chore(deps): update node.js to v18.20.7

[renovate]

This PR contains the following updates:

Package	Update	Change
node (source)	patch	18.20.4 -> 18.20.7

---

Release Notes

nodejs/node (node)

v18.20.7: 2025-02-20, Version 18.20.7 'Hydrogen' (LTS), @​aduh95

Compare Source

Notable Changes

• [ea5eb0e98b] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #​56566

Commits

• [bb2977ca6c] - build: use glob for dependencies of out/Makefile (Richard Lau) #​55789
• [92896945b8] - build: support python 3.13 (Chengzhong Wu) #​53190
• [ea5eb0e98b] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #​56566
• [d03a23577d] - deps: V8: cherry-pick 26fd1df (Shu-yu Guo) #​55873
• [53bb21b093] - deps: V8: backport ae5a4db (Shu-yu Guo) #​55873
• [5eb6dfe284] - deps: update zlib to 1.3.0.1-motley-82a5fec (Node.js GitHub Bot) #​55980
• [734515a0f7] - deps: update zlib to 1.3.0.1-motley-7e2e4d7 (Node.js GitHub Bot) #​54432
• [d64cc98324] - deps: update simdutf to 5.6.4 (Node.js GitHub Bot) #​56255
• [9eab21dd1d] - deps: update simdutf to 5.6.3 (Node.js GitHub Bot) #​55973
• [2e3367b46a] - deps: update simdutf to 5.6.2 (Node.js GitHub Bot) #​55889
• [df74d66207] - deps: update simdutf to 5.6.1 (Node.js GitHub Bot) #​55850
• [ade37ee0b3] - deps: update acorn to 8.14.0 (Node.js GitHub Bot) #​55699
• [a3c367adbd] - deps: update corepack to 0.31.0 (Node.js GitHub Bot) #​56795
• [2cff6a8428] - deps: update corepack to 0.30.0 (Node.js GitHub Bot) #​55977
• [8b8c9a2cf5] - doc: update macOS and Xcode versions for releases (Michaël Zasso) #​56337
• [706af28113] - doc: add "Skip to content" button (Antoine du Hamel) #​56750
• [634a6b3a14] - doc: improve accessibility of expandable lists (Antoine du Hamel) #​56749
• [f0b60c5bf9] - doc: fix arrow vertical alignment in HTML version (Akash Yeole) #​52193
• [91cce27ebb] - doc: remove flicker on page load on dark theme (Dima Demakov) #​50942
• [522fbb00a8] - doc: make theme consistent across api and other docs (Dima Demakov) #​50877
• [1486465520] - doc: save user preference for JS flavor (Vidar Eldøy) #​49526
• [d74cff7e59] - doc: rename possibly confusing variable and CSS class (Antoine du Hamel) #​49536
• [4829d976fe] - doc: add main ARIA landmark to API docs (Rich Trott) #​49882
• [6c4ce1f1d4] - doc: add navigation ARIA landmark to doc ToC (Rich Trott) #​49882
• [33548f8c1f] - doc: add history entries for JSON modules stabilization (Antoine du Hamel) #​55855
• [e12bdf6141] - meta: bump actions/upload-artifact from 4.4.3 to 4.6.0 (dependabot[bot]) #​56861
• [6f44ef388b] - meta: bump actions/upload-artifact from 4.4.0 to 4.4.3 (dependabot[bot]) #​55685
• [ae39211117] - meta: bump actions/upload-artifact from 4.3.4 to 4.4.0 (dependabot[bot]) #​54703
• [4cf80b37c7] - meta: bump actions/upload-artifact from 4.3.3 to 4.3.4 (dependabot[bot]) #​54166
• [4d402b79cb] - meta: bump actions/download-artifact from 4.1.7 to 4.1.8 (dependabot[bot]) #​54167
• [1c01f93497] - meta: bump actions/upload-artifact from 4.3.1 to 4.3.3 (dependabot[bot]) #​52785
• [6558a516ec] - meta: bump actions/download-artifact from 4.1.4 to 4.1.7 (dependabot[bot]) #​52784
• [dd70860ec8] - meta: bump actions/download-artifact from 4.1.3 to 4.1.4 (dependabot[bot]) #​52314
• [4a24d92a45] - meta: bump actions/upload-artifact from 4.3.0 to 4.3.1 (dependabot[bot]) #​51941
• [655b9071b9] - meta: bump actions/download-artifact from 4.1.1 to 4.1.3 (dependabot[bot]) #​51938
• [0e6ad795aa] - meta: bump actions/download-artifact from 4.1.0 to 4.1.1 (dependabot[bot]) #​51644
• [61babc5037] - meta: bump actions/upload-artifact from 4.0.0 to 4.3.0 (dependabot[bot]) #​51643
• [8b16d80029] - meta: update artifact actions to v4 (Michaël Zasso) #​51219
• [d47e8cb86d] - test: do not use deprecated import assertions (Antoine du Hamel) #​55873
• [06c523d693] - test: mark test-inspector-stop-profile-after-done as flaky (Antoine du Hamel) #​57001
• [dafea86962] - test: mark test-perf-hooks as flaky on macOS (Antoine du Hamel) #​57001
• [8e53f1f43d] - test: mark test-inspector-multisession-ws as flaky (Antoine du Hamel) #​57001
• [350eb50bbe] - test: mark test-performance-function as flaky (Antoine du Hamel) #​57001
• [a1f428a343] - test: skip test-perf-hooks on SmartOS (Antoine du Hamel) #​57001
• [199f52fcc0] - test: make test-crypto-hash compatible with OpenSSL > 3.4.0 (Jelle van der Waa) #​56160
• [b08ce67d48] - test: compare paths on Windows without considering case (Early Riser) #​53993
• [6e84d211a1] - test: deflake test-perf-hooks.js (Joyee Cheung) #​49892
• [a7f565fc7f] - tools: fix failing lint-sh workflow (Antoine du Hamel) #​56995

v18.20.6: 2025-01-21, Version 18.20.6 'Hydrogen' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
• CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

• CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits

• [c03ad5ed63] - build: use rclone instead of aws CLI (Michaël Zasso) #​55617
• [8232463294] - build, tools: drop leading / from r2dir (Richard Lau) #​53951
• [b26bcd3394] - build, tools: copy release assets to staging R2 bucket once built (flakey5) #​51394
• [56df127b7b] - build,tools: simplify upload of shasum signatures (Michaël Zasso) #​53892
• [a63e9372ed] - (CVE-2025-22150) deps: update undici to v5.28.5 (Matteo Collina) nodejs-private/node-private#657
• [da2d177f91] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
• [6cc8d58e6f] - (CVE-2025-23085) src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) nodejs-private/node-private#650

v18.20.5: 2024-11-12, Version 18.20.5 'Hydrogen' (LTS), @​aduh95

Compare Source

Notable Changes

• [ac37e554a5] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #​55333

Commits

• [c2e6a8f215] - benchmark: fix napi/ref addon (Michaël Zasso) #​53233
• [4c2e07aaac] - build: pin doc workflow to Node.js 20 (Richard Lau) #​55755
• [6ba4ebd060] - build: fix build with Python 3.12 (Luigi Pinca) #​50582
• [c50f01399e] - crypto: ensure invalid SubtleCrypto JWK data import results in DataError (Filip Skokan) #​55041
• [5c46782137] - crypto: make deriveBits length parameter optional and nullable (Filip Skokan) #​53601
• [6e7274fa53] - crypto: reject dh,x25519,x448 in {Sign,Verify}Final (Huáng Jùnliàng) #​53774
• [d2442044db] - crypto: reject Ed25519/Ed448 in Sign/Verify prototypes (Filip Skokan) #​52340
• [93670de499] - deps: upgrade npm to 10.8.2 (npm team) #​53799
• [8531c95587] - deps: upgrade npm to 10.8.1 (npm team) #​53207
• [fd9933ea0f] - deps: upgrade npm to 10.8.0 (npm team) #​53014
• [03852495d7] - deps: update simdutf to 5.6.0 (Node.js GitHub Bot) #​55379
• [3597be4146] - deps: update simdutf to 5.5.0 (Node.js GitHub Bot) #​54434
• [52d2c03738] - deps: update simdutf to 5.3.4 (Node.js GitHub Bot) #​54312
• [dd882ac483] - deps: update simdutf to 5.3.1 (Node.js GitHub Bot) #​54196
• [5fb8e1b428] - deps: update simdutf to 5.3.0 (Node.js GitHub Bot) #​53837
• [c952fd886d] - deps: update simdutf to 5.2.8 (Node.js GitHub Bot) #​52727
• [a1ae050ed5] - deps: update simdutf to 5.2.6 (Node.js GitHub Bot) #​52727
• [96ec48da7f] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #​50804
• [11242bcfb4] - deps: update zlib to 1.3.0.1-motley-71660e1 (Node.js GitHub Bot) #​53464
• [64f98a9869] - deps: update zlib to 1.3.0.1-motley-c2469fd (Node.js GitHub Bot) #​53464
• [4b815550e0] - deps: update zlib to 1.3.0.1-motley-68e57e6 (Node.js GitHub Bot) #​53464
• [f6b2f68ce7] - deps: update zlib to 1.3.0.1-motley-8b7eff8 (Node.js GitHub Bot) #​53464
• [e151ebef86] - deps: update zlib to 1.3.0.1-motley-e432200 (Node.js GitHub Bot) #​53464
• [637a306e02] - deps: update zlib to 1.3.0.1-motley-887bb57 (Node.js GitHub Bot) #​53464
• [569a739569] - deps: update zlib to 1.3.0.1-motley-209717d (Node.js GitHub Bot) #​53156
• [033f1e2ba5] - deps: update zlib to 1.3.0.1-motley-4f653ff (Node.js GitHub Bot) #​53052
• [aaa857fc01] - deps: update ada to 2.8.0 (Node.js GitHub Bot) #​53254
• [d577321877] - deps: update acorn to 8.13.0 (Node.js GitHub Bot) #​55558
• [55b3c8a41f] - deps: update acorn-walk to 8.3.4 (Node.js GitHub Bot) #​54950
• [50a9456f1e] - deps: update acorn-walk to 8.3.3 (Node.js GitHub Bot) #​53466
• [f56cfe776b] - deps: update acorn to 8.12.1 (Node.js GitHub Bot) #​53465
• [fce3ab686d] - deps: update archs files for openssl-3.0.15+quic1 (Node.js GitHub Bot) #​55184
• [46c782486e] - deps: upgrade openssl sources to quictls/openssl-3.0.15+quic1 (Node.js GitHub Bot) #​55184
• [4a18581dc3] - deps: update corepack to 0.29.4 (Node.js GitHub Bot) #​54845
• [67e98831ab] - deps: update archs files for openssl-3.0.14+quic1 (Node.js GitHub Bot) #​54336
• [c60c6630af] - deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1 (Node.js GitHub Bot) #​54336
• [935a506377] - deps: update corepack to 0.29.3 (Node.js GitHub Bot) #​54072
• [dbdfdd0226] - deps: update corepack to 0.29.2 (Node.js GitHub Bot) #​53838
• [395ee44608] - deps: update corepack to 0.28.2 (Node.js GitHub Bot) #​53253
• [6ba8bc0618] - deps: update c-ares to 1.29.0 (Node.js GitHub Bot) #​53155
• [81c3260cd2] - deps: update corepack to 0.28.1 (Node.js GitHub Bot) #​52946
• [e4739e9aa6] - doc: only apply content-visibility on all.html (Filip Skokan) #​53510
• [4d2ac5d98f] - doc: move release key for Myles Borins (Richard Lau) #​54059
• [1c4decc998] - doc: add release key for aduh95 (Antoine du Hamel) #​55349
• [a4f6f0918f] - doc: add names next to release key bash commands (Aviv Keller) #​52878
• [c679348f83] - errors: use determineSpecificType in more error messages (Antoine du Hamel) #​49580
• [3059262185] - esm: fix broken assertion in legacyMainResolve (Antoine du Hamel) #​55708
• [ac37e554a5] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #​55333
• [84b0ead758] - esm: fix hook name in error message (Bruce MacNaughton) #​50466
• [0092358d00] - http: handle multi-value content-disposition header (Arsalan Ahmad) #​50977
• [d814fe935c] - src: account for OpenSSL unexpected version (Shelley Vohr) #​54038
• [6615fe5db1] - src: fix dynamically linked OpenSSL version (Richard Lau) #​53456
• [d6114cb2e2] - test: fix test when compiled without engine support (Richard Lau) #​53232
• [ac3a39051c] - test: fix test-tls-junk-closes-server (Michael Dawson) #​55089
• [c8520ff7d2] - test: fix OpenSSL version checks (Richard Lau) #​53503
• [9824827937] - test: update tls test to support OpenSSL32 (Michael Dawson) #​55030
• [1a4d497936] - test: adjust tls-set-ciphers for OpenSSL32 (Michael Dawson) #​55016
• [341496a5a2] - test: add asserts to validate test assumptions (Michael Dawson) #​54997
• [37a2f7eaa4] - test: adjust key sizes to support OpenSSL32 (Michael Dawson) #​54972
• [75ff0cdf66] - test: update test to support OpenSSL32 (Michael Dawson) #​54968
• [b097d85dfe] - test: adjust test-tls-junk-server for OpenSSL32 (Michael Dawson) #​54926
• [e9997388a6] - test: adjust tls test for OpenSSL32 (Michael Dawson) #​54909
• [c7de027adb] - test: fix test test-tls-dhe for OpenSSL32 (Michael Dawson) #​54903
• [68156cbae1] - test: fix test-tls-client-mindhsize for OpenSSL32 (Michael Dawson) #​54739
• [d5b73e5683] - test: increase key size for ca2-cert.pem (Michael Dawson) #​54599
• [5316314755] - test: update TLS test for OpenSSL 3.2 (Richard Lau) #​54612
• [a1f0c87859] - test: fix test-tls-client-auth test for OpenSSL32 (Michael Dawson) #​54610
• [e9e3306426] - test: use assert.{s,deepS}trictEqual() (Sonny) #​54208
• [1320fb9475] - test: update TLS trace tests for OpenSSL >= 3.2 (Richard Lau) #​53229
• [cc3cdf7cc0] - test: check against run-time OpenSSL version (Richard Lau) #​53456
• [fc43c6803e] - test: update TLS tests for OpenSSL 3.2 (Richard Lau) #​53384
• [627d3993f0] - test: fix unreliable assumption in js-native-api/test_cannot_run_js (Joyee Cheung) #​51898
• [9f521f456e] - test: update tests for OpenSSL 3.0.14 (Richard Lau) #​53373
• [0fb652eba9] - tools: update gyp-next to v0.16.1 (Michaël Zasso) #​50380
• [fa72b2c2de] - tools: skip ruff on tools/gyp (Michaël Zasso) #​50380

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.78%. Comparing base (1641aee) to head (d4dece4).
Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1848   +/-   ##
=======================================
  Coverage   92.78%   92.78%           
=======================================
  Files          36       36           
  Lines        1358     1358           
  Branches      273      273           
=======================================
  Hits         1260     1260           
  Misses         68       68           
  Partials       30       30           

Flag	Coverage Δ
aarch64	92.56% <ø> (ø)
aarch64-without-git	92.56% <ø> (ø)
alpine	92.78% <ø> (+0.22%)	⬆️
alpine-proxy	92.56% <ø> (ø)
alpine-without-git	92.78% <ø> (ø)
linux	92.56% <ø> (ø)
linux-without-git	92.56% <ø> (ø)
macos	92.56% <ø> (ø)
macos-arm64	92.56% <ø> (ø)
macos-arm64-without-git	92.56% <ø> (ø)
macos-without-git	92.56% <ø> (ø)
macos-x64	92.56% <ø> (ø)
macos-x64-without-git	92.56% <ø> (ø)
windows	92.56% <ø> (ø)
windows-without-git	92.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.