Upgrade nodejs to version 24.17.0 to fix multiple CVEs #17788
Conversation
https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1145300&view=results Buddy build has passed.
Verified the ICU mismatch and segfault from #17161 stay resolved with the nodejs 24.17.0 upgrade: https://dev.azure.com/mariner-org/mariner/_build/results?buildId=1145300&view=results
Reproduced the issue's ICU check and its exact TypeSpec reproducer against the nodejs-24.17.0-1.azl3 / nodejs-full-i18n-24.17.0-1.azl3 / nodejs-npm-24.17.0-1.azl3 RPMs on linux/amd64, in the OneBranch build image (mcr.microsoft.com/onebranch/azurelinux/build:3.0):
Binary (ICU 78) and the -full-i18n data file (icudt78l.dat) are consistent on amd64 — the root cause called out in #17161 — and @typespec/compiler@1.11.0 compiles cleanly (docker exit: 0), with no Segmentation fault / exit 139. Repeated runs back-to-back, all clean.
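A check of the kind this comment describes, written here as an added example (it is not code from the PR, from Azure Linux, or from Node.js): it compares the ICU major version a node binary reports through process.versions.icu with the major encoded in the name of the ICU data file it is paired with (icudt<major>l.dat, as in icudt78l.dat), which is the mismatch the comment refers to. The data file location, the --live flag and the script name are assumptions; the TypeSpec reproducer from #17161 is not reproduced.

```shell
#!/bin/sh
# Added example, not code from the PR or from the Azure Linux / Node.js projects.
# Checks that the ICU major version a node binary reports agrees with the ICU
# data file shipped alongside it (icudt<major><l|b>.dat). A mismatch between
# the two is the condition this comment verifies is gone.
# The data file path passed on the command line and the --live flag are assumptions.

# icu_major_from_version "78.3" -> "78"
icu_major_from_version() {
    printf '%s\n' "$1" | cut -d. -f1
}

# icu_major_from_datafile "/some/dir/icudt78l.dat" -> "78"
# ICU data files are named icudt<major><endianness>.dat, endianness being l or b;
# any other file name yields an empty result.
icu_major_from_datafile() {
    basename "$1" | sed -n 's/^icudt\([0-9][0-9]*\)[lb]\.dat$/\1/p'
}

# icu_consistent <ICU version string from the binary> <data file path>
# Succeeds only when both majors parse and are equal.
icu_consistent() {
    bin_major=$(icu_major_from_version "$1")
    dat_major=$(icu_major_from_datafile "$2")
    [ -n "$bin_major" ] && [ -n "$dat_major" ] && [ "$bin_major" = "$dat_major" ]
}

# check_installed_node <data file path>
# Live check: asks the installed node for its ICU version and compares it
# against the given data file. Exit codes: 0 consistent, 1 mismatch, 2 cannot check.
check_installed_node() {
    datafile=$1
    command -v node >/dev/null 2>&1 || { echo "node not installed" >&2; return 2; }
    [ -f "$datafile" ] || { echo "data file not found: $datafile" >&2; return 2; }
    icu_version=$(node -p 'process.versions.icu')
    if icu_consistent "$icu_version" "$datafile"; then
        echo "OK: node ICU $icu_version matches $(basename "$datafile")"
    else
        echo "MISMATCH: node ICU $icu_version vs $(basename "$datafile")" >&2
        return 1
    fi
}

# Usage (data file location is an assumption, adjust to the package layout):
#   sh icu_check.sh --live /usr/share/icu/icudt78l.dat
if [ "${1:-}" = "--live" ]; then
    check_installed_node "${2:?usage: $0 --live <icudt*.dat>}"
fi
```

The helpers are pure string functions so they can be exercised without a node binary; only check_installed_node touches the installed toolchain, and it distinguishes "cannot check" (exit 2) from a real mismatch (exit 1) so a CI job can fail on the latter only.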
NPM version matches the upstream reference - https://github.com/nodejs/node/blob/v24.17.0/deps/npm/package.json Changes LGTM.
sandeepkarambelkar left a comment
Buddy Build Passed.
ICU and NPM versions verified against upstream and updated to the referenced versions.
Removed patches for CVE fixes.
kgodara912 left a comment
PR #17788 Verification — Upgrade nodejs to version 24.17.0
Build Verification
- Pipeline (run 1145300): SUCCEEDED
- Patches applied: 12/12 applied cleanly
- Build errors: None (29 false positives — V8 object file names containing "error")
- Build warnings: 3770 — standard C/C++ compiler noise
Verdict: PASS ✅
Upstream Release Analysis (24.14.1 → 24.17.0)
The upgrade spans 3 intermediate releases:
24.17.0 (2026-06-18) — Security Release
- (High) CVE-2026-48618 — tls: normalize hostname for server identity checks
- (High) CVE-2026-48933 — crypto: guard WebCrypto cipher output length
- (Medium) CVE-2026-48615 — lib: redact proxy credentials in tunnel errors
- (Medium) CVE-2026-48619 — http2: cap originSet size (unbounded memory growth)
- (Medium) CVE-2026-48928 — tls: fix case-sensitive SNI context matching
- (Medium) CVE-2026-48930 — dns,net: reject hostnames with embedded NUL bytes
- (Medium) CVE-2026-48934 — tls: bind reusable sessions to authenticated host
- (Medium) CVE-2026-48937 — deps: fix nghttp2 integration issues
- (Low) CVE-2026-48617 — permission: handle process.chdir on writereport
- (Low) CVE-2026-48931 — http: fix response queue poisoning in http.Agent
- (Low) CVE-2026-48935 — permission: disable FileHandle utimes with permission model
24.16.0 (2026-05-21) — Regular LTS
Additive SEMVER-MINOR only: crypto.randomUUIDv7(), fs.stat() signal option, http: harden ClientRequest options merge, http: req.signal on IncomingMessage, deps bumps (llhttp 9.4.1, undici 7.28.0, ICU 78.3).
24.15.0 (2026-04-15) — Regular LTS
Additive SEMVER-MINOR only: --max-heap-size, require(esm) stable, http2: http1Options, net.setTOS/getTOS, deps bumps (npm 11.12.1, sqlite 3.51.3).
Breaking changes: None. The nghttp2 SEMVER-MAJOR tag is internal-only (required to ship CVE-2026-48937 fix). No API removals, no deprecation escalations.
CVE-2026-33671 & CVE-2026-33672 Subsumption
Both CVEs affect picomatch (bundled via npm → tinyglobby):
- CVE-2026-33671 (High 7.5) — ReDoS via crafted extglob quantifiers. Fixed in picomatch ≥ 2.3.2 (5eceecd)
- CVE-2026-33672 (Medium 5.3) — Prototype pollution via POSIX bracket expressions. Fixed in picomatch ≥ 2.3.2 (4516eb5)
Confirmed fixed by this upgrade. The PR deletes Patch6: CVE-2026-33671.patch and Patch7: CVE-2026-33672.patch (previously backported onto 24.14.1). Node.js 24.17.0 bundles npm 11.13.0 which ships a picomatch version that already includes both upstream fixes.
Release notes:
https://nodejs.org/en/blog/release/v24.17.0
https://nodejs.org/en/blog/release/v24.16.0
https://nodejs.org/en/blog/release/v24.15.0
Summary
- ✅ Build succeeds
- ✅ No breaking changes from 24.14.1 → 24.17.0
- ✅ CVE-2026-33671 and CVE-2026-33672 subsumed by the upgrade (patches correctly removed)
- ✅ 11 additional Node.js security CVEs resolved
LGTM
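To confirm the subsumption claim in the review above on an installed tree rather than by reading release notes, here is an added example (not code from the PR, from npm or from picomatch): it walks a node_modules root, finds every bundled copy of picomatch, and checks each version against the 2.3.2 floor the review cites, treating a pre-release of 2.3.2 as still below it. Starting the scan at npm root -g (which contains npm's own bundled dependencies on a normal install), the --live flag and the package.json contents used in the test are assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not code from the PR or from the npm/picomatch projects.
# Walks a node_modules tree, finds every bundled copy of picomatch and checks
# that each is at or above the fixed version the review cites (2.3.2).
# The npm root lookup and the --live flag are assumptions.

FIXED_PICOMATCH=2.3.2

# version_ge A B: succeed when dotted version A is >= B, comparing three
# numeric fields. A pre-release suffix (e.g. "-beta.1") counts as below the
# release it precedes, so "2.3.2-beta.1" is NOT >= "2.3.2".
version_ge() {
    a=${1%%-*}.0.0; b=${2%%-*}.0.0   # pad so short versions still yield three fields
    i=0
    while [ "$i" -lt 3 ]; do
        x=${a%%.*}; a=${a#*.}; x=${x:-0}
        y=${b%%.*}; b=${b#*.}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    # Numeric fields are equal: only succeed if A carries no pre-release suffix.
    [ "$1" = "${1%%-*}" ]
}

# package_version <package.json>: pull the top-level "version" value with sed
# (sufficient for npm-formatted package.json, which puts one key per line).
package_version() {
    sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_picomatch <root>: report every picomatch package.json under <root>.
# Exit codes: 0 all copies at or above the fix, 1 at least one below it, 2 none found.
check_picomatch() {
    root=$1
    found=0
    status=0
    # Word-splitting find's output is acceptable here: node_modules paths carry
    # no whitespace in a normal install.
    for pj in $(find "$root" -type f -path '*/node_modules/picomatch/package.json' 2>/dev/null); do
        found=1
        v=$(package_version "$pj")
        if version_ge "$v" "$FIXED_PICOMATCH"; then
            echo "OK   $v >= $FIXED_PICOMATCH  $pj"
        else
            echo "FAIL $v <  $FIXED_PICOMATCH  $pj"
            status=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no picomatch found under $root" >&2; return 2; }
    return "$status"
}

# Usage: sh picomatch_check.sh --live
# Scans the global npm tree; on a normal install that includes npm's own
# node_modules, where the bundled picomatch lives.
if [ "${1:-}" = "--live" ]; then
    check_picomatch "$(npm root -g)"
fi
```

Checking every copy rather than the first one found matters because a nested dependency (here tinyglobby) can pin its own picomatch under its own node_modules, so a fixed top-level copy does not prove the nested one is fixed.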

Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
- Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
- cgmanifest files are up-to-date (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
- License map files are up-to-date (./LICENSES-AND-NOTICES/SPECS/data/licenses.json, ./LICENSES-AND-NOTICES/SPECS/LICENSES-MAP.md, ./LICENSES-AND-NOTICES/SPECS/LICENSE-EXCEPTIONS.PHOTON)
- All source files have up-to-date hashes in the *.signatures.json files
- sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
What does the PR accomplish, why was it needed?
This PR upgrades the core package nodejs to version 24.17. It bumps the ICU component version to 78.3 and npm to 11.13.
Change Log
Does this affect the toolchain?
NO
Associated issues
Links to CVEs
Test Methodology