Back

Node.js Foundation
Patches for Node.js x64
Windows
26 patches available
Node. js is primarily used for non-blocking, event-driven servers, due to its single-threaded nature.
Node.js x64 Version 22.17.0
Release Date
5/15/2025
Bug Fix?
No
Minor Release?
Yes
Patch Notes

2025-06-24; Version 22.17.0 Jod (LTS);$$$Notable Changes$$$?? Deprecations$$$Instantiating node:http classes without new$$$Constructing classes like IncomingMessage or ServerResponse without the new$$$keyword is now discouraged. This clarifies API expectations and aligns with standard$$$JavaScript behavior. It may warn or error in future versions.$$$$$$Contributed by Yagiz Nizipli in #58518.$$$$$$options.shell = in node:child_process$$$Using an empty string for shell previously had undefined behavior. This change$$$encourages explicit choices (e.g.; shell: true or a shell path) and avoids$$$relying on implementation quirks.$$$$$$Contributed by Antoine du Hamel and Renegade334 #58564.$$$$$$HTTP/2 priority signaling$$$The HTTP/2 prioritization API (e.g.; stream.priority) is now deprecated due to$$$poor real-world support. Applications should avoid using priority hints and expect future removal.$$$$$$Contributed by Matteo Collina and Antoine du Hamel #58313.$$$$$$? Features graduated to stable$$$assert.partialDeepStrictEqual()$$$This method compares only a subset of properties in deep object comparisons;$$$useful for flexible test assertions. Its stabilization means its now safe for$$$general use and wont change unexpectedly in future releases.$$$$$$Contributed by Ruben Bridgewater in #57370.$$$$$$Miscellaneous$$$dirent.parentPath$$$filehandle.readableWebStream()$$$fs.glob()$$$fs.openAsBlob()$$$node:readline/promises$$$port.hasRef()$$$readable.compose()$$$readable.iterator()$$$readable.readableAborted$$$readable.readableDidRead$$$Duplex.fromWeb()$$$Duplex.toWeb()$$$Readable.fromWeb()$$$Readable.isDisturbed()$$$Readable.toWeb()$$$stream.isErrored()$$$stream.isReadable()$$$URL.createObjectURL()$$$URL.revokeObjectURL()$$$v8.setHeapSnapshotNearHeapLimit()$$$Writable.fromWeb()$$$Writable.toWeb()$$$writable.writableAborted$$$Startup Snapshot API$$$ERR_INPUT_TYPE_NOT_ALLOWED$$$ERR_UNKNOWN_FILE_EXTENSION$$$ERR_UNKNOWN_MODULE_FORMAT$$$ERR_USE_AFTER_CLOSE
Node.js x64 Version 22.15.1
Release Date
5/15/2025
Bug Fix?
No
Minor Release?
No
Patch Notes

This is a security release.$$$$$$Notable Changes$$$(CVE-2025-23166) fix error handling on async crypto operation$$$(CVE-2025-23165) add missing call to uv_fs_req_cleanup
Node.js x64 Version 22.15.1
Release Date
5/15/2025
Bug Fix?
No
Minor Release?
No
Patch Notes

This is a security release.$$$$$$Notable Changes$$$(CVE-2025-23166) fix error handling on async crypto operation$$$(CVE-2025-23165) add missing call to uv_fs_req_cleanup
Node.js x64 Version 22.15.0
Release Date
4/23/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Notable Changes$$$[3c88f3938b] - (SEMVER-MINOR) assert: implement partial error comparison$$$[db19a3f9fc] - (SEMVER-MINOR) assert: improve partialDeepStrictEqual$$$[1ee5f840b4] - (SEMVER-MINOR) cli: allow --cpu-prof* in NODE_OPTIONS $$$[872ee0f2ac] - crypto: update root certificates to NSS 3.108 $$$[03a0f3a56b] - (SEMVER-MINOR) crypto: support --use-system-ca on Windows $$$[94647bbdb2] - (SEMVER-MINOR) crypto: added support for reading certificates from macOS system store $$$[8f7b86a6e7] - deps: update timezone to 2025a $$$[f9f611fb58] - (SEMVER-MINOR) deps;tools: add zstd 1.5.6 $$$[07a6d5f8cf] - (SEMVER-MINOR) dns: add TLSA record query and parsing$$$[d8a83ef2f3] - doc: add @geeksilva97 to collaborators $$$[6b93ba723b] - (SEMVER-MINOR) module: use synchronous hooks for preparsing in import(cjs) $$$[b2e44a8079] - (SEMVER-MINOR) module: implement module.registerHooks() $$$[dc91ae7471] - (SEMVER-MINOR) process: add execve$$$[bc672fcfdd] - (SEMVER-MINOR) sqlite: allow returning ArrayBufferViews from user-defined functions $$$[5edee197ab] - (SEMVER-MINOR) tls: implement tls.getCACertificates()$$$[f9fe0e09ee] - (SEMVER-MINOR) util: expose diff function used by the assertion errors $$$[673a424180] - (SEMVER-MINOR) v8: add v8.getCppHeapStatistics() method$$$[4991e5d826] - (SEMVER-MINOR) zlib: add zstd support$$$$$$Refer - https://github.com/nodejs/node/releases/tag/v22.15.0
Node.js x64 Version 22.14.0
Release Date
2/11/2025
Bug Fix?
Yes
Minor Release?
No
Patch Notes

2025-02-11; Version 22.14.0 Jod (LTS); @aduh95$$$Notable Changes$$$[82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #56566$$$[b7fe54fc88] - (SEMVER-MINOR) fs: allow exclude option in globs to accept glob patterns (Daeyeon Jeong) #56489$$$[3ac92ef607] - (SEMVER-MINOR) lib: add typescript support to STDIN eval (Marco Ippolito) #56359$$$[1614e8e7bc] - (SEMVER-MINOR) module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX (Marco Ippolito) #56610$$$[6d6cffa9cc] - (SEMVER-MINOR) module: add findPackageJSON util (Jacob Smith) #55412$$$[d35333ae18] - (SEMVER-MINOR) process: add process.ref() and process.unref() methods (James M Snell) #56400$$$[07ff3ddcb5] - (SEMVER-MINOR) sqlite: support TypedArray and DataView in StatementSync (Alex Yang) #56385$$$[94d3fe1b62] - (SEMVER-MINOR) src: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) #56441$$$[5afffb4415] - (SEMVER-MINOR) src;worker: add isInternalWorker (Carlos Espa) #56469$$$[697a851fb3] - (SEMVER-MINOR) test_runner: add TestContext.prototype.waitFor() (Colin Ihrig) #56595$$$[047537b48c] - (SEMVER-MINOR) test_runner: add t.assert.fileSnapshot() (Colin Ihrig) #56459$$$[926cf84e95] - (SEMVER-MINOR) test_runner: add assert.register() API (Colin Ihrig) #56434$$$[c658a8afdf] - (SEMVER-MINOR) worker: add eval ts input (Marco Ippolito) #56394$$$Commits$$$[bad1ad8650] - assert: make myers_diff function more performant (Giovanni Bucci) #56303$$$[e222e36f3b] - assert: make partialDeepStrictEqual work with urls and File prototypes (Giovanni Bucci) #56231$$$[e232789fe2] - assert: show diff when doing partial comparisons (Giovanni Bucci) #56211$$$[c99de1fdcf] - assert: make partialDeepStrictEqual throw when comparing [0] with [-0] (Giovanni) #56237$$$[2386fd5840] - benchmark: add validateStream to styleText bench (Rafael Gonzaga) #56556$$$[b197dfa7ec] - build: fix GN build for ngtcp2 (Cheng) #56300$$$[2a3cdd34ff] - build: test macos-13 on GitHub actions (Michaël Zasso) #56307$$$[12f716be0a] - build: build v8 with -fvisibility=hidden on macOS (Joyee Cheung) #56275$$$[c5ca15bd34] - child_process: fix parsing messages with splitted length field (Maksim Gorkov) #56106$$$[8346b8fc2c] - crypto: add missing return value check (Michael Dawson) #56615$$$[82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #56566$$$[890eef20a1] - crypto: fix checkPrime crash with large buffers (Santiago Gimeno) #56559$$$[5edb7b5e87] - crypto: fix warning of ignoring return value (Cheng) #56527$$$[b89f123a0b] - crypto: make generatePrime/checkPrime interruptible (James M Snell) #56460$$$[63c1859e01] - deps: update corepack to 0.31.0 (Node.js GitHub Bot) #56795$$$[a48430d4d3] - deps: move inspector_protocol to deps (Chengzhong Wu) #56649$$$[74cccc824f] - deps: macro ENODATA is deprecated in libc++ (Cheng) #56698$$$[fa869ea0f2] - deps: fixup some minor coverity warnings (James M Snell) #56612$$$[1a4fa2b015] - deps: update amaro to 0.3.0 (Node.js GitHub Bot) #56568$$$[b47076fd82] - deps: update amaro to 0.2.2 (Node.js GitHub Bot) #56568$$$[46bd4b8731] - deps: update simdutf to 6.0.3 (Node.js GitHub Bot) #56567$$$[8ead9c693b] - deps: update simdutf to 5.7.2 (Node.js GitHub Bot) #56388$$$[18d4b502af] - deps: update amaro to 0.2.1 (Node.js GitHub Bot) #56390$$$[d938d7cc86] - deps: update googletest to 7d76a23 (Node.js GitHub Bot) #56387$$$[9761e7dccb] - deps: update googletest to e54519b (Node.js GitHub Bot) #56370$$$[8319dc6bc5] - deps: update ngtcp2 to 1.10.0 (Node.js GitHub Bot) #56334$$$[6eacd19d6a] - deps: update simdutf to 5.7.0 (Node.js GitHub Bot) #56332$$$[28bec2dda3] - diagnostics_channel: capture console messages (Stephen Belanger) #56292$$$[d519d33502] - doc: update macOS and Xcode versions for releases (Michaël Zasso) #56337$$$[fcfe650507] - doc: add note for features using InternalWorker with permission model (Antoine du Hamel) #56706$$$[efbba182b5] - doc: add entry to changelog about SQLite Session Extension (Bart Louwers) #56318$$$[31bf9c7dd9] - doc: move anatoli to emeritus (Michael Daws
Node.js x64 Version 22.13.1
Release Date
1/21/2025
Bug Fix?
Yes
Minor Release?
No
Patch Notes

2025-01-21; Version 22.13.1 Jod (LTS); @RafaelGSS$$$@RafaelGSS RafaelGSS released this last week$$$· 2275 commits to main since this release$$$ v22.13.1 $$$ e6c7018$$$This is a security release.$$$$$$Notable Changes$$$CVE-2025-23083 - src;loader;permission: throw on InternalWorker use when permission model is enabled (High)$$$CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)$$$CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)$$$Dependency update:$$$$$$CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Node.js x64 Version 22.13.0
Release Date
1/7/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2025-01-07; Version 22.13.0 Jod (LTS); @ruyadorno$$$$$$Notable Changes$$$Stabilize Permission Model$$$Upgrades the Permission Model status from Active Development to Stable.$$$$$$Contributed by Rafael Gonzaga #56201$$$$$$Graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable$$$Following the merge of Curve25519 into the Web Cryptography API Editors Draft the Ed25519 and X25519 algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use.$$$$$$Contributed by (Filip Skokan) #56142$$$$$$Other Notable Changes$$$[05d6227a88] - (SEMVER-MINOR) assert: add partialDeepStrictEqual (Giovanni Bucci) #54630$$$[a933103499] - (SEMVER-MINOR) cli: implement --trace-env and --trace-env-[js|native]-stack (Joyee Cheung) #55604$$$[ba9d5397de] - (SEMVER-MINOR) dgram: support blocklist in udp (theanarkh) #56087$$$[f6d0c01303] - doc: stabilize util.styleText (Rafael Gonzaga) #56265$$$[34c68827af] - doc: move typescript support to active development (Marco Ippolito) #55536$$$[dd14b80350] - doc: add LJHarb to collaborators (Jordan Harband) #56132$$$[5263086169] - (SEMVER-MINOR) doc: add report version and history section (Chengzhong Wu) #56130$$$[8cb3c2018d] - (SEMVER-MINOR) doc: sort --report-exclude alphabetically (Rafael Gonzaga) #55788$$$[55239a48b6] - (SEMVER-MINOR) doc;lib;src;test: unflag sqlite module (Colin Ihrig) #55890$$$[7cbe3de1d8] - (SEMVER-MINOR) module: only emit require(esm) warning under --trace-require-module (Joyee Cheung) #56194$$$[6575b76042] - (SEMVER-MINOR) module: add module.stripTypeScriptTypes (Marco Ippolito) #55282$$$[bacfe6d5c9] - (SEMVER-MINOR) net: support blocklist in net.connect (theanarkh) #56075$$$[b47888d390] - (SEMVER-MINOR) net: support blocklist for net.Server (theanarkh) #56079$$$[566f0a1d25] - (SEMVER-MINOR) net: add SocketAddress.parse (James M Snell) #56076$$$[ed7eab1421] - (SEMVER-MINOR) net: add net.BlockList.isBlockList(value) (James M Snell) #56078$$$[ea4891856d] - (SEMVER-MINOR) process: deprecate features.{ipv6;uv} and features.tls_* (René) #55545$$$[01eb308f26] - (SEMVER-MINOR) report: fix typos in report keys and bump the version (Yuan-Ming Hsu) #56068$$$[97c38352d0] - (SEMVER-MINOR) sqlite: aggregate constants in a single property (Edigleysson Silva (Edy)) #56213$$$[b4041e554a] - (SEMVER-MINOR) sqlite: add StatementSync.prototype.iterate method (tpoisseau) #54213$$$[2e3ca1bbdd] - (SEMVER-MINOR) src: add cli option to preserve env vars on diagnostic reports (Rafael Gonzaga) #55697$$$[bcfe9c80fc] - (SEMVER-MINOR) util: add sourcemap support to getCallSites (Marco Ippolito) #55589
Node.js x64 Version 22.12.0
Release Date
12/3/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-12-03; Version 22.12.0 Jod (LTS); @ruyadorno$$$Notable Changes$$$require(esm) is now enabled by default$$$Support for loading native ES modules using require() had been available on v20.x and v22.x under the command line flag --experimental-require-module; and available by default on v23.x. In this release; it is now no longer behind a flag on v22.x.$$$$$$This feature is still experimental; and we are looking for user feedback to make more final tweaks before fully stabilizing it. For this reason; on v23.x; when the Node.js instance encounters a native ES module in require() for the first time; it will emit an experimental warning unless require() comes from a path that contains node_modules. If there happens to be any regressions caused by this feature; users can report it to the Node.js issue tracker. Meanwhile this feature can also be disabled using --no-experimental-require-module as a workaround.$$$$$$With this feature enabled; Node.js will no longer throw ERR_REQUIRE_ESM if require() is used to load a ES module. It can; however; throw ERR_REQUIRE_ASYNC_MODULE if the ES module being loaded or its dependencies contain top-level await. When the ES module is loaded successfully by require(); the returned object will either be a ES module namespace object similar to whats returned by import(); or what gets exported as module.exports in the ES module.$$$$$$Users can check process.features.require_module to see whether require(esm) is enabled in the current Node.js instance. For packages; the module-sync exports condition can be used as a way to detect require(esm) support in the current Node.js instance and allow both require() and import to load the same native ES module. See the documentation for more details about this feature.
Node.js x64 Version 22.11.0
Release Date
10/29/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-10-29; Version 22.11.0 Jod (LTS); @richardlau$$$Notable Changes$$$This release marks the transition of Node.js 22.x into Long Term Support (LTS) with the codename Jod. The 22.x release line now moves into Active LTS and will remain so until October 2025. After that time; it will move into Maintenance until end of life in April 2027.$$$$$$Other than updating metadata; such as the process.release object; to reflect that the release is LTS; no further changes from Node.js 22.10.0 are included.$$$$$$OpenSSL 3.x$$$Official binaries for Node.js 22.x currently include OpenSSL 3.0.x (more specifically; the quictls OpenSSL fork). OpenSSL 3.0.x is the currently designated long term support version that is scheduled to be supported until 7th September 2026; which is within the expected lifetime of Node.js 22.x. We are expecting upstream OpenSSL to announce a successor long term support version prior to that date and since OpenSSL now follows a semantic versioning-like versioning scheme we expect to be able to update to the next long term supported version of OpenSSL during the lifetime of Node.js 22.x.
Node.js x64 Version 20.18.0
Release Date
10/3/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-10-03; Version 20.18.0 Iron (LTS); @targos$$$Notable Changes$$$Experimental Network Inspection Support in Node.js$$$This update introduces the initial support for network inspection in Node.js. Currently; this is an experimental feature; so you need to enable it using the --experimental-network-inspection flag. With this feature enabled; you can inspect network activities occurring within a JavaScript application.$$$$$$To use network inspection; start your Node.js application with the following command:$$$$$$$ node --inspect-wait --experimental-network-inspection index.js$$$Shell Session$$$Copy to clipboard$$$Please note that the network inspection capabilities are in active development. We are actively working on enhancing this feature and will continue to expand its functionality in future updates.$$$$$$Network inspection is limited to the http and https modules only.$$$The Network tab in Chrome DevTools will not be available until the feature request on the Chrome DevTools side is addressed.$$$Contributed by Kohei Ueno in #53593 and #54246$$$$$$Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext$$$This releases introduces a new option to the API tls.createSecureContext. From now on; tls.createSecureContext({ allowPartialTrustChain: true }) can be used to treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.$$$$$$Contributed by Anna Henningsen in #54790$$$$$$New option for vm.createContext() to create a context with a freezable globalThis$$$Node.js implements a flavor of vm.createContext() and friends that creates a context without contextifying its global object when vm.constants.DONT_CONTEXTIFY is used. This is suitable when users want to freeze the context (impossible when the global is contextified i.e. has interceptors installed) or speed up the global access if they dont need the interceptor behavior.$$$$$$Contributed by Joyee Cheung in #54394$$$$$$Deprecations$$$[64aa31f6e5] - repl: doc-deprecate instantiating node:repl classes without new (Aviv Keller) #54842$$$[4c52ee3d7f] - zlib: deprecate instantiating classes without new (Yagiz Nizipli) #54708$$$Other Notable Changes$$$[b80da2f964] - buffer: optimize createFromString (Robert Nagy) #54324$$$[02b36cbd2d] - (SEMVER-MINOR) lib: add EventSource Client (Aras Abbasi) #51575$$$[879546a9bf] - (SEMVER-MINOR) src;lib: add performance.uvMetricsInfo (Rafael Gonzaga) #54413$$$[f789f4c92d] - (SEMVER-MINOR) test_runner: support module mocking (Colin Ihrig) #52848$$$[4eb0749b6c] - (SEMVER-MINOR) url: implement parse method for safer URL parsing (Ali Hassan) #52280$$$Commits$$$[013c48f0e9] - benchmark: --no-warnings to avoid DEP/ExpWarn log (Rafael Gonzaga) #54928$$$[194fc113ac] - benchmark: add buffer.isAscii benchmark (RafaelGSS) #54740$$$[7410d51cb9] - benchmark: add buffer.isUtf8 bench (RafaelGSS) #54740$$$[2393f21e8a] - benchmark: add access async version to bench (Rafael Gonzaga) #54747$$$[b8779721f0] - benchmark: enhance dc publish benchmark (Rafael Gonzaga) #54745$$$[4078aa83ff] - benchmark: add match and doesNotMatch bench (RafaelGSS) #54734$$$[66acab9976] - benchmark: add rejects and doesNotReject bench (RafaelGSS) #54734$$$[6db777fb3a] - benchmark: add throws and doesNotThrow bench (RafaelGSS) #54734$$$[8f101560ce] - benchmark: add strictEqual and notStrictEqual bench (RafaelGSS) #54734$$$[2c9e4c936e] - benchmark: adds groups to better separate benchmarks (Giovanni Bucci) #54393$$$[671c3ac633] - benchmark: fix benchmark for file path and URL conversion (Early Riser) #54190$$$[8c8708cb5b] - benchmark: use assert.ok searchparams (Rafael Gonzaga) #54334$$$[8b71fa79e2] - benchmark: add stream.compose benchmark (jakecastelli) #54308$$$[93ee36e3a0] - benchmark: rename count to n (Rafael Gonzaga) #54271$$$[f2971b6f0b] - benchmark: change assert() to assert.ok() (Rafael Gonzaga) #54254$$$[f48f2c212c] - benchmark: support --help in CLI (Aviv Keller) #53358$$$[0309b0520b] - benchmark: remove force option as force defaults to true (Yelim Koo) #54203$$$[b6e8305b2d] - benchmar
Node.js x64 Version 20.17.0
Release Date
8/21/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-08-21; Version 20.17.0 Iron (LTS); @marco-ippolito$$$module: support require()ing synchronous ESM graphs$$$This release adds require() support for synchronous ESM graphs under the flag --experimental-require-module.$$$$$$If --experimental-require-module is enabled; and the ECMAScript module being loaded by require() meets the following requirements:$$$$$$Explicitly marked as an ES module with a type: module field in the closest package.json or a .mjs extension.$$$Fully synchronous (contains no top-level await).$$$require() will load the requested module as an ES Module; and return the module name space object. In this case it is similar to dynamic import() but is run synchronously and returns the name space object directly.$$$$$$Contributed by Joyee Cheung in #51977$$$$$$path: add matchesGlob method$$$Glob patterns can now be tested against individual paths via the path.matchesGlob(path; pattern) method.$$$$$$Contributed by Aviv Keller in #52881$$$$$$stream: expose DuplexPair API$$$The function duplexPair returns an array with two items; each being a Duplex stream connected to the other side:$$$$$$const [sideA; sideB] = duplexPair();$$$JavaScript$$$Copy to clipboard$$$Whatever is written to one stream is made readable on the other. It provides behavior analogous to a network connection; where the data written by the client becomes readable by the server; and vice-versa.$$$$$$Contributed by Austin Wright in #34111$$$$$$Other Notable Changes$$$[8e64c02b19] - (SEMVER-MINOR) http: add diagnostics channel http.client.request.error (Kohei Ueno) #54054$$$[ae30674991] - meta: add jake to collaborators (jakecastelli) #54004$$$[4a3ecbfc9b] - (SEMVER-MINOR) stream: implement min option for ReadableStreamBYOBReader.read (Mattias Buelens) #50888$$$$$$Refer for more details - https://nodejs.org/en/blog/release/v20.17.0
Node.js x64 Version 20.16.0
Release Date
7/24/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-07-24; Version 20.16.0 Iron (LTS); @marco-ippolito$$$process: add process.getBuiltinModule(id)$$$process.getBuiltinModule(id) provides a way to load built-in modules in a globally available function. ES Modules that need to support other environments can use it to conditionally load a Node.js built-in when it is run in Node.js; without having to deal with the resolution error that can be thrown by import in a non-Node.js environment or having to use dynamic import() which either turns the module into an asynchronous module; or turns a synchronous API into an asynchronous one.
Node.js x64 Version 20.15.1
Release Date
7/8/2024
Bug Fix?
No
Minor Release?
No
Patch Notes

2024-07-08; Version 20.15.1 Iron (LTS); @RafaelGSS$$$This is a security release.$$$$$$Notable Changes$$$CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)$$$CVE-2024-22020 - Bypass network import restriction via data URL (Medium)$$$CVE-2024-22018 - fs.lstat bypasses permission model (Low)$$$CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)$$$CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Node.js x64 Version 20.15.0
Release Date
6/20/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Other Notable Changes$$$[12512c3d0e] - doc: add pimterry to collaborators (Tim Perry) #52874$$$[9d485b40bb] - (SEMVER-MINOR) tools: fix get_asan_state() in tools/test.py (Joyee Cheung) #52766$$$[e98c305f52] - (SEMVER-MINOR) tools: support max_virtual_memory test configuration (Joyee Cheung) #52766$$$[dce0300896] - (SEMVER-MINOR) tools: support != in test status files (Joyee Cheung) #52766$$$Commits$$$[227093bfec] - assert: add deep equal check for more Error type (Zhenwei Jin) #51805$$$[184cfe5a71] - benchmark: filter non-present deps from start-cli-version (Adam Majer) #51746$$$[8b3e83bb53] - buffer: even faster atob (Daniel Lemire) #52443$$$[8d628c3255] - buffer: use size_t instead of uint32_t to avoid segmentation fault (Xavier Stouder) #48033$$$[16ae2b2933] - buffer: remove lines setting indexes to integer value (Zhenwei Jin) #52588$$$[48c15d0dcd] - build: remove deprecated calls for argument groups (Mohammed Keyvanzadeh) #52913$$$[1be8232d17] - build: drop base64 dep in GN build (Cheng) #52856$$$[918962d6e7] - build: make simdjson a public dep in GN build (Cheng) #52755$$$[5215b6fd8e] - build; tools: copy release assets to staging R2 bucket once built (flakey5) #51394$$$[473fa73857] - (SEMVER-MINOR) cli: allow running wasm in limited vmem with --disable-wasm-trap-handler (Joyee Cheung) #52766$$$[954d2aded4] - cluster: replace forEach with for-of loop (Jérôme Benoit) #50317$$$[794e450ea7] - console: colorize console error and warn (Jithil P Ponnan) #51629$$$[0fb7c18f10] - crypto: fix duplicated switch-case return values (Mustafa Ates UZUN) #49030$$$[cd1415c8b2] - Revert crypto: make timingSafeEqual faster for Uint8Array (Tobias Nießen) #53390$$$[b774544bb1] - deps: enable unbundling of simdjson; simdutf; ada (Daniel Lemire) #52924$$$[da4dbfc5fd] - doc: remove reference to AUTHORS file (Marco Ippolito) #52960$$$[2f3f2ff8af] - doc: update hljs with the latest styles (Aviv Keller) #52911$$$[3a1d17a9b1] - doc: mention quicker way to build docs (Alex Crawford) #52937$$$[be309bd19d] - doc: mention push.followTags config (Rafael Gonzaga) #52906$$$[e62c6e2684] - doc: document pipeline with end option (Alois Klink) #48970$$$[af27225cf6] - doc: add example for execFileSync method and ref to stdio (Evan Shortiss) #39412$$$[086626f9b1] - doc: add examples and notes to http server.close et al (mary marchini) #49091$$$[3aa3337a00] - doc: fix dns.lookup family 0 and all descriptions (Adam Jones) #51653$$$[585f2a2e7f] - doc: update fs.realpath documentation (sinkhaha) #48170$$$[4bf3d44e1d] - doc: update fs read documentation for clarity (Mert Can Altin) #52453$$$[ae5d47dde3] - doc: watermark string behavior (Benjamin Gruenbaum) #52842$$$[1e429d10d3] - doc: exclude commits with baking-for-lts (Marco Ippolito) #52896$$$[3df3e37cdb] - doc: add names next to release key bash commands (Aviv Keller) #52878$$$[12512c3d0e] - doc: add pimterry to collaborators (Tim Perry) #52874$$$[97e0fef019] - doc: add more definitions to GLOSSARY.md (Aviv Keller) #52798$$$[91fadac162] - doc: make docs more welcoming and descriptive for newcomers (Serkan Özel) #38056$$$[a3b20126fd] - doc: add OpenSSL errors to API docs (John Lamp) #34213$$$[9587ae9b5b] - doc: simplify copy-pasting of branch-diff commands (Antoine du Hamel) #52757$$$[6ea72a53c3] - doc: add test_runner to subsystem (Raz Luvaton) #52774$$$[972eafd983] - events: update MaxListenersExceededWarning message log (sinkhaha) #51921$$$[74753ed1fe] - events: add stop propagation flag to Event.stopImmediatePropagation (Mickael Meausoone) #39463$$$[75dd009649] - events: replace NodeCustomEvent with CustomEvent (Feng Yu) #43876$$$[7d38c2e012] - fs: keep fs.promises.readFile read until EOF is reached (Zhenwei Jin) #52178$$$[8cb13120d3] - (SEMVER-MINOR) inspector: introduce the --inspect-wait flag (Kohei Ueno) #52734$$$[d5ab1de1fd] - meta: move @anonrig to TSC regular member (Yagiz Nizipli) #52932$$$[f82d086e90] - path: fix toNamespacedPath on Windows (Hüseyin Açacak) #52915$$$[121ea13b50] - process: improve event-loop (Aras Abbasi) #52108$$$[eceac784aa]
Node.js x64 Version 20.14.0
Release Date
5/28/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-05-28; Version 20.14.0 Iron (LTS); @marco-ippolito$$$Notable Changes$$$[28d2baa17c] - src;permission: throw async errors on async APIs (Rafael Gonzaga) #52730$$$[77e2bf029a] - (SEMVER-MINOR) test_runner: support forced exit (Colin Ihrig) #52038$$$Commits$$$[e3ad05d8b0] - deps: V8: cherry-pick 500de8bd371b (Richard Lau) #52676$$$[053282e661] - deps: V8: backport c4be0a97f981 (Richard Lau) #52183$$$[200dadb879] - deps: V8: cherry-pick f8d5e576b814 (Richard Lau) #52183$$$[f5cd125e02] - deps: update googletest to fa6de7f (Node.js GitHub Bot) #52949$$$[bbbfd7f4e1] - deps: update corepack to 0.28.1 (Node.js GitHub Bot) #52946$$$[7ba30a57a6] - deps: update simdutf to 5.2.8 (Node.js GitHub Bot) #52727$$$[b21a480a28] - deps: update simdutf to 5.2.6 (Node.js GitHub Bot) #52727$$$[6cfad60d97] - deps: update googletest to 2d16ed0 (Node.js GitHub Bot) #51657$$$[34708d1429] - deps: update googletest to d83fee1 (Node.js GitHub Bot) #51657$$$[c1d3e558e8] - deps: update googletest to 5a37b51 (Node.js GitHub Bot) #51657$$$[69959d0fca] - deps: update googletest to 5197b1a (Node.js GitHub Bot) #51657$$$[c8305f6057] - deps: update googletest to eff443c (Node.js GitHub Bot) #51657$$$[760b788704] - deps: update googletest to c231e6f (Node.js GitHub Bot) #51657$$$[301541cc8f] - deps: update googletest to e4fdb87 (Node.js GitHub Bot) #51657$$$[981d57e401] - deps: update googletest to 5df0241 (Node.js GitHub Bot) #51657$$$[a1817f534d] - deps: update googletest to b75ecf1 (Node.js GitHub Bot) #51657$$$[42070ca189] - deps: update googletest to 4565741 (Node.js GitHub Bot) #51657$$$[edc3e5d056] - deps: update uvwasi to 0.0.21 (Node.js GitHub Bot) #52863$$$[26b1231ffb] - deps: upgrade npm to 10.7.0 (npm team) #52767$$$[e6d9fbece2] - doc: update process.versions properties (ishabi) #52736$$$[8c1f837c0a] - doc: remove mold use on mac for speeding up build (Cong Zhang) #52252$$$[d9c5114694] - doc: fix grammatical mistake (codershiba) #52808$$$[b350f435b7] - meta: add mailmap entry for legendecas (Chengzhong Wu) #52795$$$[61f9f12eff] - meta: bump actions/checkout from 4.1.1 to 4.1.4 (dependabot[bot]) #52787$$$[ac563667d6] - meta: bump github/codeql-action from 3.24.9 to 3.25.3 (dependabot[bot]) #52786$$$[70611d7924] - meta: bump actions/upload-artifact from 4.3.1 to 4.3.3 (dependabot[bot]) #52785$$$[30482ea273] - meta: bump actions/download-artifact from 4.1.4 to 4.1.7 (dependabot[bot]) #52784$$$[d1607cdebb] - meta: bump codecov/codecov-action from 4.1.1 to 4.3.1 (dependabot[bot]) #52783$$$[21f1b6bfc3] - meta: bump step-security/harden-runner from 2.7.0 to 2.7.1 (dependabot[bot]) #52782$$$[0c6019a222] - meta: standardize regex (Aviv Keller) #52693$$$[28d2baa17c] - src;permission: throw async errors on async APIs (Rafael Gonzaga) #52730$$$[cffd2cc0c9] - Revert stream: revert fix cloned webstreams not being unrefd (Marco Ippolito) #53144$$$[3dd96f1fab] - stream: implement TransformStream cleanup using transformer.cancel (Debadree Chatterjee) #50126$$$[8e7e778e01] - test: skip v8-updates/test-linux-perf (Michaël Zasso) #49639$$$[f8e18869e9] - test: replace always-opt flag with alway-turbofan (Michaël Zasso) #50115$$$[a501860d63] - test_runner: dont await the same promise for each test (Colin Ihrig) #52185$$$[e2ae4367f4] - test_runner: run top level tests in a microtask (Colin Ihrig) #52092$$$[77e2bf029a] - (SEMVER-MINOR) test_runner: support forced exit (Colin Ihrig) #52038$$$[b7bc63565e] - test_runner: ignore todo flag when running suites (Colin Ihrig) #52117$$$[be587e3ae3] - test_runner: use paths for test locations (Colin Ihrig) #52010$$$[743281ab25] - test_runner: support source mapped test locations (Colin Ihrig) #52010$$$[4051316d95] - tools: update lint-md-dependencies to rollup@4.17.0 (Node.js GitHub Bot) #52729
Node.js x64 Version 20.13.1
Release Date
5/9/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

2024-05-09; Version 20.13.1 Iron (LTS); @marco-ippolito$$$Revert tools: install npm PowerShell scripts on Windows$$$Due to a regression in the npm installation on Windows; this commit reverts the change that installed npm PowerShell scripts on Windows.$$$$$$Commits$$$[b7d80802cc] - Revert tools: install npm PowerShell scripts on Windows (marco-ippolito) #52897
Node.js x64 Version 20.13.0
Release Date
5/7/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-05-07; Version 20.13.0 Iron (LTS); @marco-ippolito$$$buffer: improve base64 and base64url performance$$$The performance of the base64 and base64url encoding and decoding functions has been improved significantly.$$$$$$Contributed by Yagiz Nizipli in #52428$$$$$$crypto: deprecate implicitly shortened GCM tags$$$This release; introduces a doc-only deprecation of using GCM authentication tags that are shorter than the ciphers block size; unless the user specified the authTagLength option.$$$$$$Contributed by Tobias Nießen in #52345$$$$$$events;doc: mark CustomEvent as stable$$$From this release CustomEvent has been marked stable.$$$$$$Contributed by Daeyeon Jeong in #52618$$$$$$fs: add stacktrace to fs/promises$$$Sync functions in fs throwed an error with a stacktrace which is helpful for debugging. But functions in fs/promises throwed an error without a stacktrace. This commit adds stacktraces by calling Error.captureStacktrace and re-throwing the error.$$$$$$Contributed by ? / green in #49849$$$$$$report: add --report-exclude-network option$$$New option --report-exclude-network; also available as report.excludeNetwork; enables the user to exclude networking interfaces in their diagnostic report. On some systems; this can cause the report to take minutes to generate so this option can be used to optimize that.$$$$$$Contributed by Ethan Arrowood in #51645$$$$$$src: add uv_get_available_memory to report and process$$$From this release it is possible to get the available memory in the system by calling process.getAvailableMemory().$$$$$$Contributed by theanarkh #52023$$$$$$stream: support typed arrays$$$This commit adds support for typed arrays in streams.$$$$$$Contributed by IlyasShabi #51866$$$$$$util: support array of formats in util.styleText$$$It is now possible to pass an array of format strings to util.styleText to apply multiple formats to the same text.$$$$$$console.log($$$ util.styleText([underline; italic]; My italic underlined message)$$$);$$$JavaScript$$$Copy to clipboard$$$Contributed by Marco Ippolito in #52040$$$$$$v8: implement v8.queryObjects() for memory leak regression testing$$$This is similar to the queryObjects() console API provided by the Chromium DevTools console. It can be used to search for objects that have the matching constructor on its prototype chain in the heap after a full garbage collection; which can be useful for memory leak regression tests. To avoid surprising results; users should avoid using this API on constructors whose implementation they dont control; or on constructors that can be invoked by other parties in the application.$$$$$$To avoid accidental leaks; this API does not return raw references to the objects found. By default; it returns the count of the objects found. If options.format is summary; it returns an array containing brief string representations for each object. The visibility provided in this API is similar to what the heap snapshot provides; while users can save the cost of serialization and parsing and directly filer the target objects during the search.$$$$$$We have been using this API internally for the test suite; which has been more stable than any other leak regression testing strategies in the CI. With a public implementation we can now use the public API instead.$$$$$$const { queryObjects } = require(node:v8);$$$class A {$$$ foo = bar;$$$}$$$console.log(queryObjects(A)); // 0$$$let a = new A();$$$console.log(queryObjects(A)); // 1$$$// [ A { foo: bar } ]$$$console.log(queryObjects(A; { format: summary }));$$$// Release the object.$$$a = null;$$$// Search again. queryObjects() includes a full garbage collection$$$// so a should disappear.$$$console.log(queryObjects(A)); // 0$$$class B extends A {$$$ bar = qux;$$$}$$$// The child class Bs prototype has As prototype on its prototype chain$$$// so the prototype object shows up too.$$$console.log(queryObjects(A; { format: summary })); // [ A {} ]$$$JavaScript$$$Copy to clipboard$$$Contributed by Joyee Cheung in #51927$$$$$$watch: mark as stable$$$From th
Node.js x64 Version 20.12.2
Release Date
4/10/2024
Bug Fix?
No
Minor Release?
No
Patch Notes

2024-04-10; Version 20.12.2 Iron (LTS); @RafaelGSS$$$This is a security release.$$$$$$Notable Changes$$$CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows$$$Commits$$$[69ffc6d50d] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#563
Node.js x64 Version 20.12.1
Release Date
4/3/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-04-03; Version 20.12.1 Iron (LTS); @RafaelGSS$$$This is a security release$$$$$$Notable Changes$$$CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)$$$CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)$$$llhttp version 9.2.1$$$undici version 5.28.4$$$Commits$$$[bd8f10a257] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#576$$$[5e34540a96] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557$$$[ba1ae6d188] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561
Node.js x64 Version 20.11.1
Release Date
2/14/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-02-14; Version 20.11.1 Iron (LTS); @RafaelGSS prepared by @marco-ippolito$$$Notable changes$$$This is a security release.$$$$$$Notable changes$$$CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)$$$CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)$$$CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)$$$CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)$$$CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)$$$CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)$$$CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)$$$CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)$$$undici version 5.28.3$$$libuv version 1.48.0$$$OpenSSL version 3.0.13+quic1$$$Commits$$$[7079c062bb] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525$$$[186a6e1ffb] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51737$$$[686da19abb] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529$$$[f7b44bfbce] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614$$$[7a30fecea2] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614$$$[480fc169a8] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497$$$[77ac7c3153] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519$$$[ed7d149675] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516$$$[89bd5fc38f] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539$$$[d01dd4291d] - permission: fix wildcard when children > 1 (Rafael Gonzaga) #51209$$$[40ff37dfcc] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505$$$[3f6addd590] - src;deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529$$$[d6da413aa4] - test;doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517$$$[c213910aea] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541
Node.js x64 Version 20.11.0
Release Date
1/9/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Node v20.11.0 (LTS)$$$By Ulises Gascón; Jan 10; 2024$$$2024-01-09; Version 20.11.0 Iron (LTS); @UlisesGascon$$$Notable Changes$$$[833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805$$$[a541b78bdb] - doc: add MrJithil to collaborators (Jithil P Ponnan) #50666$$$[d4be8fad83] - doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood) #50393$$$[c1a196c897] - (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners) #48740$$$[aa3209b880] - fs: add c++ fast path for writeFileSync utf8 (CanadaHonk) #49884$$$[8e886a2fff] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #48655$$$[21ab3c0f0b] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #48655$$$[29d91b13e3] - (SEMVER-MINOR) src: add --disable-warning option (Ethan Arrowood) #50661$$$[11b3e470db] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #48655$$$[621c4d66c2] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #48655$$$[139d6c8d3b] - stream: use Array for Readable buffer (Robert Nagy) #50341$$$[6206957e8d] - stream: optimize creation (Robert Nagy) #50337$$$[e64378643d] - (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash) #50018$$$[4a830c2d9d] - (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos) #48638$$$[842dc01def] - (SEMVER-MINOR) test_runner; cli: add --test-timeout flag (Shubham Pandey) #50443
Node.js x64 Version 20.10.0
Release Date
11/22/2023
Bug Fix?
Yes
Minor Release?
No
Patch Notes

2023-11-22; Version 20.10.0 Iron (LTS); @targos$$$Notable Changes$$$--experimental-default-type flag to flip module defaults$$$The new flag --experimental-default-type can be used to flip the default module system used by Node.js. Input that is already explicitly defined as ES modules or CommonJS; such as by a package.json type field or .mjs/.cjs file extension or the --input-type flag; is unaffected. What is currently implicitly CommonJS would instead be interpreted as ES modules under --experimental-default-type=module:$$$$$$String input provided via --eval or STDIN; if --input-type is unspecified.$$$$$$Files ending in .js or with no extension; if there is no package.json file present in the same folder or any parent folder.$$$$$$Files ending in .js or with no extension; if the nearest parent package.json field lacks a type field; unless the folder is inside a node_modules folder.$$$$$$In addition; extensionless files are interpreted as Wasm if --experimental-wasm-modules is passed and the file contains the magic bytes Wasm header.$$$$$$Contributed by Geoffrey Booth in #49869.
Node.js x64 Version 18.20.5
Release Date
11/12/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-11-12; Version 18.20.5 Hydrogen (LTS); @aduh95$$$@aduh95 aduh95 released this Nov 13$$$· 7028 commits to main since this release$$$ v18.20.5 $$$ f73db8f $$$Notable Changes$$$[ac37e554a5] - esm: mark import attributes and JSON module as stable (Nicolò Ribaudo) #55333$$$Commits$$$[c2e6a8f215] - benchmark: fix napi/ref addon (Michaël Zasso) #53233$$$[4c2e07aaac] - build: pin doc workflow to Node.js 20 (Richard Lau) #55755$$$[6ba4ebd060] - build: fix build with Python 3.12 (Luigi Pinca) #50582$$$[c50f01399e] - crypto: ensure invalid SubtleCrypto JWK data import results in DataError (Filip Skokan) #55041$$$[5c46782137] - crypto: make deriveBits length parameter optional and nullable (Filip Skokan) #53601$$$[6e7274fa53] - crypto: reject dh;x25519;x448 in {Sign;Verify}Final (Huáng Jùnliàng) #53774$$$[d2442044db] - crypto: reject Ed25519/Ed448 in Sign/Verify prototypes (Filip Skokan) #52340$$$[93670de499] - deps: upgrade npm to 10.8.2 (npm team) #53799$$$[8531c95587] - deps: upgrade npm to 10.8.1 (npm team) #53207$$$[fd9933ea0f] - deps: upgrade npm to 10.8.0 (npm team) #53014$$$[03852495d7] - deps: update simdutf to 5.6.0 (Node.js GitHub Bot) #55379$$$[3597be4146] - deps: update simdutf to 5.5.0 (Node.js GitHub Bot) #54434$$$[52d2c03738] - deps: update simdutf to 5.3.4 (Node.js GitHub Bot) #54312$$$[dd882ac483] - deps: update simdutf to 5.3.1 (Node.js GitHub Bot) #54196$$$[5fb8e1b428] - deps: update simdutf to 5.3.0 (Node.js GitHub Bot) #53837$$$[c952fd886d] - deps: update simdutf to 5.2.8 (Node.js GitHub Bot) #52727$$$[a1ae050ed5] - deps: update simdutf to 5.2.6 (Node.js GitHub Bot) #52727$$$[96ec48da7f] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #50804$$$[11242bcfb4] - deps: update zlib to 1.3.0.1-motley-71660e1 (Node.js GitHub Bot) #53464$$$[64f98a9869] - deps: update zlib to 1.3.0.1-motley-c2469fd (Node.js GitHub Bot) #53464$$$[4b815550e0] - deps: update zlib to 1.3.0.1-motley-68e57e6 (Node.js GitHub Bot) #53464$$$[f6b2f68ce7] - deps: update zlib to 1.3.0.1-motley-8b7eff8 (Node.js GitHub Bot) #53464$$$[e151ebef86] - deps: update zlib to 1.3.0.1-motley-e432200 (Node.js GitHub Bot) #53464$$$[637a306e02] - deps: update zlib to 1.3.0.1-motley-887bb57 (Node.js GitHub Bot) #53464$$$[569a739569] - deps: update zlib to 1.3.0.1-motley-209717d (Node.js GitHub Bot) #53156$$$[033f1e2ba5] - deps: update zlib to 1.3.0.1-motley-4f653ff (Node.js GitHub Bot) #53052$$$[aaa857fc01] - deps: update ada to 2.8.0 (Node.js GitHub Bot) #53254$$$[d577321877] - deps: update acorn to 8.13.0 (Node.js GitHub Bot) #55558$$$[55b3c8a41f] - deps: update acorn-walk to 8.3.4 (Node.js GitHub Bot) #54950$$$[50a9456f1e] - deps: update acorn-walk to 8.3.3 (Node.js GitHub Bot) #53466$$$[f56cfe776b] - deps: update acorn to 8.12.1 (Node.js GitHub Bot) #53465$$$[fce3ab686d] - deps: update archs files for openssl-3.0.15+quic1 (Node.js GitHub Bot) #55184$$$[46c782486e] - deps: upgrade openssl sources to quictls/openssl-3.0.15+quic1 (Node.js GitHub Bot) #55184$$$[4a18581dc3] - deps: update corepack to 0.29.4 (Node.js GitHub Bot) #54845$$$[67e98831ab] - deps: update archs files for openssl-3.0.14+quic1 (Node.js GitHub Bot) #54336$$$[c60c6630af] - deps: upgrade openssl sources to quictls/openssl-3.0.14+quic1 (Node.js GitHub Bot) #54336$$$[935a506377] - deps: update corepack to 0.29.3 (Node.js GitHub Bot) #54072$$$[dbdfdd0226] - deps: update corepack to 0.29.2 (Node.js GitHub Bot) #53838$$$[395ee44608] - deps: update corepack to 0.28.2 (Node.js GitHub Bot) #53253$$$[6ba8bc0618] - deps: update c-ares to 1.29.0 (Node.js GitHub Bot) #53155$$$[81c3260cd2] - deps: update corepack to 0.28.1 (Node.js GitHub Bot) #52946$$$[e4739e9aa6] - doc: only apply content-visibility on all.html (Filip Skokan) #53510$$$[4d2ac5d98f] - doc: move release key for Myles Borins (Richard Lau) #54059$$$[1c4decc998] - doc: add release key for aduh95 (Antoine du Hamel) #55349$$$[a4f6f0918f] - doc: add names next to release key bash commands (Aviv Keller) #52878$$$[c679348f83] - errors: use determineSpecificType in more error messages (Antoine du
Node.js x64 Version 18.20.4
Release Date
7/8/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

2024-07-08; Version 18.20.4 Hydrogen (LTS); @RafaelGSS$$$This is a security release.$$$$$$Notable Changes$$$CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)$$$CVE-2024-22020 - Bypass network import restriction via data URL (Medium)$$$Commits$$$[85abedf1ff] - lib;esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522$$$[eccd63b865] - src: handle permissive ex
Node.js x64 Version 18.13.0
Release Date
1/6/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Notable changes$$$Add support for externally shared js builtins$$$By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing build options that allow dependencies with native code to be externalized. This commit adds additional options so that dependencies with JavaScript code (including WASM) can also be externalized. This addition does not affect binaries shipped by the Node.js project but will allow other distributions to externalize additional dependencies when needed.$$$$$$Contributed by Michael Dawson in #44376$$$$$$Refer the below url for more details$$$https://nodejs.org/en/blog/release/v18.13.0/
Node.js x64 Version 18.12.1
Release Date
11/4/2022
Bug Fix?
No
Minor Release?
Yes
Patch Notes

Notable changes$$$The following CVEs are fixed in this release:$$$$$$CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)$$$CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)$$$CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)$$$More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.$$$$$$Commits$$$[39f8a672e3] - deps: update archs files for quictls/openssl-3.0.7+quic nodejs/node#45286$$$[80218127c8] - deps: upgrade openssl sources to quictls/openssl-3.0.7+quic nodejs/node#45286$$$[165342beac] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#354
Node.js x64 Version 18.12.0
Release Date
10/25/2022
Bug Fix?
No
Minor Release?
Yes
Patch Notes

Notable Changes$$$This release marks the transition of Node.js 18.x into Long Term Support (LTS) with the codename Hydrogen. The 18.x release line now moves into Active LTS and will remain so until October 2023. After that time; it will move into Maintenance until end of life in April 2025.
Node.js x64 Version 16.17.1
Release Date
9/23/2022
Bug Fix?
No
Minor Release?
No
Patch Notes

This is a security release.$$$$$$Notable changes$$$The following CVEs are fixed in this release:$$$$$$CVE-2022-32212: DNS rebinding in --inspect on macOS (High)$$$CVE-2022-32213: bypass via obs-fold mechanic (Medium)$$$CVE-2022-35255: Weak randomness in WebCrypto keygen$$$CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)$$$More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.
Interested in automating patching for Node.js x64?