- Update to 20.12.1:
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session()
leads to HTTP/2 server crash- (High) (bsc#1222244)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length
Obfuscation- (Medium) (bsc#1222384)
* updated dependencies:
+ llhttp version 9.2.1
+ undici version 5.28.4 (bsc#1222530, bsc#1222603,
CVE-2024-30260, CVE-2024-30261)
- node-gyp-addon-gypi.patch: adapted for new unit test layouts
- fix_ci_tests.patch: add benchmark fix
- Update to 20.12.0:
* crypto: implement crypto.hash()
* util: add loading and parsing environment variables
* new connection attempt events: connectionAttempt,
connectionAttemptFailed, connectionAttemptTimeout
* sea: support embedding assets
* support configurable snapshot through --build-snapshot-config flag
* util.styleText(format, text): This function returns a formatted
text considering the format passed.
* vm: support using the default loader to handle dynamic import()
- c-ares-fixes.patch: removed, upstreamed
- nodejs-libpath.patch, versioned.patch: refreshed
* libuv version 1.48.0 (CVE-2024-24806, bsc#1220053)
OBS-URL: https://build.opensuse.org/request/show/1166624
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs20?expand=0&rev=23
* crypto: implement crypto.hash()
* util: add loading and parsing environment variables
* new connection attempt events: connectionAttempt,
connectionAttemptFailed, connectionAttemptTimeout
* sea: support embedding assets
* support configurable snapshot through --build-snapshot-config flag
* util.styleText(format, text): This function returns a formatted
text considering the format passed.
* vm: support using the default loader to handle dynamic import()
- c-ares-fixes.patch: removed, upstreamed
- nodejs-libpath.patch, versioned.patch: refreshed
* libuv version 1.48.0 (CVE-2024-24806, bsc#1220053)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs20?expand=0&rev=70
- Update to 20.11.1: (security updates)
* (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
* (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
* (CVE-2024-21896, bsc#1219994) - Path traversal by monkey-patching Buffer internals- (High)
* (CVE-2024-22017, bsc#1219995) - setuid() does not drop all privileges due to io_uring - (High)
* (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* (CVE-2024-21891, bsc#1219998) - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
* (CVE-2024-21890, bsc#1219999) - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
* (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
* libuv version 1.48.0 (CVE-2024-24806, bsc#1219724)
OBS-URL: https://build.opensuse.org/request/show/1147152
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs20?expand=0&rev=22
* (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
* (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
* (CVE-2024-21896, bsc#1219994) - Path traversal by monkey-patching Buffer internals- (High)
* (CVE-2024-22017, bsc#1219995) - setuid() does not drop all privileges due to io_uring - (High)
* (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* (CVE-2024-21891, bsc#1219998) - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
* (CVE-2024-21890, bsc#1219999) - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
* (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
* libuv version 1.48.0 (CVE-2024-24806, bsc#1219724)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs20?expand=0&rev=68
- update to 20.11.0:
* esm: add import.meta.dirname and import.meta.filename
* fs: add c++ fast path for writeFileSync utf8
* module: remove useCustomLoadersIfPresent flag
* module: bootstrap module loaders in shadow realm
* src: add --disable-warning option
* src: create per isolate proxy env template
* src: make process binding data weak
* stream: use Array for Readable buffer
* stream: optimize creation
* test_runner: adds built in lcov reporter
* test_runner: add Date to the supported mock APIs
* test_runner, cli: add --test-timeout flag
- c-ares-fixes.patch, fix_ci_tests.patch: refreshed
OBS-URL: https://build.opensuse.org/request/show/1146411
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs20?expand=0&rev=21
* esm: add import.meta.dirname and import.meta.filename
* fs: add c++ fast path for writeFileSync utf8
* module: remove useCustomLoadersIfPresent flag
* module: bootstrap module loaders in shadow realm
* src: add --disable-warning option
* src: create per isolate proxy env template
* src: make process binding data weak
* stream: use Array for Readable buffer
* stream: optimize creation
* test_runner: adds built in lcov reporter
* test_runner: add Date to the supported mock APIs
* test_runner, cli: add --test-timeout flag
- c-ares-fixes.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs20?expand=0&rev=64
- Update to 20.10.0:
* --experimental-default-type flag to flip module defaults
* The new flag --experimental-detect-module can be used to
automatically run ES modules when their syntax can be detected.
* Added flush option in file system functions for fs.writeFile functions
* Added experimental WebSocket client
* vm: fix V8 compilation cache support for vm.Script. This fixes
performance regression since v16.x when support for
importModuleDynamically was added to vm.Script
For details, see
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.10.0
- nodejs20-zlib-1.3.patch: upstreamed, removed
- fix_ci_tests.patch, node-gyp-addon-gypi.patch: refreshed
- Update to 20.9.0:
* No changes, just LTS transition
OBS-URL: https://build.opensuse.org/request/show/1133875
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs20?expand=0&rev=17
* --experimental-default-type flag to flip module defaults
* The new flag --experimental-detect-module can be used to
automatically run ES modules when their syntax can be detected.
* Added flush option in file system functions for fs.writeFile functions
* Added experimental WebSocket client
* vm: fix V8 compilation cache support for vm.Script. This fixes
performance regression since v16.x when support for
importModuleDynamically was added to vm.Script
For details, see
https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.10.0
- nodejs20-zlib-1.3.patch: upstreamed, removed
- fix_ci_tests.patch, node-gyp-addon-gypi.patch: refreshed
- Update to 20.9.0:
* No changes, just LTS transition
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs20?expand=0&rev=50
