This was not done before the security release because the latest CVE was
not known at the time.
PR-URL: https://github.com/nodejs/node/pull/45341
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Add a GitHub Action that checks for new versions of the `base64` C
library, and creates a PR to update it if a newer version than the one
present in the repo is found.
Refs: https://github.com/nodejs/security-wg/issues/828
PR-URL: https://github.com/nodejs/node/pull/45300
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Core modules are currently distinguished with the `node:` prefix.
This updates a few examples in docs to use the prefix for consistency.
Signed-off-by: Daeyeon Jeong <daeyeon.dev@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/45328
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Do not immediately check the `tcpserver` hook invocations when it
closes. Do it in the next iteration of the event loop.
PR-URL: https://github.com/nodejs/node/pull/42340
Refs: https://github.com/nodejs/node/pull/42340#issuecomment-1290964192
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Do not delay the call to `stream.end()` too much.
PR-URL: https://github.com/nodejs/node/pull/42340
Refs: https://github.com/nodejs/node/pull/42340#issuecomment-1261163284
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
The `'error'` event is not emitted because the socket is already
destroyed when `socket.write()` is called. Use the `socket.write()`
callback instead.
PR-URL: https://github.com/nodejs/node/pull/42340
Refs: https://github.com/nodejs/node/pull/42340#issuecomment-1182387070
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Make `os.userInfo()` convert the `uid` and `gid` fields to 32-bit signed
integers on Windows.
PR-URL: https://github.com/nodejs/node/pull/42340
Refs: https://github.com/libuv/libuv/commit/f3e0bffcb14
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: https://github.com/nodejs/node/pull/45287
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/45315
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
This is a security release.
Notable changes:
The following CVEs are fixed in this release:
- CVE-2022-3602: A buffer overrun can be triggered in X.509
certificate verification (High)
- CVE-2022-3786: A buffer overrun can be triggered in X.509
certificate verification (High)
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
address (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/365
After an OpenSSL source update, all the config files need to be
regenerated and committed by:
    $ make -C deps/openssl/config clean
    $ make -C deps/openssl/config
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl
    $ git commit
CVE-ID: CVE-2022-3602, CVE-2022-3786
PR-URL: https://github.com/nodejs/node/pull/45286
Use inet_pton() to parse IP addresses, which restricts IP addresses
to a small number of well-defined formats. In particular, octal and
hexadecimal number formats are not allowed, and neither are leading
zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable.
Refs: https://hackerone.com/reports/1710652
CVE-ID: CVE-2022-43548
PR-URL: https://github.com/nodejs-private/node-private/pull/354
Reviewed-by: Michael Dawson <midawson@redhat.com>
Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-by: Rich Trott <rtrott@gmail.com>
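The check described in the commit message above, as an added example (not the Node.js patch itself): a strict IP-literal validator built on inet_pton() that also rejects 0.0.0.0/8 and ::/128, next to inet_addr(), which accepts octal, hexadecimal and leading-zero components. The helper names and the sample inputs are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper, not Node.js's own function. Returns true only when
 * `host` is an IP literal in one of inet_pton()'s strict formats and is
 * neither in 0.0.0.0/8 nor the IPv6 unspecified address (::/128). */
bool is_acceptable_ip_literal(const char *host) {
  struct in_addr v4;
  struct in6_addr v6;

  if (inet_pton(AF_INET, host, &v4) == 1) {
    /* s_addr is in network byte order, so its first byte is the first octet. */
    const unsigned char *octets = (const unsigned char *)&v4.s_addr;
    return octets[0] != 0; /* reject 0.0.0.0/8 */
  }
  if (inet_pton(AF_INET6, host, &v6) == 1)
    return !IN6_IS_ADDR_UNSPECIFIED(&v6); /* reject ::/128 */

  return false; /* not a strictly formatted IP literal */
}

/* For contrast: inet_addr() also accepts octal and hexadecimal components
 * and leading zeros, so several spellings map to the same address. */
bool legacy_inet_addr_accepts(const char *host) {
  return inet_addr(host) != INADDR_NONE;
}

int main(void) {
  /* Constructed sample inputs. */
  const char *samples[] = {"127.0.0.1",  "0177.0.0.1", "0x7f.0.0.1",
                           "127.0.0.01", "0.0.0.0",    "::",
                           "::1",        "2001:db8::1"};

  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
    printf("%-12s strict=%d legacy=%d\n", samples[i],
           is_acceptable_ip_literal(samples[i]),
           legacy_inet_addr_accepts(samples[i]));
  return 0;
}
```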
This is a security release.
Notable changes:
The following CVEs are fixed in this release:
- CVE-2022-3786: A buffer overrun can be triggered in X.509
certificate verification (High)
- CVE-2022-3602: A buffer overrun can be triggered in X.509
certificate verification (High)
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
address (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/366
This is a security release.
Notable changes:
The following CVEs are fixed in this release:
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
address (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/363
This is a security release.
Notable changes:
The following CVEs are fixed in this release:
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
address (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/362
The name has been changed from nodejs-dev to nodejs-core.
PR-URL: https://github.com/nodejs/node/pull/45293
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Signed-off-by: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/45146
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/45209
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
PR-URL: https://github.com/nodejs/node/pull/45209
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
PR-URL: https://github.com/nodejs/node/pull/45265
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
PR-URL: https://github.com/nodejs/node/pull/44937
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
PR-URL: https://github.com/nodejs/node/pull/42856
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
The `Shift_JIS` encoding may not be available, e.g. when Node.js is
configured with `--with-intl=small-icu`.
PR-URL: https://github.com/nodejs/node/pull/45225
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Kohei Ueno <kohei.ueno119@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>