Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merged PR 12242: Update Node.js to v20
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [node](https://github.com/nodejs/node) | engines | major | [`18.x` -> `20.x`](https://renovatebot.com/diffs/npm/node/v18.18.2/v20.9.0) | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v20.9.0`](https://github.com/nodejs/node/releases/tag/v20.9.0): 2023-10-24, Version 20.9.0 'Iron' (LTS), @​richardlau [Compare Source](nodejs/node@v20.8.1...v20.9.0) ##### Notable Changes This release marks the transition of Node.js 20.x into Long Term Support (LTS) with the codename 'Iron'. The 20.x release line now moves into "Active LTS" and will remain so until October 2024. After that time, it will move into "Maintenance" until end of life in April 2026. ##### Known issue Collecting code coverage via the `NODE_V8_COVERAGE` environment variable may lead to a hang. This is not thought to be a regression in Node.js 20 (some reports are on Node.js 18). For more information, including some potential workarounds, see issue [#​49344](nodejs/node#49344). ### [`v20.8.1`](https://github.com/nodejs/node/releases/tag/v20.8.1): 2023-10-13, Version 20.8.1 (Current), @​RafaelGSS [Compare Source](nodejs/node@v20.8.0...v20.8.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) - [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) - [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High) - [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High) - [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) - [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low) More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post. ##### Commits - \[[`c86883e844`](nodejs/node@c86883e844)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#​50121](nodejs/node#50121) - \[[`2860631359`](nodejs/node@2860631359)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#​50153](nodejs/node#50153) - \[[`cd37838bf8`](nodejs/node@cd37838bf8)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#&...
- Loading branch information