Update node Docker tag to v20.5.1

This MR contains the following updates:

Package	Type	Update	Change
node	image	minor	20.0.0 -> 20.5.1

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the logs for more information.

---

Release Notes

nodejs/node (node)

v20.5.1: 2023-08-09, Version 20.5.1 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-32002: Policies can be bypassed via Module._load (High)
• CVE-2023-32558: process.binding() can bypass the permission model through path traversal (High)
• CVE-2023-32004: Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
• CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
• CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
• CVE-2023-32005: fs.statfs can bypass the permission model (Low)
• CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
• OpenSSL Security Releases
  • OpenSSL security advisory 14th July.
  • OpenSSL security advisory 19th July.
  • OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.

Commits

• [92300b51b4] - deps: update archs files for openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [559698abf2] - deps: upgrade openssl sources to quictls/openssl-3.0.10+quic1 (Node.js GitHub Bot) #​49036
• [1bf3429e8e] - lib,permission: restrict process.binding when pm is enabled (RafaelGSS) nodejs-private/node-private#438
• [98a83a67e6] - permission: ensure to resolve path when calling mkdtemp (RafaelGSS) nodejs-private/node-private#464
• [1f0cde466b] - permission: handle buffer path on fs calls (RafaelGSS) nodejs-private/node-private#439
• [bd094d60ea] - permission: handle fstatfs and add pm supported list (RafaelGSS) nodejs-private/node-private#441
• [7337d21484] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#417
• [cf348ec640] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#397

v20.5.0: 2023-07-18, Version 20.5.0 (Current), @​juanarbol

Compare Source

Notable Changes

• [45be29d89f] - doc: add atlowChemi to collaborators (atlowChemi) #​48757
• [a316808136] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow) #​48596
• [986b46a567] - fs: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) #​48658
• [0ef73ff6f0] - (SEMVER-MINOR) test_runner: add shards support (Raz Luvaton) #​48639

Commits

• [eb0aba59b8] - bootstrap: use correct descriptor for Symbol.{dispose,asyncDispose} (Jordan Harband) #​48703
• [e2d0195dcf] - bootstrap: hide experimental web globals with flag kNoBrowserGlobals (Chengzhong Wu) #​48545
• [67a1018389] - build: do not pass target toolchain flags to host toolchain (Ivan Trubach) #​48597
• [7d843bb942] - child_process: use addAbortListener (atlowChemi) #​48550
• [4e08160f8c] - child_process: support Symbol.dispose (Moshe Atlow) #​48551
• [ef7728bf36] - deps: update nghttp2 to 1.55.1 (Node.js GitHub Bot) #​48790
• [1454f02499] - deps: update nghttp2 to 1.55.0 (Node.js GitHub Bot) #​48746
• [fa94debf46] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #​48704
• [c73cfcc144] - deps: update acorn to 8.10.0 (Node.js GitHub Bot) #​48713
• [b7a076a052] - deps: V8: cherry-pick cb00db4 (Keyhan Vakil) #​48671
• [150e15536b] - deps: upgrade npm to 9.8.0 (npm team) #​48665
• [c47b2cbd35] - dgram: socket add asyncDispose (atlowChemi) #​48717
• [002ce31cca] - dgram: use addAbortListener (atlowChemi) #​48550
• [45be29d89f] - doc: add atlowChemi to collaborators (atlowChemi) #​48757
• [69b55d2261] - doc: fix ambiguity in http.md and https.md (an5er) #​48692
• [caccb051c7] - doc: clarify transform._transform() callback argument logic (Rafael Sofi-zada) #​48680
• [999ae0c8c3] - doc: fix copy node executable in Windows (Yoav Vainrich) #​48624
• [7daefaeb44] - doc: drop <b> of v20 changelog (Rafael Gonzaga) #​48649
• [dd7ea3e1df] - doc: mention git node release prepare (Rafael Gonzaga) #​48644
• [cc7809df21] - esm: fix emit deprecation on legacy main resolve (Antoine du Hamel) #​48664
• [67b13d1dba] - events: fix bug listenerCount don't compare wrapped listener (yuzheng14) #​48592
• [a316808136] - (SEMVER-MINOR) events: allow safely adding listener to abortSignal (Chemi Atlow) #​48596
• [986b46a567] - fs: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) #​48658
• [e4333ac41f] - http2: use addAbortListener (atlowChemi) #​48550
• [4a0b66e4f9] - http2: send RST code 8 on AbortController signal (Devraj Mehta) #​48573
• [1295c76fce] - lib: use addAbortListener (atlowChemi) #​48550
• [dff6c25a36] - meta: bump actions/checkout from 3.5.2 to 3.5.3 (dependabot[bot]) #​48625
• [b5cb69ceaa] - meta: bump step-security/harden-runner from 2.4.0 to 2.4.1 (dependabot[bot]) #​48626
• [332e480b46] - meta: bump ossf/scorecard-action from 2.1.3 to 2.2.0 (dependabot[bot]) #​48628
• [25c5a0aaee] - meta: bump github/codeql-action from 2.3.6 to 2.20.1 (dependabot[bot]) #​48627
• [6406f50ab1] - module: add SourceMap.lineLengths (Isaac Z. Schlueter) #​48461
• [cfa69bd48c] - net: server add asyncDispose (atlowChemi) #​48717
• [ac11264cc5] - net: use addAbortListener (atlowChemi) #​48550
• [82d6b13bf6] - permission: add debug log when inserting fs nodes (Rafael Gonzaga) #​48677
• [f4333b1cdd] - permission: v8.writeHeapSnapshot and process.report (Rafael Gonzaga) #​48564
• [f691dca6c9] - readline: use addAbortListener (atlowChemi) #​48550
• [227e6bd898] - src: pass syscall on fs.readFileSync fail operation (Yagiz Nizipli) #​48815
• [a9a4b73653] - src: make BaseObject iteration order deterministic (Joyee Cheung) #​48702
• [d99ea4845a] - src: remove kEagerCompile for CompileFunction (Keyhan Vakil) #​48671
• [df363d0010] - src: deduplicate X509 getter implementations (Tobias Nießen) #​48563
• [9cf2e1f55b] - src,lib: reducing C++ calls of esm legacy main resolve (Vinicius Lourenço) #​48325
• [daeb21dde9] - stream: fix deadlock when pipeing to full sink (Robert Nagy) #​48691
• [5a382d02d6] - stream: use addAbortListener (atlowChemi) #​48550
• [6e82077dd4] - test: deflake test-net-throttle (Luigi Pinca) #​48599
• [d378b2c822] - test: move test-net-throttle to parallel (Luigi Pinca) #​48599
• [dfa0aee5bf] - Revert "test: remove test-crypto-keygen flaky designation" (Luigi Pinca) #​48652
• [0ef73ff6f0] - (SEMVER-MINOR) test_runner: add shards support (Raz Luvaton) #​48639
• [e2442bb7ef] - timers: support Symbol.dispose (Moshe Atlow) #​48633
• [4398ade426] - tools: run fetch_deps.py with Python 3 (Richard Lau) #​48729
• [38ce95d054] - tools: update doc to unist-util-select@5.0.0 unist-util-visit@5.0.0 (Node.js GitHub Bot) #​48714
• [b25e78a998] - tools: update lint-md-dependencies to rollup@3.26.2 (Node.js GitHub Bot) #​48705
• [a1f4ff7c59] - tools: update eslint to 8.44.0 (Node.js GitHub Bot) #​48632
• [42dc6eb698] - tools: update lint-md-dependencies to rollup@3.26.0 (Node.js GitHub Bot) #​48631
• [07bfcc45ab] - url: fix canParse false value when v8 optimizes (Yagiz Nizipli) #​48817

v20.4.0: 2023-07-05, Version 20.4.0 (Current), @​RafaelGSS

Compare Source

Notable Changes

Mock Timers

The new feature allows developers to write more reliable and predictable tests for time-dependent functionality. It includes MockTimers with the ability to mock setTimeout, setInterval from globals, node:timers, and node:timers/promises.

The feature provides a simple API to advance time, enable specific timers, and release all timers.

import assert from 'node:assert';
import { test } from 'node:test';

test('mocks setTimeout to be executed synchronously without having to actually wait for it', (context) => {
  const fn = context.mock.fn();
  // Optionally choose what to mock
  context.mock.timers.enable(['setTimeout']);
  const nineSecs = 9000;
  setTimeout(fn, nineSecs);

  const threeSeconds = 3000;
  context.mock.timers.tick(threeSeconds);
  context.mock.timers.tick(threeSeconds);
  context.mock.timers.tick(threeSeconds);

  assert.strictEqual(fn.mock.callCount(), 1);
});

This feature was contributed by Erick Wendel in #​47775.

Support to the explicit resource management proposal

Node is adding support to the explicit resource management proposal to its resources allowing users of TypeScript/babel to use using/await using with V8 support for everyone else on the way.

This feature was contributed by Moshe Atlow and Benjamin Gruenbaum in #​48518.

Other notable changes

• [fe333d2584] - crypto: update root certificates to NSS 3.90 (Node.js GitHub Bot) #​48416
• [60c2ea4e79] - doc: add vmoroz to collaborators (Vladimir Morozov) #​48527
• [5cacdf9e6b] - doc: add kvakil to collaborators (Keyhan Vakil) #​48449
• [504d1d7bdc] - (SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation (Tim Perry) #​45190

Commits

• [8a611a387f] - benchmark: add bar.R (Rafael Gonzaga) #​47729
• [12fa716cf9] - benchmark: refactor crypto oneshot (Filip Skokan) #​48267
• [d6ecbde592] - benchmark: add crypto.create*Key (Filip Skokan) #​48284
• [e60b6dedd8] - bootstrap: unify snapshot builder and embedder entry points (Joyee Cheung) #​48242
• [40662957b1] - bootstrap: simplify initialization of source map handlers (Joyee Cheung) #​48304
• [6551538079] - build: fix configure --link-module (Richard Lau) #​48522
• [f7f32089e7] - build: sync libuv header change (Jiawen Geng) #​48429
• [f60205c915] - build: update action to close stale MRs (Michael Dawson) #​48196
• [4f4d0b802e] - child_process: improve spawn performance on Linux (Keyhan Vakil) #​48523
• [fe333d2584] - crypto: update root certificates to NSS 3.90 (Node.js GitHub Bot) #​48416
• [89aaf16237] - crypto: remove OPENSSL_FIPS guard for OpenSSL 3 (Richard Lau) #​48392
• [6199e1946c] - deps: upgrade to libuv 1.46.0 (Santiago Gimeno) #​48618
• [1b2b930fda] - deps: add loong64 config into openssl gypi (Shi Pujin) #​48043
• [ba8d048929] - deps: update acorn to 8.9.0 (Node.js GitHub Bot) #​48484
• [d96f921d06] - deps: update zlib to 1.2.13.1-motley-f81f385 (Node.js GitHub Bot) #​48541
• [ed1d047e8f] - deps: update googletest to ec4fed9 (Node.js GitHub Bot) #​48538
• [f43d718c67] - deps: update minimatch to 9.0.2 (Node.js GitHub Bot) #​48542
• [2f66147cbf] - deps: update corepack to 0.19.0 (Node.js GitHub Bot) #​48540
• [d91b0fde73] - deps: V8: cherry-pick 1a782f6 (Keyhan Vakil) #​48523
• [112335e342] - deps: update corepack to 0.18.1 (Node.js GitHub Bot) #​48483
• [2b141c413f] - deps: update icu to 73.2 (Node.js GitHub Bot) #​48502
• [188b34d4a1] - deps: upgrade npm to 9.7.2 (npm team) #​48514
• [bf0444b5d9] - deps: update zlib to 1.2.13.1-motley-3ca9f16 (Node.js GitHub Bot) #​48413
• [b339d80a56] - deps: upgrade npm to 9.7.1 (npm team) #​48378
• [4132931b87] - deps: update simdutf to 3.2.14 (Node.js GitHub Bot) #​48344
• [8cd56c1e85] - deps: update ada to 2.5.1 (Node.js GitHub Bot) #​48319
• [78cffcd645] - deps: update zlib to 982b036 (Node.js GitHub Bot) #​48327
• [6d00c2e33b] - doc: fix options order (Luigi Pinca) #​48617
• [7ad2d3a5d1] - doc: update security release stewards (Rafael Gonzaga) #​48569
• [cc3a056fdd] - doc: update return type for describe (Shrujal Shah) #​48572
• [99ae0b98af] - doc: run license-builder (github-actions[bot]) #​48552
• [9750d8205c] - doc: add description of autoAllocateChunkSize in ReadableStream (Debadree Chatterjee) #​48004
• [417927bb41] - doc: fix filename type in watch result (Dmitry Semigradsky) #​48032
• [ca2ae86bd7] - doc: unnest mime and MIMEParams from MIMEType constructor (Dmitry Semigradsky) #​47950
• [bda1228135] - doc: update security-release-process.md (Rafael Gonzaga) #​48504
• [60c2ea4e79] - doc: add vmoroz to collaborators (Vladimir Morozov) #​48527
• [37bc0eac4a] - doc: improve inspector.close() description (mary marchini) #​48494
• [2a403cdad5] - doc: link to Runtime Keys in export conditions (Jacob Hummer) #​48408
• [e2d579e644] - doc: update fs flags documentation (sinkhaha) #​48463
• [38bf290115] - doc: revise error.md introduction (Antoine du Hamel) #​48423
• [641a2e9c6d] - doc: add preveen-stack to triagers (Preveen P) #​48387
• [4ab5e8d2e3] - doc: refine when file is undefined in test events (Moshe Atlow) #​48451
• [5cacdf9e6b] - doc: add kvakil to collaborators (Keyhan Vakil) #​48449
• [b9c643e3ef] - doc: add additional info on TSFN dispatch (Michael Dawson) #​48367
• [17a0e1d1bf] - doc: add link for news from security wg (Michael Dawson) #​48396
• [3a62994a4f] - doc: fix typo in events.md (Darshan Sen) #​48436
• [e10a4cdf68] - doc: run license-builder (github-actions[bot]) #​48336
• [19fde638fd] - fs: call the callback with an error if writeSync fails (killa) #​47949
• [4cad9fd8bd] - fs: remove unneeded return statement (Luigi Pinca) #​48526
• [d367b73f43] - fs: use kResistStopPropagation (Chemi Atlow) #​48521
• [e50c3169af] - fs, stream: initial Symbol.dispose and Symbol.asyncDispose support (Moshe Atlow) #​48518
• [7d8a0b6eb7] - http: null the joinDuplicateHeaders property on cleanup (Luigi Pinca) #​48608
• [94ebb02f59] - http: server add async dispose (atlowChemi) #​48548
• [c6a69e31a3] - http: remove useless ternary in test (geekreal) #​48481
• [2f0f40328f] - http: fix for handling on boot timers headers and request (Franciszek Koltuniuk) #​48291
• [5378ad8ab1] - http2: server add asyncDispose (atlowChemi) #​48548
• [97a58c5970] - https: server add asyncDispose (atlowChemi) #​48548
• [40ae6eb6aa] - https: fix connection checking interval not clearing on server close (Nitzan Uziely) #​48383
• [15530fea4c] - lib: merge cjs and esm package json reader caches (Yagiz Nizipli) #​48477
• [32bda81c31] - lib: reduce url getters on makeRequireFunction (Yagiz Nizipli) #​48492
• [0da03f01ba] - lib: remove duplicated requires in check_syntax (Yagiz Nizipli) #​48508
• [97b00c347d] - lib: add option to force handling stopped events (Chemi Atlow) #​48301
• [fe16749649] - lib: fix output message when repl is used with pm (Rafael Gonzaga) #​48438
• [8c2c02d28a] - lib: create weakRef only if any signals provided (Chemi Atlow) #​48448
• [b6ae411ea9] - lib: remove obsolete deletion of bufferBinding.zeroFill (Chengzhong Wu) #​47881
• [562b3d4856] - lib: move web global bootstrapping to the expected file (Chengzhong Wu) #​47881
• [f9c0d5acac] - lib: fix blob.stream() causing hanging promises (Debadree Chatterjee) #​48232
• [0162a0f5bf] - lib: add support for inherited custom inspection methods (Antoine du Hamel) #​48306
• [159ab6627a] - lib: reduce URL invocations on http2 origins (Yagiz Nizipli) #​48338
• [f0709fdc59] - module: add SourceMap.findOrigin (Isaac Z. Schlueter) #​47790
• [4ec2d925b1] - module: reduce url invocations in esm/load.js (Yagiz Nizipli) #​48337
• [2c363971cc] - net: improve network family autoselection handle handling (Paolo Insogna) #​48464
• [dbf9e9ffc8] - node-api: provide napi_define_properties fast path (Gabriel Schulhof) #​48440
• [87ad657777] - node-api: implement external strings (Gabriel Schulhof) #​48339
• [4efa6807ea] - permission: handle end nodes with children cases (Rafael Gonzaga) #​48531
• [84fe811108] - repl: display dynamic import variant in static import error messages (Hemanth HM) #​48129
• [bdcc037470] - report: disable js stack when no context is entered (Chengzhong Wu) #​48495
• [97bd9ccd04] - src: fix uninitialized field access in AsyncHooks (Jan Olaf Krems) #​48566
• [404958fc96] - src: fix Coverity issue regarding unnecessary copy (Yagiz Nizipli) #​48565
• [c4b8edea24] - src: refactor SplitString in util (Yagiz Nizipli) #​48491
• [5bc13a4772] - src: revert IS_RELEASE (Rafael Gonzaga) #​48505
• [4971e46051] - src: add V8 fast api to guessHandleType (Yagiz Nizipli) #​48349
• [954e46e792] - src: return uint32 for guessHandleType (Yagiz Nizipli) #​48349
• [05009675da] - src: make realm binding data store weak (Chengzhong Wu) #​47688
• [120ac74352] - src: remove aliased buffer weak callback (Chengzhong Wu) #​47688
• [6591826e99] - src: handle wasm out of bound in osx will raise SIGBUS correctly (Congcong Cai) #​46561
• [1b84ddeec2] - src: implement constants binding directly (Joyee Cheung) #​48186
• [06d49c1f10] - src: implement natives binding without special casing (Joyee Cheung) #​48186
• [325441abf5] - src: add missing to_ascii method in dns queries (Daniel Lemire) #​48354
• [84d0eb74b8] - stream: fix premature pipeline end (Robert Nagy) #​48435
• [3df7368735] - test: add missing assertions to test-runner-cli (Moshe Atlow) #​48593
• [07eb310b0d] - test: remove test-crypto-keygen flaky designation (Luigi Pinca) #​48575
• [75aa0a7682] - test: remove test-timers-immediate-queue flaky designation (Luigi Pinca) #​48575
• [a9756f3126] - test: add Symbol.dispose support to mock timers (Benjamin Gruenbaum) #​48549
• [0f912a7248] - test: mark test-child-process-stdio-reuse-readable-stdio flaky (Luigi Pinca) #​48537
• [30f4bc4985] - test: make IsolateData per-isolate in cctest (Joyee Cheung) #​48450
• [407ce3fdcb] - test: define NAPI_VERSION before including node_api.h (Chengzhong Wu) #​48376
• [24a8fa95f0] - test: remove unnecessary noop function args to mustNotCall() (Antoine du Hamel) #​48513
• [09af579775] - test: skip test-runner-watch-mode on IBMi (Moshe Atlow) #​48473
• [77cb1ee0b2] - test: add missing <algorithm> include for std::find (Sam James) #​48380
• [7c790ca03c] - test: fix flaky test-watch-mode (Moshe Atlow) #​48147
• [1398829746] - test: fix test-net-autoselectfamily for kernel without IPv6 support (Livia Medeiros) #​48265
• [764119ba4b] - test: update url web-platform tests (Yagiz Nizipli) #​48319
• [f1ead59629] - test: ignore the copied entry_point.c (Luigi Pinca) #​48297
• [fc5d1bddcb] - test: refactor test-gc-http-client-timeout (Luigi Pinca) #​48292
• [46a3d068a0] - test: update encoding web-platform tests (Yagiz Nizipli) #​48320
• [141e5aad83] - test: update FileAPI web-platform tests (Yagiz Nizipli) #​48322
• [83cfc67099] - test: update user-timing web-platform tests (Yagiz Nizipli) #​48321
• [2c56835a33] - test_runner: fixed test shorthands return type (Shocker) #​48555
• [7d01c8894a] - (SEMVER-MINOR) test_runner: add initial draft for fakeTimers (Erick Wendel) #​47775
• [de4f14c249] - test_runner: add enqueue and dequeue events (Moshe Atlow) #​48428
• [5ebe3a4ea7] - test_runner: make --test-name-pattern recursive (Moshe Atlow) #​48382
• [93bf447308] - test_runner: refactor coverage report output for readability (Damien Seguin) #​47791
• [504d1d7bdc] - (SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation (Tim Perry) #​45190
• [203c3cf4ca] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48544
• [333907b19d] - tools: speedup compilation of js2c output (Keyhan Vakil) #​48160
• [10bd5f4d97] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48486
• [52de27b9fe] - tools: pin ruff version number (Rich Trott) #​48505
• [4345526644] - tools: replace sed with perl (Luigi Pinca) #​48499
• [6c590835f3] - tools: automate update openssl v16 (Marco Ippolito) #​48377
• [90b5335338] - tools: update eslint to 8.43.0 (Node.js GitHub Bot) #​48487
• [cd83530a11] - tools: update doc to to-vfile@8.0.0 (Node.js GitHub Bot) #​48485
• [e500b439bd] - tools: prepare tools/doc for to-vfile 8.0.0 (Rich Trott) #​48485
• [d623616813] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48417
• [a2e107dde4] - tools: update create-or-update-pull-request-action (Richard Lau) #​48398
• [8009e2c3be] - tools: update eslint-plugin-jsdoc (Richard Lau) #​48393
• [10385c8565] - tools: add version update to external dependencies (Andrea Fassina) #​48081
• [b1cef81b18] - tools: update eslint to 8.42.0 (Node.js GitHub Bot) #​48328
• [0923dc0b8e] - tools: disable jsdoc/no-defaults rule (Luigi Pinca) #​48328
• [b03146da85] - typings: remove unused primordials (Yagiz Nizipli) #​48509
• [e9c9d187b9] - typings: fix JSDoc in ESM loader modules (Antoine du Hamel) #​48424
• [fafe651d23] - url: conform to origin getter spec changes (Yagiz Nizipli) #​48319

v20.3.1: 2023-06-20, Version 20.3.1 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
• CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
• CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
• CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
• CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
• CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
• CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
• CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
• CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
• CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 28th March.
  • OpenSSL security advisory 20th April.
  • OpenSSL security advisory 30th May

More detailed information on each of the vulnerabilities can be found in June 2023 Security Releases blog post.

Commits

• [dac08dafc9] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen) nodejs-private/node-private#393
• [d274c3babc] - crypto,https,tls: disable engines if perms enabled (Tobias Nießen) nodejs-private/node-private#409
• [5621c1de38] - deps: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) #​48402
• [771caa9f1c] - deps: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) #​48402
• [0459bf9c99] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
• [27e20501aa] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#427
• [9c17e335f1] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
• [b51124c637] - permission: handle fs path traversal (RafaelGSS) nodejs-private/node-private#403
• [ebc5927adc] - permission: handle fs.openAsBlob (RafaelGSS) nodejs-private/node-private#405
• [c39a43bff5] - permission: handle fs.watchFile (RafaelGSS) nodejs-private/node-private#404
• [d0a8264ec9] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
• [3df13d5a79] - src,permission: restrict inspector when pm enabled (RafaelGSS) nodejs-private/node-private#410

v20.3.0: 2023-06-08, Version 20.3.0 (Current), @​targos

Compare Source

Notable Changes

• [bfcb3d1d9a] - deps: upgrade to libuv 1.45.0, including significant performance improvements to file system operations on Linux (Santiago Gimeno) #​48078
• [5094d1b292] - doc: add Ruy Adorno to list of TSC members (Michael Dawson) #​48172
• [2f5dbca690] - doc: mark Node.js 14 as End-of-Life (Richard Lau) #​48023
• [b1828b325e] - (SEMVER-MINOR) lib: implement AbortSignal.any() (Chemi Atlow) #​47821
• [f380953103] - module: change default resolver to not throw on unknown scheme (Gil Tayar) #​47824
• [a94f87ed99] - (SEMVER-MINOR) node-api: define version 9 (Chengzhong Wu) #​48151
• [9e2b13dfa7] - stream: deprecate asIndexedPairs (Chemi Atlow) #​48102

Commits

• [35c96156d1] - benchmark: use cluster.isPrimary instead of cluster.isMaster (Deokjin Kim) #​48002
• [3e6e3abf32] - bootstrap: throw ERR_NOT_SUPPORTED_IN_SNAPSHOT in unsupported operation (Joyee Cheung) #​47887
• [c480559347] - bootstrap: put is_building_snapshot state in IsolateData (Joyee Cheung) #​47887
• [50c0a15535] - build: set v8_enable_webassembly=false when lite mode is enabled (Cheng Shao) #​48248
• [4562805cf6] - build: speed up compilation of mksnapshot output (Keyhan Vakil) #​48162
• [8b89f13933] - build: add action to close stale MRs (Michael Dawson) #​48051
• [5d92202220] - build: replace js2c.py with js2c.cc (Joyee Cheung) #​46997
• [6cf2adc36e] - cluster: use ObjectPrototypeHasOwnProperty (Daeyeon Jeong) #​48141
• [f564b03c38] - crypto: use openssl's own memory BIOs in crypto_context.cc (GauriSpears) #​47160
• [ac8dd61fc3] - crypto: remove default encoding from cipher (Tobias Nießen) #​47998
• [15c2de4407] - crypto: fix setEngine() when OPENSSL_NO_ENGINE set (Tobias Nießen) #​47977
• [9e2dd5b5e2] - deps: update zlib to 337322d (Node.js GitHub Bot) #​48218
• [bfcb3d1d9a] - deps: upgrade to libuv 1.45.0 (Santiago Gimeno) #​48078
• [13930f092f] - deps: update ada to 2.5.0 (Node.js GitHub Bot) #​48223
• [3047caebec] - deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #​48156
• [0db79a0872] - deps: update histogram 0.11.8 (Marco Ippolito) #​47742
• [99af6716f5] - deps: update histogram to 0.11.7 (Marco Ippolito) #​47742
• [d4922bc985] - deps: update c-ares to 1.19.1 (Node.js GitHub Bot) #​48115
• [f6ccdb289f] - deps: update simdutf to 3.2.12 (Node.js GitHub Bot) #​48118
• [3ed0afc778] - deps: update minimatch to 9.0.1 (Node.js GitHub Bot) #​48094
• [df7540fb73] - deps: update ada to 2.4.2 (Node.js GitHub Bot) #​48092
• [07df5c48e8] - deps: update corepack to 0.18.0 (Node.js GitHub Bot) #​48091
• [d95a5bb559] - deps: update uvwasi to 0.0.18 (Node.js GitHub Bot) #​47866
• [443477e041] - deps: update uvwasi to 0.0.17 (Node.js GitHub Bot) #​47866
• [03f67d6d6d] - deps: upgrade npm to 9.6.7 (npm team) #​48062
• [d3e3a911fd] - deps: update nghttp2 to 1.53.0 (Node.js GitHub Bot) #​47997
• [f7c4daaf67] - deps: update ada to 2.4.1 (Node.js GitHub Bot) #​48036
• [c6a752560d] - deps: add loongarch64 into openssl Makefile and gen openssl-loongarch64 (Shi Pujin) #​46401
• [d194241716] - deps: update undici to 5.22.1 (Node.js GitHub Bot) #​47994
• [02e919f4a2] - deps,test: update postject to 1.0.0-alpha.6 (Node.js GitHub Bot) #​48072
• [2c19f596ad] - doc: clarify array args to Buffer.from() (Bryan English) #​48274
• [d681e5f456] - doc: document watch option for node:test run() (Moshe Atlow) #​48256
• [96e54ddbca] - doc: reserve 117 for Electron 26 (Calvin) #​48245
• [9aff8c7818] - doc: update documentation for FIPS support (Richard Lau) #​48194
• [8c5338648f] - doc: improve the documentation of the stdio option (Kumar Arnav) #​48110
• [11918d705f] - doc: update Buffer.allocUnsafe description (sinkhaha) #​48183
• [2b51ee5e22] - doc: update codeowners with website team (Claudio Wunder) #​48197
• [360df25d04] - doc: fix broken link to new folder doc/contributing/maintaining (Andrea Fassina) #​48205
• [13e95e21a4] - doc: add atlowChemi to triagers (Chemi Atlow) #​48104
• [5f83ce530f] - doc: fix typo in readline completer function section (Vadym) #​48188
• [3c82165d27] - doc: remove broken link for keygen (Rich Trott) #​48176
• [0ca90a1e6d] - doc: add auto intrinsic height to prevent jitter/flicker (Daniel Holbert) #​48195
• [f117855092] - doc: add version info on the SEA docs (Antoine du Hamel) #​48173
• [5094d1b292] - doc: add Ruy to list of TSC members (Michael Dawson) #​48172
• [39d8140227] - doc: update socket.remote* properties documentation (Saba Kharanauli) #​48139
• [5497c13efe] - doc: update outdated section on TLSv1.3-PSK (Tobias Nießen) #​48123
• [281dfaf727] - doc: improve HMAC key recommendations (Tobias Nießen) #​48121
• [bd311b6c70] - doc: clarify mkdir() recursive behavior (Stephen Odogwu) #​48109
• [5b061c8922] - doc: fix typo in crypto legacy streams API section (Tobias Nießen) #​48122
• [10ccb2bd81] - doc: update SEA source link (Rich Trott) #​48080
• [415bf7f532] - doc: clarify tty.isRaw (Roberto Vidal) #​48055
• [0ac4b33c76] - doc: correct line break for Windows terminals (Alex Schwartz) #​48083
• [f30ba5c320] - doc: fix Windows code snippet tags (Antoine du Hamel) #​48100
• [12fef9b68c] - doc: harmonize fenced code snippet flags (Antoine du Hamel) #​48082
• [13f163eace] - doc: use secure key length for HMAC generateKey (Tobias Nießen) #​48052
• [1e3e7c9f33] - doc: update broken EVP_BytesToKey link (Rich Trott) #​48064
• [5917ba1838] - doc: update broken spkac link (Rich Trott) #​48063
• [0e4a3b7db1] - doc: document node-api version process (Chengzhong Wu) #​47972
• [85bbaa94ea] - doc: update process.versions properties (Saba Kharanauli) #​48019
• [7660eb591a] - doc: fix typo in binding functions (Deokjin Kim) #​48003
• [2f5dbca690] - doc: mark Node.js 14 as End-of-Life (Richard Lau) #​48023
• [3b94a739f2] - doc: clarify CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED (Tobias Nießen) #​47976
• [9e381cfa89] - doc: add heading for permission model limitations (Tobias Nießen) #​47989
• [802db923e0] - doc,vm: clarify usage of cachedData in vm.compileFunction() (Darshan Sen) #​48193
• [11a3434810] - esm: remove support for arrays in import internal method (Antoine du Hamel) #​48296
• [3b00f3afef] - esm: handle globalPreload hook returning a nullish value (Antoine du Hamel) #​48249
• [3c7846d7e1] - esm: handle more error types thrown from the loader thread (Antoine du Hamel) #​48247
• [60ce2bcabc] - http: send implicit headers on HEAD with no body (Matteo Collina) #​48108
• [72de4e7170] - lib: do not disable linter for entire files (Antoine du Hamel) #​48299
• [10cc60fc91] - lib: use existing isWindows variable (sinkhaha) #​48134
• [a90010aae9] - lib: support FORCE_COLOR for non TTY streams (Moshe Atlow) #​48034
• [b1828b325e] - (SEMVER-MINOR) lib: implement AbortSignal.any() (Chemi Atlow) #​47821
• [8f1b86961f] - meta: bump github/codeql-action from 2.3.3 to 2.3.6 (dependabot[bot]) #​48287
• [1b87ccdf70] - meta: bump actions/setup-python from 4.6.0 to 4.6.1 (dependabot[bot]) #​48286
• [10715aea26] - meta: bump codecov/codecov-action from 3.1.3 to 3.1.4 (dependabot[bot]) #​48285
• [79f73778ab] - meta: remove dont-land-on-v14 auto labeling (Shrujal Shah) #​48031
• [9c5711f3ea] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​48010
• [6d6bf3ee52] - module: reduce the number of URL initializations (Yagiz Nizipli) #​48272
• [f380953103] - module: change default resolver to not throw on unknown scheme (Gil Tayar) #​47824
• [950185b0c0] - net: fix address iteration with autoSelectFamily (Fedor Indutny) #​48258
• [5ddca72e62] - net: fix family autoselection SSL connection handling (Paolo Insogna) #​48189
• [750e53ca3c] - net: fix family autoselection timeout handling (Paolo Insogna) #​47860
• [a94f87ed99] - (SEMVER-MINOR) node-api: define version 9 (Chengzhong Wu) #​48151
• [e834979818] - node-api: add status napi_cannot_run_js (Gabriel Schulhof) #​47986
• [eafe0c3ec6] - node-api: napi_ref on all types is experimental (Vladimir Morozov) #​47975
• [9a034746f5] - src: add Realm document in the src README.md (Chengzhong Wu) #​47932
• [b8f4070f71] - src: check node_extra_ca_certs after openssl cfg (Raghu Saxena) #​48159
• [0347a18056] - src: include missing header in node_sea.h (Joyee Cheung) #​48152
• [45c3782c20] - src: remove INT_MAX asserts in SecretKeyGenTraits (Tobias Nießen) #​48053
• [b25e7045ad] - src: avoid prototype access in binding templates (Joyee Cheung) #​47913
• [33aa373eec] - src: use Blob{Des|S}erializer for SEA blobs (Joyee Cheung) #​47962
• [9e2b13dfa7] - stream: deprecate asIndexedPairs (Chemi Atlow) #​48102
• [96c323dee2] - test: mark test-child-process-pipe-dataflow as flaky (Moshe Atlow) #​48334
• [9875885357] - test: adapt tests for OpenSSL 3.1 (OttoHollmann) #​47859
• [3440d7c6bf] - test: unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) #​48078
• [215b2bc72c] - test: fix zlib version regex (Luigi Pinca) #​48227
• [e12ee59d26] - test: use lower security level in s_client (Luigi Pinca) #​48192
• [1dabc7390c] - Revert "test: unskip negative-settimeout.any.js WPT" (Filip Skokan) #​48182
• [c1c4796a86] - test: mark test_cannot_run_js as flaky (Keyhan Vakil) #​48181
• [8c49d74002] - test: fix flaky test-runner-watch-mode (Moshe Atlow) #​48144
• [6388766862] - test: skip test-http-pipeline-flood on IBM i (Abdirahim Musse) #​48048
• [8d2a3b1952] - test: ignore helper files in WPTs (Filip Skokan) #​48079
• [7a96d825fd] - test: move test-cluster-primary-error flaky test (Yagiz Nizipli) #​48039
• [a80dd3a8b3] - test: fix suite signal (Benjamin Gruenbaum) #​47800
• [a41cfd183f] - test: fix parsing test flags (Daeyeon Jeong) #​48012
• [4d4e506f2b] - test,doc,sea: run SEA tests on ppc64 (Darshan Sen) #​48111
• [44411fc40c] - test_runner: apply runOnly on suites (Moshe Atlow) #​48279
• [3f259b7a30] - test_runner: emit test:watch:drained event (Moshe Atlow) #​48259
• [c9f8e8c562] - test_runner: stop watch mode when abortSignal aborted (Moshe Atlow) #​48259
• [f3268d64cb] - test_runner: fix global after hook (Moshe Atlow) #​48231
• [15336c3139] - test_runner: remove redundant check from coverage (Colin Ihrig) #​48070
• [750d3e8606] - test_runner: pass FORCE_COLOR to child process (Moshe Atlow) #​48057
• [3278542243] - test_runner: dont split lines on test:stdout (Moshe Atlow) #​48057
• [027c531766] - test_runner: fix test deserialize edge cases (Moshe Atlow) #​48106
• [2b797a6d39] - test_runner: delegate stderr and stdout formatting to reporter (Shiba) #​48045
• [23d310bee8] - test_runner: display dot report as wide as the terminal width (Raz Luvaton) #​48038
• [fd2620dcf1] - tls: reapply servername on happy eyeballs connect (Fedor Indutny) #​48255
• [62f847d0b3] - tools: update rollup lint-md-dependencies (Node.js GitHub Bot) #​48329
• [3e97826a66] - Revert "tools: open issue when update workflow fails" (Marco Ippolito) #​48312
• [5f08bfe35f] - tools: don't gitignore base64 config.h (Ben Noordhuis) #​48174
• [ded0e2d755] - tools: update LICENSE and license-builder.sh (Santiago Gimeno) #​48078
• [07aa264366] - tools: automate histogram update (Marco Ippolito) #​48171
• [1416b75eaa] - tools: use shasum instead of sha256sum (Luigi Pinca) #​48229
• [b81e9d9b7b] - tools: harmonize dep_updaters scripts (Antoine du Hamel) #​48201
• [a60bc41e53] - tools: deps update authenticate github api request (Andrea Fassina) #​48200
• [7478ed014e] - tools: order dependency jobs alphabetically (Luca) #​48184
• [568a705799] - tools: refactor v8_pch config (Michaël Zasso) #​47364
• [801573ba46] - tools: log and verify sha256sum (Andrea Fassina) #​48088
• [db62325e18] - tools: open issue when update workflow fails (Marco Ippolito) #​48018
• [ad8a68856d] - tools: alphabetize CODEOWNERS (Rich Trott) #​48124
• [4cf5a9edaf] - tools: use latest upstream commit for zlib updates (Andrea Fassina) #​48054
• [8d93af381b] - tools: add security-wg as dep updaters owner (Marco Ippolito) #​48113
• [5325be1d99] - tools: port js2c.py to C++ (Joyee Cheung) #​46997
• [6c60d90277] - tools: fix race condition when npm installing (Tobias Nießen) #​48101
• [0ab840a58f] - tools: refloat 7 Node.js patches to cpplint.py (Rich Trott) #​48098
• [a298193378] - tools: update cpplint to 1.6.1 (Yagiz Nizipli) #​48098
• [f6725751b7] - tools: update eslint to 8.41.0 (Node.js GitHub Bot) #​48097
• [6539361f4e] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​48096
• [5d94dbb951] - tools: update doc to remark-parse@10.0.2 (Node.js GitHub Bot) #​48095
• [2226088048] - tools: add debug logs (Marco Ippolito) #​48060
• [0c8c383583] - tools: fix zconf.h path (Luigi Pinca) #​48089
• [6adaf4c648] - tools: update remark-preset-lint-node to 4.0.0 (Node.js GitHub Bot) #​47995
• [92b3334231] - url: clean vertical alignment of docs (Robin Ury) #​48037
• [ebb6536775] - url: call ada::can_parse directly (Yagiz Nizipli) #​47919
• [ed4514294a] - vm: properly handle defining symbol props (Nicolas DUBIEN) #​47572

v20.2.0: 2023-05-16, Version 20.2.0 (Current), @​targos

Compare Source

Notable Changes

• [c092df9094] - doc: add ovflowd to collaborators (Claudio Wunder) #​47844
• [4197a9a5a0] - (SEMVER-MINOR) http: prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #​47732
• [c4596b9ce7] - (SEMVER-MINOR) sea: add option to disable the experimental SEA warning (Darshan Sen) #​47588
• [17befe008c] - (SEMVER-MINOR) test_runner: add skip, todo, and only shorthands to test (Chemi Atlow) #​47909
• [a0634d7f89] - (SEMVER-MINOR) url: add value argument to URLSearchParams has and delete methods (Sankalp Shubham) #​47885

Commits

• [456fca0d9c] - bootstrap: initialize per-isolate properties of bindings separately (Joyee Cheung) #​47768
• [d6d12bf978] - bootstrap: log isolate data info in mksnapshot debug logs (Joyee Cheung) #​47768
• [e457d89a1b] - buffer: combine checking range of sourceStart in buf.copy (Deokjin Kim) #​47758
• [00668fcfb4] - child_process: use signal.reason in child process abort (Debadree Chatterjee) #​47817
• [d7993474ea] - crypto: remove default encoding from scrypt (Tobias Nießen) #​47943
• [09fb74a7cc] - crypto: fix webcrypto private/secret import with empty usages (Filip Skokan) #​47877
• [e9c6ee74f3] - crypto: remove default encoding from pbkdf2 (Tobias Nießen) #​47869
• [b7f13a8679] - deps: update simdutf to 3.2.9 (Node.js GitHub Bot) #​47983
• [b16f6da153] - deps: V8: cherry-pick 5f025d1 (Michaël Zasso) #​47610
• [99f8fcab45] - deps: V8: cherry-pick a8a11a8 (Michaël Zasso) #​47610
• [c2b14b4c78] - deps: update ada to 2.4.0 (Node.js GitHub Bot) #​47922
• [cad42e7a56] - deps: V8: cherry-pick 1b471b7 (Lu Yahan) #​47399
• [7b2f17ca59] - deps: upgrade npm to 9.6.6 (npm team) #​47862
• [d23b1af562] - deps: update ada to 2.3.1 (Node.js GitHub Bot) #​47893
• [72340c98fb] - dgram: convert macro to template (Tobias Nießen) #​47891
• [9be922892f] - dns: call ada::idna::to_ascii directly from c++ (Yagiz Nizipli) #​47920
• [4a1e97156a] - doc: add missing deprecated blocks to cluster (Tobias Nießen) #​47981
• [13118a19ee] - doc: update description of global (Tobias Nießen) #​47969
• [372796440b] - doc: update measure memory rejection information (Yash Ladha) #​41639
• [7ecc6740e4] - doc: fix broken link to TC39 import attributes proposal (Rich Trott) #​47954
• [b9771c95c7] - doc: fix broken link (Rich Trott) #​47953
• [6f5ba92e61] - doc: remove broken link (Rich Trott) #​47942
• [c9ffc555f1] - doc: document make lint-md-clean (Matteo Collina) #​47926
• [7ed99e8ba5] - doc: mark global object as legacy (Mert Can Altın) #​47819
• [bf39f2d252] - doc: ntfs junction points must link to directories (Ben Noordhuis) #​47907
• [4dfc3890d8] - doc: improve permission.has description (Daeyeon Jeong) #​47875
• [93f1aa2856] - doc: fix params names (Dmitry Semigradsky) #​47853
• [9a362aa2fb] - doc: update supported version of FreeBSD to 12.4 (Michaël Zasso) #​47838
• [89c70dc6e6] - doc: add stability experimental to pm (Rafael Gonzaga) #​47890
• [f96fb2eee7] - doc: swap Matteo with Rafael in the stewards (Rafael Gonzaga) #​47841
• [1666a146e3] - doc: add valgrind suppression details (Kevin Eady) #​47760
• [e53e8231ff] - doc: replace EOL versions in README (Tobias Nießen) #​47833
• [c092df9094] - doc: add ovflowd to collaborators (Claudio Wunder) #​47844
• [f7106765b3] - doc: update BUILDING.md previous versions links (Tobias Nießen) #​47835
• [811b43c215] - doc,test: update the v8.startupSnapshot doc and test the example (Joyee Cheung) #​47468
• [1ec640ac70] - esm: do not use 'beforeExit' on the main thread (Antoine du Hamel) #​47964
• [106dc612d6] - fs: make readdir recursive algorithm iterative (Ethan Arrowood) #​47650
• [a0da2348a8] - fs: move fs_use_promises_symbol to per-isolate symbols (Joyee Cheung) #​47768
• [4197a9a5a0] - (SEMVER-MINOR) http: prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #​47732
• [a4d6543598] - http2: improve nghttp2 error callback (Tobias Nießen) #​47840
• [a4fed6c580] - lib: update comment (sinkhaha) #​47884
• [fd8bec7b2b] - meta: bump step-security/harden-runner from 2.3.1 to 2.4.0 (Rich Trott) #​47980
• [f5b4b6d5dc] - meta: bump github/codeql-action from 2.3.2 to 2.3.3 (Rich Trott) #​47979
• [c05c0a2359] - meta: bump actions/setup-python from 4.5.0 to 4.6.0 (Rich Trott) #​47968
• [2a3d6d97cb] - meta: add security-wg ping to permission.js (Rafael Gonzaga) #​47941
• [6c158e8dd1] - meta: bump step-security/harden-runner from 2.2.1 to 2.3.1 (dependabot[bot]) #​47808
• [f7a8094d37] - meta: bump actions/setup-python from 4.5.0 to 4.6.0 (dependabot[bot]) #​47806
• [0f58e48792] - meta: bump actions/checkout from 3.3.0 to 3.5.2 (dependabot[bot]) #​47805
• [652b06dd82] - meta: remove extra space in scorecard workflow (Mestery) #​47805
• [9f06eaccaf] - meta: bump github/codeql-action from 2.2.9 to 2.3.2 (dependabot[bot]) #​47809
• [977fd7cf35] - meta: bump codecov/codecov-action from 3.1.1 to 3.1.3 (dependabot[bot]) #​47807
• [c19385c154] - module: refactor to use normalizeRequirableId in the CJS module loader (Darshan Sen) #​47896
• [739113f2fc] - module: block requiring test/reporters without scheme (Moshe Atlow) #​47831
• [f489c6710c] - (NODE-API-SEMVER-MAJOR) node-api: get Node API version used by addon (Vladimir Morozov) #​45715
• [7222f9d74b] - path: indicate index of wrong resolve() parameter (sosoba) #​47660
• [7dd32f1536] - permission: remove unused function declaration (Deokjin Kim) #​47957
• [af86625a05] - permission: resolve reference to absolute path only for fs permission (Daeyeon Jeong) #​47930
• [1625ae11fe] - quic: address recent coverity warning (Michael Dawson) #​47753
• [c4596b9ce7] - (SEMVER-MINOR) sea: add option to disable the experimental SEA warning (Darshan Sen) #​47588
• [1a7fc186bc] - sea: allow requiring core modules with the "node:" prefix (Darshan Sen) #​47779
• [786a1c5398] - src: deduplicate X509Certificate::Fingerprint* (Tobias Nießen) #​47978
• [060c1d502b] - src: stop copying code cache, part 2 (Keyhan Vakil) #​47958
• [1aec718619] - (SEMVER-MINOR) src: add cjs_module_lexer_version base64_version (Jithil P Ponnan) #​45629
• [0c06bfd8dc] - src: move BlobSerializerDeserializer to a separate header file (Darshan Sen) #​47933
• [bd553e7521] - src: rename SKIP_CHECK_SIZE to SKIP_CHECK_STRLEN (Tobias Nießen) #​47845
• [190596c189] - src: register external references for source code (Keyhan Vakil) #​47055
• [4293cc47f4] - src: support V8 experimental shared values in messaging (Shu-yu Guo) #​47706
• [9bc5d78f0c] - src: register ext reference for Fingerprint512 (Tobias Nießen) #​47892
• [a11507e23b] - src: stop copying code cache (Keyhan Vakil) #​47144
• [515c9b8de6] - src: clarify the parameter name in Permission::Apply (Daeyeon Jeong) #​47874
• [c4217613f5] - src: fix creating an ArrayBuffer from a Blob created with openAsBlob (Daeyeon Jeong) #​47691
• [4bc17fd67b] - src: avoid strcmp() with Utf8Value (Tobias Nießen) #​47827
• [d358317f70] - src: get binding data store directly from the realm (Joyee Cheung) #​47437
• [b04d51a0b5] - src: prefer data accessor of string and vector (Mohammed Keyvanzadeh) #​47750
• [2952cc576c] - src: add per-isolate SetFastMethod and Set[Fast]MethodNoSideEffect (Joyee Cheung) #​47768
• [010d2ecf94] - test: mark test-esm-loader-http-imports as flaky (Tobias Nießen) #​47987
• [bb33c74c07] - test: add getRandomValues return length (Jithil P Ponnan) #​46357
• [6e019586f7] - test: unskip negative-settimeout.any.js WPT (Filip Skokan) #​47946
• [8f547afe5f] - test: use appropriate usages for a negative import test (Filip Skokan) #​47878
• [7e34f77518] - test: fix webcrypto wrap unwrap tests (Filip Skokan) #​47876
• [30f4f35244] - test: fix output tests when path includes node version (Moshe Atlow) #​47843
• [54607bfd68] - test: reduce WPT concurrency (Filip Skokan) #​47834
• [17945a2495] - test: migrate a pseudo_tty test to use assertSnapshot (Moshe Atlow) #​47803
• [c9233679e8] - test: fix WPT state when process exits but workers are still running (Filip Skokan) #​47826
• [34bfb69b5b] - test: migrate message tests to use assertSnapshot (Moshe Atlow) #​47498
• [d25c785c2a] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #​47851
• [aa2c7e00d7] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #​47921
• [da27542058] - test_runner: use v8.serialize instead of TAP (Moshe Atlow) #​47867
• [17befe008c] - (SEMVER-MINOR) test_runner: add shorthands to test (Chemi Atlow) #​47909
• [42db1d50a0] - test_runner: fix ordering of test hooks (Phil Nash) #​47931
• [d81c54e3a8] - test_runner: omit inaccessible files from coverage (Colin Ihrig) #​47850
• [a4e261e910] - tools: debug log for nghttp3 (Marco Ippolito) #​47992
• [f6ff318d4c] - tools: automate icu-small update (Marco Ippolito) #​47727
• [706c305381] - tools: update lint-md-dependencies to rollup@3.21.5 (Node.js GitHub Bot) #​47903
• [e22c686ca9] - tools: update eslint to 8.40.0 (Node.js GitHub Bot) #​47906
• [36f7cfac93] - tools: update eslint to 8.39.0 (Node.js GitHub Bot) #​47789
• [7323902a40] - tools: fix jsdoc lint (Moshe Atlow) #​47789
• [a0634d7f89] - (SEMVER-MINOR) url: add value argument to has and delete methods (Sankalp Shubham) #​47885
• [1b06c1e003] - url: improve isURL detection (Yagiz Nizipli) #​47886
• [2bd869d20c] - vm: fix crash when setting __proto__ on context's globalThis (Feng Yu) #​47939
• [e6685f9e82] - vm,lib: refactor microtaskQueue assignment logic (Khaidi Chu) #​47765
• [47fea13dac] - worker: support more cases when (de)serializing errors (Moshe Atlow) #​47925
• [6f3876c035] - worker: use snapshot in workers spawned by workers (Joyee Cheung) #​47731

v20.1.0: 2023-05-03, Version 20.1.0 (Current), @​targos

Compare Source

Notable Changes

• [5e99598639] - assert: deprecate CallTracker (Moshe Atlow) #​47740
• [2d97c89c6f] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• [ce8820e292] - (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #​46973
• [9d30f469aa] - doc: add KhafraDev to collaborators (Matthew Aitken) #​47510
• [439ea47a77] - (SEMVER-MINOR) fs: add recursive option to readdir and opendir (Ethan Arrowood) #​41439
• [a54e898dc8] - (SEMVER-MINOR) fs: add support for mode flag to specify the copy behavior of the cp methods (Tetsuharu Ohzeki) #​47084
• [4fa773964b] - (SEMVER-MINOR) http: add highWaterMark option http.createServer (HinataKah0) #​47405
• [2b411f4b42] - (SEMVER-MINOR) stream: preserve object mode in compose (Raz Luvaton) #​47413
• [5327483f31] - (SEMVER-MINOR) test_runner: add testNamePatterns to run API (Chemi Atlow) #​47628
• [bdd02a467d] - (SEMVER-MINOR) test_runner: execute before hook on test (Chemi Atlow) #​47586
• [0e70c187bc] - (SEMVER-MINOR) test_runner: support combining coverage reports (Colin Ihrig) #​47686
• [75c1d1b66e] - (SEMVER-MINOR) wasi: make returnOnExit true by default (Michael Dawson) #​47390

Commits

• [33d1bd3e02] - assert: deprecate callTracker (Moshe Atlow) #​47740
• [6d87355e83] - benchmark: add eventtarget creation bench (Rafael Gonzaga) #​47774
• [40324a1dea] - benchmark: differentiate whatwg and legacy url (Yagiz Nizipli) #​47377
• [936d7cb069] - benchmark: add a benchmark for defaultResolve (Antoine du Hamel) #​47543
• [202042ee93] - bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #​47467
• [30af5cee55] - build: use pathlib for paths (Mohammed Keyvanzadeh) #​47581
• [089c9c51e9] - build: refactor configure.py (Mohammed Keyvanzadeh) #​47667
• [5b851c8074] - build: add devcontainer configuration (Tierney Cyren) #​40825
• [35e8b3b467] - build: bump ossf/scorecard-action from 2.1.2 to 2.1.3 (dependabot[bot]) #​47367
• [78c08243df] - build: replace Python linter flake8 with ruff (Christian Clauss) #​47519
• [2d97c89c6f] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #​47659
• [420feb41cf] - crypto: remove INT_MAX restriction in randomBytes (Tobias Nießen) #​47559
• [6046779dd9] - deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #​47450
• [00d461e93f] - deps: V8: cherry-pick c5ab3e4 (Richard Lau) #​47736
• [d08dd8069f] - deps: update ada to 2.3.0 (Node.js GitHub Bot) #​47737
• [996245976b] - deps: update undici to 5.22.0 (Node.js GitHub Bot) #​47679
• [f3ee3126df] - deps: update ada to 2.2.0 (Node.js GitHub Bot) #​47678
• [1391d3b9ff] - deps: add minimatch as a dependency (Moshe Atlow) #​47499
• [315454350d] - deps: update ada to 2.1.0 (Node.js GitHub Bot) #​47598
• [7f7735cad9] - deps: update ICU to 73.1 release (Steven R. Loomis) #​47456
• [13105c12b7] - deps: patch V8 to 11.3.244.8 (Michaël Zasso) #​47536
• [ede69d272a] - deps: update undici to 5.21.2 (Node.js GitHub Bot) #​47508
• [64b5a5f872] - deps: update simdutf to 3.2.8 (Node.js GitHub Bot) #​47507
• [2664536796] - deps: V8: cherry-pick 8e10685 (Jiawen Geng) #​47440
• [ba9ec91f0e] - deps: update undici to 5.21.1 (Node.js GitHub Bot) #​47488
• [ce8820e292] - (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #​46973
• [4c26e28c33] - doc: create maintaining folder for deps (Marco Ippolito) #​47589
• [aa0ef3eabd] - doc: fix --allow-* CLI flag references (Tobias Nießen) #​47804
• [98603b6fd3] - doc: clarify fs permissions only affect fs module (Tobias Nießen) #​47782
• [3befe5dac9] - doc: add copy node executable guide on windows (XLor) #​47781
• [98450d9892] - doc: remove MoLow from Triagers (Moshe Atlow) #​47792
• [d75036410d] - doc: fix typo in webstreams.md (Christian Takle) #​47766
• [ceba37a74f] - doc: move BethGriggs to regular member (Rich Trott) #​47776
• [b954ea9781] - doc: mark signing the binary is macOS and Windows only in SEA (Xuguang Mei) #​47722
• [26bccbcd10] - doc: move addaleax to TSC emeriti (Anna Henningsen) #​47752
• [20b0de242f] - doc: add link to news for Node.js core (Michael Dawson) #​47704
• [5709133dc7] - doc: fix a typo in permissions.md (Daeyeon Jeong) #​47730
• [c5c40a89f2] - doc: async_hooks asynchronous content example add mjs code (btea) #​47401
• [a1403a8df2] - doc: clarify concurrency model of test runner (Tobias Nießen) #​47642
• [c0c23fbe42] - doc: fix a typo in fs.openAsBlob (Daeyeon Jeong) #​47693
• [4cef98812d] - doc: fix typos (Mohammed Keyvanzadeh) #​47685
• [f30ef242ef] - doc: fix capitalization of ASan (Mohammed Keyvanzadeh) #​47676
• [78a3503406] - doc: fix typos in SECURITY.md (Mohammed Keyvanzadeh) #​47677
• [9101630e05] - doc: update error code of buffer (Deokjin Kim) #​47617
• [183f0c3e79] - doc: change offset of example in Buffer.copyBytesFrom (Deokjin Kim) #​47606
• [d11ff4bc53] - doc: improve fs permissions description (Tobias Nießen) #​47596
• [b58920c3a9] - doc: remove markdown link from heading (Tobias Nießen) #​47585
• [c36634e880] - doc: fix history ordering of WASI constructor (Antoine du Hamel) #​47611
• [d3fadd889d] - doc: fix release-post script location (Rafael Gonzaga) #​47517
• [2a0bbe7883] - doc: fix typo in webcrypto metadata (Tobias Nießen) #​47595
• [b0b16ee9f6] - doc: add link for news from uvwasi team (Michael Dawson) #​47531
• [7ca416af15] - doc: add missing setEncoding call in ESM example (Anna Henningsen) #​47558
• [f9abd59b41] - doc: update darwin-x64 toolchain used for Node.js 20 releases (Michaël Zasso) #​47546
• [0dc508070f] - doc: fix split infinitive in Hooks caveat (Jacob Smith) #​47550
• [4046280475] - doc: fix typo in util.types.isNativeError() (Julian Dax) #​47532
• [9d30f469aa] - doc: add KhafraDev to collaborators (Matthew Aitken) #​47510
• [537c17ec48] - doc: create maintaining-brotli.md (Marco Ippolito) #​47380
• [09ff9eafd9] - doc,fs: update description of fs.stat() method (Mert Can Altın) #​47654
• [185d6090cd] - doc,test: fix concurrency option of test() (Tobias Nießen) #​47734
• [a793cf401d] - esm: rename URLCanParse to be consistent (Antoine du Hamel) #​47668
• [fbb6b72f87] - esm: remove support for deprecated hooks (Antoine du Hamel) #​47580
• [c150976c4f] - esm: initialize import.meta on eval (Antoine du Hamel) #​47551
• [55f70f6395] - esm: propagate process.exit from the loader thread to the main thread (Antoine du Hamel) #​47548
• [269482f61f] - esm: avoid accessing lazy getters for urls (Yagiz Nizipli) #​47542
• [889add68e5] - esm: avoid try/catch when validating urls (Yagiz Nizipli) #​47541
• [439ea47a77] - (SEMVER-MINOR) fs: add recursive option to readdir and opendir (Ethan Arrowood) #​41439
• [a54e898dc8] - (SEMVER-MINOR) fs: add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #​47084
• [96f93cc500] - (SEMVER-MINOR) http: remove internal error in assignSocket (Matteo Collina) #​47723
• [4fa773964b] - (SEMVER-MINOR) http: add highWaterMark opt in http.createServer (HinataKah0) #​47405
• [94a5abb1e0] - inspector: add tips for Session (theanarkh) #​47195
• [21ff33127a] - lib: improve esm resolve performance (Yagiz Nizipli) #​46652
• [b8bdaf86c4] - lib: disallow file-backed blob cloning (James M Snell) #​47574
• [e8bc03b372] - lib: use webidl DOMString converter in EventTarget (Matthew Aitken) #​47514
• [91e4a7cdee] - loader: use default loader as cascaded loader in the in loader worker (Joyee Cheung) #​47620
• [d5089fe00a] - meta: fix dependabot commit message (Mestery) #​47810
• [92794400ce] - meta: ping nodejs/startup for startup test changes (Joyee Cheung) #​47771
• [8d43689077] - meta: add mailmap entry for KhafraDev (Rich Trott) #​47512
• [4d02901935] - node-api: test passing NULL to napi_define_class (Gabriel Schulhof) #​47567
• [568256dca0] - node-api: test passing NULL to number APIs (Gabriel Schulhof) #​47549
• [12f0fa386d] - node-api: remove unused mark_arraybuffer_as_untransferable (Chengzhong Wu) #​47557
• [e8ea83416a] - quic: add more QUIC implementation (James M Snell) #​47494
• [af227b159d] - readline: fix issue with newline-less last line (Ian Harris) #​47317
• [e948bec969] - src: avoid copying string in fs_permission (Yagiz Nizipli) #​47746
• [dc43ce7706] - src: replace idna functions with ada::idna (Yagiz Nizipli) #​47735
• [1f9e7ce7e8] - src: fix typo in comment in quic/sessionticket.cc (Tobias Nießen) #​47754
• [2acb57b777] - src: mark fatal error functions as noreturn (Chengzhong Wu) #​47695
• [4431df7481] - src: split BlobSerializer/BlobDeserializer (Joyee Cheung) #​47458
• [bf9a52cb3d] - src: prevent changing FunctionTemplateInfo after publish (Shelley Vohr) #​46979
• [872e6706ca] - src: add v8 fast api for url canParse (Matthew Aitken) #​47552
• [cfafe431f2] - src: make AliasedBuffers in the binding data weak (Joyee Cheung) #​47354
• [cf48db0034] - src: use v8::Boolean(b) over b ? True() : False() (Tobias Nießen) #​47554
• [ba255eda37] - src: fix typo in process.env accessor error message (Moritz Raho) #​47014
• [daf0c78232] - src: replace static const string_view by static constexpr (Daniel Lemire) #​47524
• [57e7ed7f47] - src: fix CSMRNG when length exceeds INT_MAX (Tobias Nießen) #​47515
• [cda36bfd8f] - src: use correct variable in node_builtins.cc (Michaël Zasso) #​47343
• [adc1601ccd] - src: slim down stream_base-inl.h (lilsweetcaligula) #​46972
• [f88132f1b8] - stream: prevent pipeline hang with generator functions (Debadree Chatterjee) #​47712
• [2b411f4b42] - (SEMVER-MINOR) stream: preserve object mode in compose (Raz Luvaton) #​47413
• [159cf02920] - test: refactor to use getEventListeners in timers (Deokjin Kim) #​47759
• [97a3d39b8f] - test: add and use tmpdir.hasEnoughSpace() (Tobias Nießen) #​47767
• [5bb7b26bb5] - test: remove spaces from test runner test names (Tobias Nießen) #​47733
• [84fa9fd725] - test: refactor WPTRunner and enable parallel WPT execution (Filip Skokan) #​47635
• [9d3768eb01] - Revert "test: run WPT files in parallel again" (Filip Skokan) #​47627
• [826f4041d1] - test: mark test-cluster-primary-error flaky on asan (Yagiz Nizipli) #​47422
• [e5251e31eb] - test_runner: fix --require with --experimental-loader (Moshe Atlow) #​47751
• [6ee5e42c73] - (SEMVER-MINOR) test_runner: support combining coverage reports (Colin Ihrig) #​47686
• [f8581e7629] - test_runner: remove no-op validation (Colin Ihrig) #​47687
• [40b38797c5] - test_runner: fix test runner concurrency (Moshe Atlow) #​47675
• [2d7cac0c5b] - test_runner: fix test counting (Moshe Atlow) #​47675
• [5a9b71a52e] - test_runner: fix nested hooks (Moshe Atlow) #​47648
• [5327483f31] - (SEMVER-MINOR) test_runner: add testNamePatterns to run api (Chemi Atlow) #​47628
• [b6fb7914ca] - test_runner: support coverage of unnamed functions (Colin Ihrig) #​47652
• [1f120a396f] - test_runner: move coverage collection to root.postRun() (Colin Ihrig) #​47651
• [bdd02a467d] - (SEMVER-MINOR) test_runner: execute before hook on test (Chemi Atlow) #​47586
• [ec24abaa03] - test_runner: avoid reporting parents of failing tests in summary (Moshe Atlow) #​47579
• [4203057740] - test_runner: fix spec skip detection (Moshe Atlow) #​47537
• [57c69987ba] - tls: accept SecureContext object in server.addContext() (HinataKah0) #​47570
• [c620eb80a0] - tools: update doc to highlight.js@11.8.0 (Node.js GitHub Bot) #​47786
• [326c3f1593] - tools: add the missing LoongArch64 definition in the v8.gyp file (Sun Haiyong) #​47641
• [8d1588acdc] - tools: update lint-md-dependencies to rollup@3.21.1 (Node.js GitHub Bot) #​47787
• [226e5b83ee] - tools: move update-npm to dep updaters (Marco Ippolito) #​47619
• [9d0bef6c0a] - tools: fix update-v8-patch cache (Marco Ippolito) #​47725
• [63e8c95a66] - tools: automate v8 patch update (Marco Ippolito) #​47594
• [d2994e52d3] - tools: fix skip message in update-cjs-module-lexer (Tobias Nießen) #​47701
• [ccf9c37b43] - tools: update lint-md-dependencies to @​rollup/plugin-commonjs@​24.1.0 (Node.js GitHub Bot) #​47577
• [0887fa0464] - tools: keep MR titles/description up-to-date (Tobias Nießen) #​47621
• [b8927ddf16] - tools: fix updating root certificates (Richard Lau) #​47607
• [87cae0cb59] - tools: update MR label config (Mohammed Keyvanzadeh) #​47593
• [c17f2688b8] - Revert "tools: ensure failed daily wpt run still generates a report" (Filip Skokan) #​47627
• [fbe7d73234] - tools: add execution permission to uvwasi script (Mert Can Altın) #​47600
• [e3f4ff439e] - tools: add update script for googletest (Tobias Nießen) #​47482
• [7c552e650a] - tools: add option to run workflow with specific tool id (Michaël Zasso) #​47591
• [1509312170] - tools: automate zlib update (Marco Ippolito) #​47417
• [6af7f1ee03] - tools: add url and whatwg-url labels automatically (Yagiz Nizipli) #​47545
• [ff73c05d54] - tools: add performance label to benchmark changes (Yagiz Nizipli) #​47545
• [9e3e0b0a84] - tools: automate uvwasi dependency update (Ranieri Innocenti Spada) #​47509
• [233b628f22] - tools: add missing pinned dependencies (Mateo Nunez) #​47346
• [e4d95859f5] - tools: automate ngtcp2 and nghttp3 update (Marco Ippolito) #​47402
• [2e8338126b] - tools: move update-undici.sh to dep_updaters and create maintain md (Marco Ippolito) #​47380
• [8712eafc87] - typings: fix syntax error in tsconfig (Mohammed Keyvanzadeh) #​47584
• [e4b6b79f18] - url: reduce revokeObjectURL cpp calls (Yagiz Nizipli) #​47728
• [9aae76727f] - url: handle URL.canParse without base parameter (Yagiz Nizipli) #​47547
• [180d365439] - url: validate URL constructor arg length (Matthew Aitken) #​47513
• [4839fc4369] - url: validate argument length in canParse (Matthew Aitken) #​47513
• [606523d37e] - v8: fix ERR_NOT_BUILDING_SNAPSHOT is not a constructor (Chengzhong Wu) #​47721
• [75c1d1b66e] - (SEMVER-MINOR) wasi: make returnOnExit true by default (Michael Dawson) #​47390

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

---

• If you want to rebase/retry this MR, check this box