177daad] - deps: upgrade npm to 9.7.2 (npm team) #​48514
• [104b58feb1] - deps: update ada to 2.6.0 (Node.js GitHub Bot) #​48896
• [7f7a125d78] - deps: update corepack to 0.19.0 (Node.js GitHub Bot) #​48540
• [5e1eb451d1] - deps: update corepack to 0.18.1 (Node.js GitHub Bot) #​48483
• [3be53358bc] - deps: add loong64 config into openssl gypi (Shi Pujin) #​48043
• [555982c59e] - deps: upgrade npm to 9.7.1 (npm team) #​48378
• [3c03ec0832] - deps: update simdutf to 3.2.14 (Node.js GitHub Bot) #​48344
• [a2964a4583] - deps: update ada to 2.5.1 (Node.js GitHub Bot) #​48319
• [38f6e0d8cd] - deps: update zlib to 982b036 (Node.js GitHub Bot) #​48327
• [f4617a4f81] - deps: add loongarch64 into openssl Makefile and gen openssl-loongarch64 (Shi Pujin) #​46401
• [573eb4be12] - dgram: socket add asyncDispose (atlowChemi) #​48717
• [f3c4300e00] - dgram: use addAbortListener (atlowChemi) #​48550
• [d3041df738] - doc: expand on squashing and rebasing to land a PR (Chengzhong Wu) #​48751
• [249879e46c] - doc: add atlowChemi to collaborators (atlowChemi) #​48757
• [42ecd46d1f] - doc: fix ambiguity in http.md and https.md (an5er) #​48692
• [e78824e053] - doc: add release key for Ulises Gascon (Ulises Gascón) #​49196
• [1aa798d69f] - doc: clarify transform._transform() callback argument logic (Rafael Sofi-zada) #​48680
• [d723e870a2] - doc: mention git node release prepare (Rafael Gonzaga) #​48644
• [a9a1394388] - doc: fix options order (Luigi Pinca) #​48617
• [989ea6858f] - doc: update security release stewards (Rafael Gonzaga) #​48569
• [f436ac1803] - doc: update return type for describe (Shrujal Shah) #​48572
• [fbe89e6320] - doc: run license-builder (github-actions[bot]) #​48552
• [f18b287bc3] - doc: add description of autoAllocateChunkSize in ReadableStream (Debadree Chatterjee) #​48004
• [e2f3ed1444] - doc: fix filename type in watch result (Dmitry Semigradsky) #​48032
• [1fe75dc2b0] - doc: unnest mime and MIMEParams from MIMEType constructor (Dmitry Semigradsky) #​47950
• [e1339d58e8] - doc: update security-release-process.md (Rafael Gonzaga) #​48504
• [e8dc7bde6a] - doc: add vmoroz to collaborators (Vladimir Morozov) #​48527
• [f8ba672c7b] - doc: link to Runtime Keys in export conditions (Jacob Hummer) #​48408
• [0056cb93e9] - doc: update fs flags documentation (sinkhaha) #​48463
• [3cf3fb9479] - doc: revise error.md introduction (Antoine du Hamel) #​48423
• [7575d8b90e] - doc: add preveen-stack to triagers (Preveen P) #​48387
• [820aa550a4] - doc: refine when file is undefined in test events (Moshe Atlow) #​48451
• [a30f2fbcc1] - doc: add kvakil to collaborators (Keyhan Vakil) #​48449
• [239b4ea66f] - doc: mark --import as experimental (Moshe Atlow) #​44067
• [2a561aefe2] - doc: add additional info on TSFN dispatch (Michael Dawson) #​48367
• [5cc6eee30d] - doc: add link for news from security wg (Michael Dawson) #​48396
• [ffece88452] - doc: fix typo in events.md (Darshan Sen) #​48436
• [06513585dc] - doc: run license-builder (github-actions[bot]) #​48336
• [d9a800ee5c] - esm: fix emit deprecation on legacy main resolve (Antoine du Hamel) #​48664
• [c39b7c240e] - (SEMVER-MINOR) esm: add --import flag (Moshe Atlow) #​43942
• [a00464ee06] - esm: fix specifier resolution and symlinks (Zack Newsham) #​47674
• [3b8ec348b0] - events: fix bug listenerCount don't compare wrapped listener (yuzheng14) #​48592
• [a68a67f54d] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow) #​48596
• [5354af3dab] - fs: call the callback with an error if writeSync fails (killa) #​47949
• [c3a27d1d3d] - fs: remove unneeded return statement (Luigi Pinca) #​48526
• [3a8586bee2] - fs, stream: initial Symbol.dispose and Symbol.asyncDispose support (Moshe Atlow) #​48518
• [01746c71df] - http: null the joinDuplicateHeaders property on cleanup (Luigi Pinca) #​48608
• [d47eb73a85] - http: remove useless ternary in test (geekreal) #​48481
• [977e9a38b4] - http: fix for handling on boot timers headers and request (Franciszek Koltuniuk) #​48291
• [be88f7cd22] - http2: use addAbortListener (atlowChemi) #​48550
• [7c7230a85c] - http2: send RST code 8 on AbortController signal (Devraj Mehta) #​48573
• [f74c2fc72a] - lib: use addAbortListener (atlowChemi) #​48550
• [db355d1f37] - lib: add option to force handling stopped events (Chemi Atlow) #​48301
• [5d682c55a5] - lib: reduce url getters on makeRequireFunction (Yagiz Nizipli) #​48492
• [5260f53e55] - lib: add support for inherited custom inspection methods (Antoine du Hamel) #​48306
• [69aaf8b1d1] - lib: remove invalid parameter to toASCII (Yagiz Nizipli) #​48878
• [51863b80e4] - meta: bump actions/checkout from 3.5.2 to 3.5.3 (dependabot[bot]) #​48625
• [7ec370991d] - meta: bump step-security/harden-runner from 2.4.0 to 2.4.1 (dependabot[bot]) #​48626
• [34b8e980d4] - meta: bump ossf/scorecard-action from 2.1.3 to 2.2.0 (dependabot[bot]) #​48628
• [dfed9a7da9] - meta: bump github/codeql-action from 2.3.6 to 2.20.1 (dependabot[bot]) #​48627
• [071eaadc5a] - module: add SourceMap.findOrigin (Isaac Z. Schlueter) #​47790
• [bf1525c549] - module: reduce url invocations in esm/load.js (Yagiz Nizipli) #​48337
• [f8921630a2] - net: server add asyncDispose (atlowChemi) #​48717
• [b5f53d9a0b] - net: fix family autoselection SSL connection handling (Paolo Insogna) #​48189
• [267439fc34] - net: rework autoSelectFamily implementation (Paolo Insogna) #​46587
• [d3637cdbbf] - net: fix address iteration with autoSelectFamily (Fedor Indutny) #​48258
• [e8289a83f1] - net: fix family autoselection timeout handling (Paolo Insogna) #​47860
• [863bdb785d] - net: add autoSelectFamily global getter and setter (Paolo Insogna) #​45777
• [04dc090bfa] - node-api: provide napi_define_properties fast path (Gabriel Schulhof) #​48440
• [feb6a54dc3] - node-api: implement external strings (Gabriel Schulhof) #​48339
• [121f74c463] - perf_hooks: convert maxSize to IDL value in setResourceTimingBufferSize (Chengzhong Wu) #​44902
• [804d880589] - permission: fix data types in PrintTree (Tobias Nießen) #​48770
• [7aaecce9bf] - permission: add debug log when inserting fs nodes (Rafael Gonzaga) #​48677
• [cb51ef2905] - readline: use addAbortListener (atlowChemi) #​48550
• [07065d0814] - report: disable js stack when no context is entered (Chengzhong Wu) #​48495
• [572b82ffef] - src: make BaseObject iteration order deterministic (Joyee Cheung) #​48702
• [3f65598a41] - src: remove kEagerCompile for CompileFunction (Keyhan Vakil) #​48671
• [f43eacac9b] - src: deduplicate X509 getter implementations (Tobias Nießen) #​48563
• [0c19621bdc] - src: fix uninitialized field access in AsyncHooks (Jan Olaf Krems) #​48566
• [0c38184d62] - src: fix Coverity issue regarding unnecessary copy (Yagiz Nizipli) #​48565
• [0d73009ba3] - src: refactor SplitString in util (Yagiz Nizipli) #​48491
• [6c72622df9] - src: handle wasm out of bound in osx will raise SIGBUS correctly (Congcong Cai) #​46561
• [e4261809b0] - src: replace idna functions with ada::idna (Yagiz Nizipli) #​47735
• [3dd82b1820] - stream: use addAbortListener (atlowChemi) #​48550
• [786fbdb824] - stream: fix premature pipeline end (Robert Nagy) #​48435
• [c224e1b255] - stream: fix deadlock when pipeing to full sink (Robert Nagy) #​48691
• [2c75b9ece2] - test: fix flaky test-string-decode.js on x86 (Stefan Stojanovic) #​48750
• [279c4f64c1] - test: mark test-http-regr-gh-2928 as flaky (Joyee Cheung) #​49565
• [01eacccd9a] - test: deflake test-net-throttle (Luigi Pinca) #​48599
• [33886b271c] - test: move test-net-throttle to parallel (Luigi Pinca) #​48599
• [a79112b5f4] - Revert "test: remove test-crypto-keygen flaky designation" (Luigi Pinca) #​48652
• [6ec57984db] - test: add missing assertions to test-runner-cli (Moshe Atlow) #​48593
• [dd1805e802] - test: remove test-crypto-keygen flaky designation (Luigi Pinca) #​48575
• [df9a9afc99] - test: remove test-timers-immediate-queue flaky designation (Luigi Pinca) #​48575
• [3ae96ae380] - test: make IsolateData per-isolate in cctest (Joyee Cheung) #​48450
• [f2ce8e0c06] - test: define NAPI_VERSION before including node_api.h (Chengzhong Wu) #​48376
• [13ac0a5e26] - test: remove unnecessary noop function args to mustNotCall() (Antoine du Hamel) #​48513
• [8fdd4c55b3] - test: skip test-runner-watch-mode on IBMi (Moshe Atlow) #​48473
• [9d90409241] - test: fix flaky test-watch-mode (Moshe Atlow) #​48147
• [27a4bc7c32] - test: add missing <algorithm> include for std::find (Sam James) #​48380
• [cb92c4b9fe] - test: update url web-platform tests (Yagiz Nizipli) #​48319
• [f35c4d3190] - test: ignore the copied entry_point.c (Luigi Pinca) #​48297
• [41d1e6888f] - test: refactor test-gc-http-client-timeout (Luigi Pinca) #​48292
• [125bca621a] - test: update encoding web-platform tests (Yagiz Nizipli) #​48320
• [e9ac111d02] - test: update FileAPI web-platform tests (Yagiz Nizipli) #​48322
• [3da57d17f5] - test: update user-timing web-platform tests (Yagiz Nizipli) #​48321
• [c728b8a29b] - test: fix test-net-autoselectfamily for kernel without IPv6 support (Livia Medeiros) #​45856
• [6de7aa1d19] - test: move test-tls-autoselectfamily-servername to test/internet (Antoine du Hamel) #​47029
• [2de9868292] - test: validate host with commas on url.parse (Yagiz Nizipli) #​48878
• [e7d2e8ef2a] - test: delete test-net-bytes-per-incoming-chunk-overhead (Michaël Zasso) #​48811
• [f5494fa1b0] - test_runner: fixed test shorthands return type (Shocker) #​48555
• [7051cafdfa] - test_runner: make --test-name-pattern recursive (Moshe Atlow) #​48382
• [f302286442] - test_runner: refactor coverage report output for readability (Damien Seguin) #​47791
• [7822a541e5] - timers: support Symbol.dispose (Moshe Atlow) #​48633
• [3eeca52db1] - tls: fix bugs of double TLS (rogertyang) #​48969
• [4826379516] - tools: run fetch_deps.py with Python 3 (Richard Lau) #​48729
• [e2688c8d79] - tools: update doc to unist-util-select@5.0.0 unist-util-visit@5.0.0 (Node.js GitHub Bot) #​48714
• [7399481096] - tools: update lint-md-dependencies to rollup@3.26.2 (Node.js GitHub Bot) #​48705
• [31c07153ce] - tools: update eslint to 8.44.0 (Node.js GitHub Bot) #​48632
• [4e53f51e24] - tools: update lint-md-dependencies to rollup@3.26.0 (Node.js GitHub Bot) #​48631
• [7d52950a96] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48544
• [e168eab3ee] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48486
• [9711bc24f6] - tools: replace sed with perl (Luigi Pinca) #​48499
• [9c1937c0a7] - tools: update eslint to 8.43.0 (Node.js GitHub Bot) #​48487
• [9449f05ab1] - tools: update doc to to-vfile@8.0.0 (Node.js GitHub Bot) #​48485
• [79dcd968b1] - tools: prepare tools/doc for to-vfile 8.0.0 (Rich Trott) #​48485
• [538f388ac0] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48417
• [01bc10dcd5] - tools: update create-or-update-pull-request-action (Richard Lau) #​48398
• [590a072657] - tools: update eslint-plugin-jsdoc (Richard Lau) #​48393
• [6a5805491e] - tools: update eslint to 8.42.0 (Node.js GitHub Bot) #​48328
• [2eb13e3986] - tools: disable jsdoc/no-defaults rule (Luigi Pinca) #​48328
• [3363cfa6c7] - typings: remove unused primordials (Yagiz Nizipli) #​48509
• [c59ae86ba0] - (SEMVER-MINOR) url: add value argument to has and delete methods (Sankalp Shubham) #​47885
• [f59c9636f4] - url: conform to origin getter spec changes (Yagiz Nizipli) #​48319
• [0beb5ab93d] - url: ensure getter access do not mutate observable symbols (Antoine du Hamel) #​48897
• [0a022c496d] - util: use primordials.ArrayPrototypeIndexOf instead of mutable method (DaisyDogs07) #​48586

v18.17.1: 2023-08-09, Version 18.17.1 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-32002: Policies can be bypassed via Module._load (High)
• CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
• CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 14th July.
  • OpenSSL security advisory 19th July.
  • OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.

Commits

• [fe3abdf82e] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [2c5a522d9c] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [15bced0bde] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417
• [d4570fae35] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#460

v18.17.0: 2023-07-18, Version 18.17.0 'Hydrogen' (LTS), @​danielleadams

Compare Source

Notable Changes

Ada 2.0

Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements
to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.

Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the
improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4,
while also eliminating the need for the ICU requirement for URL hostname parsing.

Contributed by Yagiz Nizipli and Daniel Lemire in #​47339

Web Crypto API

Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations.
This further improves interoperability with other implementations of Web Crypto API.

Contributed by Filip Skokan in #​46067

• crypto:
  • update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• dns:
  • (SEMVER-MINOR) expose getDefaultResultOrder (btea) #​46973
• doc:
  • add ovflowd to collaborators (Claudio Wunder) #​47844
  • add KhafraDev to collaborators (Matthew Aitken) #​47510
• events:
  • (SEMVER-MINOR) add getMaxListeners method (Matthew Aitken) #​47039
• fs:
  • (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
  • (SEMVER-MINOR) add recursive option to readdir and opendir (Ethan Arrowood) #​41439
  • (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
  • (SEMVER-MINOR) implement byob mode for readableWebStream() (Debadree Chatterjee) #​46933
• http:
  • (SEMVER-MINOR) prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #​47732
  • (SEMVER-MINOR) remove internal error in assignSocket (Matteo Collina) #​47723
  • (SEMVER-MINOR) add highWaterMark opt in http.createServer (HinataKah0) #​47405
• lib:
  • (SEMVER-MINOR) add webstreams to Duplex.from() (Debadree Chatterjee) #​46190
  • (SEMVER-MINOR) implement AbortSignal.any() (Chemi Atlow) #​47821
• module:
  • change default resolver to not throw on unknown scheme (Gil Tayar) #​47824
• node-api:
  • (SEMVER-MINOR) define version 9 (Chengzhong Wu) #​48151
  • (SEMVER-MINOR) deprecate napi_module_register (Vladimir Morozov) #​46319
• stream:
  • (SEMVER-MINOR) preserve object mode in compose (Raz Luvaton) #​47413
  • (SEMVER-MINOR) add setter & getter for default highWaterMark (#​46929) (Robert Nagy) #​46929
• test:
  • unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) #​48078
• test_runner:
  • (SEMVER-MINOR) add shorthands to test (Chemi Atlow) #​47909
  • (SEMVER-MINOR) support combining coverage reports (Colin Ihrig) #​47686
  • (SEMVER-MINOR) execute before hook on test (Chemi Atlow) #​47586
  • (SEMVER-MINOR) expose reporter for use in run api (Chemi Atlow) #​47238
• tools:
  • update LICENSE and license-builder.sh (Santiago Gimeno) #​48078
• url:
  • (SEMVER-MINOR) implement URL.canParse (Matthew Aitken) #​47179
• wasi:
  • (SEMVER-MINOR) no longer require flag to enable wasi (Michael Dawson) #​47286

Commits

• [2ba08ac002] - benchmark: use cluster.isPrimary instead of cluster.isMaster (Deokjin Kim) #​48002
• [60ca69d96c] - benchmark: add eventtarget creation bench (Rafael Gonzaga) #​47774
• [d8233d96bb] - benchmark: add a benchmark for defaultResolve (Antoine du Hamel) #​47543
• [a1aabb6912] - benchmark: fix invalid requirementsURL (Deokjin Kim) #​47378
• [394c61caf9] - bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #​47467
• [0165a765a0] - bootstrap: do not expand process.argv[1] for snapshot entry points (Joyee Cheung) #​47466
• [cca557cdd9] - buffer: combine checking range of sourceStart in buf.copy (Deokjin Kim) #​47758
• [4c69be467c] - buffer: use private properties for brand checks in File (Matthew Aitken) #​47154
• [d002f9b6e2] - build: revert unkonwn ruff selector (Moshe Atlow) #​48753
• [93f77cb762] - build: set v8_enable_webassembly=false when lite mode is enabled (Cheng Shao) #​48248
• [1662e894f3] - build: add action to close stale PRs (Michael Dawson) #​48051
• [5ca437b288] - build: use pathlib for paths (Mohammed Keyvanzadeh) #​47581
• [72443bc54b] - build: refactor configure.py (Mohammed Keyvanzadeh) #​47667
• [[d4eecb5be9](https://togithub.com/nodejs/no

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

The version of Java (11.0.20.1) you have used to run this analysis is deprecated and we will stop accepting it soon. Please update to at least Java 17.
Read more here

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

The version of Java (11.0.21) you have used to run this analysis is deprecated and we will stop accepting it soon. Please update to at least Java 17.
Read more here