* esm: mark import attributes and JSON module as stable
* deps:
+ upgrade npm to 10.8.2
+ update simdutf to 5.6.0
+ update brotli to 1.1.0
+ update ada to 2.8.0
+ update acorn to 8.13.0
+ update acorn-walk to 8.3.4
+ update c-ares to 1.29.0
- CVE-2024-21538.patch: fixes regular expression denial of service
(bsc#1233856, CVE-2024-21538)
- fix_ci_tests.patch, versioned.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs18?expand=0&rev=83
were fixed:
* (CVE-2023-32002, bsc#1214150): Policies can be bypassed
via Module._load (High)
* (CVE-2023-32006, bsc#1214156): Policies can be bypassed by
module.constructor.createRequire (Medium)
* (CVE-2023-32559, bsc#1214154): Policies can be bypassed via
process.binding (Medium)
- Changes included in LTS version 18.17.0:
* dns: expose getDefaultResultOrder
* events: add getMaxListeners method
* fs:
+ add support for mode flag to specify the copy behavior
+ add recursive option to readdir and opendir
+ add support for mode flag to specify the copy behavior
+ implement byob mode for readableWebStream()
* http:
+ prevent writing to the body when not allowed by HTTP spec
+ remove internal error in assignSocket
+ add highWaterMark opt in http.createServer
* lib:
+ add webstreams to Duplex.from()
+ implement AbortSignal.any()
* module:
+ change default resolver to not throw on unknown scheme
* node-api:
+ define version 9
+ deprecate napi_module_register
* stream:
+ preserve object mode in compose
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs18?expand=0&rev=64
CVEs are fixed in this release:
* (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass
Experimental Policy Mechanism (High)
* (CVE-2023-30585, bsc#1212579): Privilege escalation via
Malicious Registry Key manipulation during Node.js
installer repair process (Medium)
* (CVE-2023-30588, bsc#1212581): Process interuption due to invalid
Public Key information in x509 certificates (Medium)
* (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via
Empty headers separated by CR (Medium)
* (CVE-2023-30590, bsc#1212583): DiffieHellman does not
generate keys after setting a private key (Medium)
* c-ares security issues:
+ CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
(bsc#1211604)
+ CVE-2023-31147 Moderate. Insufficient randomness in generation
of DNS query IDs (bsc#1211605)
+ CVE-2023-31130. Moderate. Buffer Underwrite in
ares_inet_net_pton() (bsc#1211606)
+ CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
during cross compilation (bsc#1211607)
- fix_ci_tests.patch: increase default timeout on unit tests
to 20min from 2min. This seems to have lead to build failures
on some platforms, like s390x in Factory. (bsc#1211407)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs18?expand=0&rev=61
* lib - add diagnostics channel for process and worker
* os - add machine method
* report - expose report public native apis
* src - expose environment RequestInterrupt api
* vm - include vm context in the embedded snapshot
- Changes in 18.8.0:
* bootstrap: implement run-time user-land snapshots via
--build-snapshot and --snapshot-blob. See
* crypto:
+ allow zero-length IKM in HKDF and in webcrypto PBKDF2
+ allow zero-length secret KeyObject
* deps: upgrade npm to 8.18.0
* http: make idle http parser count configurable
* net: add local family
* src: print source map error source on demand
* tls: pass a valid socket on tlsClientError
- dns.patch: upstreamed, removed
- nodejs-libpath.patch, versioned.patch: refreshed
- fix_ci_tests.patch: partially upstreamed
- openssl3_fixups.patch: fix unit tests with openssl 1.1.1
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs18?expand=0&rev=7
