Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update dependency node to v20 #150

Closed
wants to merge 1 commit into from

Conversation

tradeshift-renovate[bot]
Copy link
Contributor

@tradeshift-renovate tradeshift-renovate bot commented Jan 21, 2024

This PR contains the following updates:

Package Update Change
node (source) major 16 -> 20

Release Notes

nodejs/node (node)

v20.11.1: 2024-02-14, Version 20.11.1 'Iron' (LTS), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

Notable changes

This is a security release.

Notable changes
  • CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
  • CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
  • CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
  • CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
  • CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
  • CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
  • CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
  • CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
  • undici version 5.28.3
  • libuv version 1.48.0
  • OpenSSL version 3.0.13+quic1
Commits

v20.11.0: 2024-01-09, Version 20.11.0 'Iron' (LTS), @​UlisesGascon

Compare Source

Notable Changes
Commits

v20.10.0: 2023-11-22, Version 20.10.0 'Iron' (LTS), @​targos

Compare Source

Notable Changes
--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default
module system used by Node.js. Input that is already explicitly defined as ES
modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs
file extension or the --input-type flag, is unaffected. What is currently
implicitly CommonJS would instead be interpreted as ES modules under
--experimental-default-type=module:

  • String input provided via --eval or STDIN, if --input-type is unspecified.

  • Files ending in .js or with no extension, if there is no package.json file
    present in the same folder or any parent folder.

  • Files ending in .js or with no extension, if the nearest parent
    package.json field lacks a type field; unless the folder is inside a
    node_modules folder.

In addition, extensionless files are interpreted as Wasm if
--experimental-wasm-modules is passed and the file contains the "magic bytes"
Wasm header.

Contributed by Geoffrey Booth in #​49869.

Detect ESM syntax in ambiguous JavaScript

The new flag --experimental-detect-module can be used to automatically run ES
modules when their syntax can be detected. For “ambiguous” files, which are
.js or extensionless files with no package.json with a type field, Node.js
will parse the file to detect ES module syntax; if found, it will run the file
as an ES module, otherwise it will run the file as a CommonJS module. The same
applies to string input via --eval or STDIN.

We hope to make detection enabled by default in a future version of Node.js.
Detection increases startup time, so we encourage everyone—especially package
authors—to add a type field to package.json, even for the default
"type": "commonjs". The presence of a type field, or explicit extensions
such as .mjs or .cjs, will opt out of detection.

Contributed by Geoffrey Booth in #​50096.

New flush option in file system functions

When writing to files, it is possible that data is not immediately flushed to
permanent storage. This allows subsequent read operations to see stale data.
This PR adds a 'flush' option to the fs.writeFile family of functions which
forces the data to be flushed at the end of a successful write operation.

Contributed by Colin Ihrig in #​50009 and #​50095.

Experimental WebSocket client

Adds a --experimental-websocket flag that adds a WebSocket
global, as standardized by WHATWG.

Contributed by Matthew Aitken in #​49830.

vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script
stopped hitting the V8 compilation cache after v16.x when support for
importModuleDynamically was added to vm.Script, resulting in a performance
regression that blocked users (in particular Jest users) from upgrading from
v16.x.

The recent fixes allow the compilation cache to be hit again
for vm.Script when --experimental-vm-modules is not used even in the
presence of the importModuleDynamically option, so that users affected by the
performance regression can now upgrade. Ongoing work is also being done to
enable compilation cache support for vm.CompileFunction.

Contributed by Joyee Cheung in #​49950
and #​50137.

Other notable changes
  • [21453ae555] - (SEMVER-MINOR) deps: update uvwasi to 0.0.19 (Node.js GitHub Bot) #​49908
  • [ee65e44c31] - esm: use import attributes instead of import assertions (Antoine du Hamel) [#​50

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@tradeshift-renovate tradeshift-renovate bot added the dependencies Pull requests that update a dependency file label Jan 21, 2024
@tssecurity tssecurity closed this Mar 20, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant