Update node Docker tag to v20.9.0 - autoclosed
This MR contains the following updates:
Package | Type | Update | Change |
---|---|---|---|
node | image | minor |
20.8.0 -> 20.9.0
|
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the logs for more information.
Release Notes
nodejs/node (node)
v20.9.0
: 2023-10-24, Version 20.9.0 'Iron' (LTS), @richardlau
Notable Changes
This release marks the transition of Node.js 20.x into Long Term Support (LTS) with the codename 'Iron'. The 20.x release line now moves into "Active LTS" and will remain so until October 2024. After that time, it will move into "Maintenance" until end of life in April 2026.
Known issue
Collecting code coverage via the NODE_V8_COVERAGE
environment variable may
lead to a hang. This is not thought to be a regression in Node.js 20 (some
reports are on Node.js 18). For more information, including some potential
workarounds, see issue #49344.
v20.8.1
: 2023-10-13, Version 20.8.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
The following CVEs are fixed in this release:
-
CVE-2023-44487:
nghttp2
Security Release (High) -
CVE-2023-45143:
undici
Security Release (High) - CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
- CVE-2023-39331: Permission model improperly protects against path traversal (High)
- CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
- CVE-2023-39333: Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.
Commits
- [
c86883e844
] - deps: update nghttp2 to 1.57.0 (James M Snell) #50121 - [
2860631359
] - deps: update undici to v5.26.3 (Matteo Collina) #50153 - [
cd37838bf8
] - lib: let deps requirenode
prefixed modules (Matthew Aitken) #50047 - [
f5c90b2951
] - module: fix code injection through export names (Tobias Nießen) nodejs-private/node-private#461 - [
fa5dae1944
] - permission: fix Uint8Array path traversal (Tobias Nießen) nodejs-private/node-private#456 - [
cd35275111
] - permission: improve path traversal protection (Tobias Nießen) nodejs-private/node-private#456 - [
a4cb7fc7c0
] - policy: use tamper-proof integrity check function (Tobias Nießen) nodejs-private/node-private#462
Configuration
-
If you want to rebase/retry this MR, check this box