Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update node.js to v20 #220

Merged
merged 3 commits into from
Feb 19, 2024
Merged

chore(deps): update node.js to v20 #220

merged 3 commits into from
Feb 19, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 15, 2024

Mend Renovate

This PR contains the following updates:

Package Type Update Change Age Adoption Passing Confidence
node final major 18-bookworm-slim -> 20-bookworm-slim age adoption passing confidence
node stage major 18-bookworm-slim -> 20-bookworm-slim age adoption passing confidence
@types/node (source) devDependencies major ^12.0.0 -> ^20.0.0 age adoption passing confidence

Release Notes

nodejs/node (node)

v20.11.1: 2024-02-14, Version 20.11.1 'Iron' (LTS), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

Notable changes

This is a security release.

Notable changes
  • CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
  • CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
  • CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
  • CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
  • CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
  • CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
  • CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
  • CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
  • undici version 5.28.3
  • libuv version 1.48.0
  • OpenSSL version 3.0.13+quic1
Commits

v20.11.0: 2024-01-09, Version 20.11.0 'Iron' (LTS), @​UlisesGascon

Compare Source

Notable Changes
Commits

v20.10.0: 2023-11-22, Version 20.10.0 'Iron' (LTS), @​targos

Compare Source

Notable Changes
--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default
module system used by Node.js. Input that is already explicitly defined as ES
modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs
file extension or the --input-type flag, is unaffected. What is currently
implicitly CommonJS would instead be interpreted as ES modules under
--experimental-default-type=module:

  • String input provided via --eval or STDIN, if --input-type is unspecified.

  • Files ending in .js or with no extension, if there is no package.json file
    present in the same folder or any parent folder.

  • Files ending in .js or with no extension, if the nearest parent
    package.json field lacks a type field; unless the folder is inside a
    node_modules folder.

In addition, extensionless files are interpreted as Wasm if
--experimental-wasm-modules is passed and the file contains the "magic bytes"
Wasm header.

Contributed by Geoffrey Booth in #​49869.

Detect ESM syntax in ambiguous JavaScript

The new flag --experimental-detect-module can be used to automatically run ES
modules when their syntax can be detected. For “ambiguous” files, which are
.js or extensionless files with no package.json with a type field, Node.js
will parse the file to detect ES module syntax; if found, it will run the file
as an ES module, otherwise it will run the file as a CommonJS module. The same
applies to string input via --eval or STDIN.

We hope to make detection enabled by default in a future version of Node.js.
Detection increases startup time, so we encourage everyone—especially package
authors—to add a type field to package.json, even for the


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added dependencies Pull requests that update a dependency file major labels Jan 15, 2024
@renovate renovate bot force-pushed the renovate/node-20.x branch 2 times, most recently from 74a316d to 982ea2a Compare January 20, 2024 16:28
@renovate renovate bot force-pushed the renovate/node-20.x branch 2 times, most recently from 3c6cd27 to b48af34 Compare January 31, 2024 13:21
@renovate renovate bot force-pushed the renovate/node-20.x branch 2 times, most recently from 23733f0 to 319bfb6 Compare February 10, 2024 15:00
@renovate renovate bot changed the title Update Node.js to v20 chore(deps): update node.js to v20 Feb 13, 2024
@renovate renovate bot force-pushed the renovate/node-20.x branch 2 times, most recently from 05cbff4 to 25a7517 Compare February 16, 2024 20:52
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/node-20.x branch from 25a7517 to 9731428 Compare February 19, 2024 14:43
Signed-off-by: Andre Wanlin <[email protected]>
Copy link
Contributor Author

renovate bot commented Feb 19, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

Signed-off-by: Andre Wanlin <[email protected]>
Copy link
Collaborator

@awanlin awanlin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! 🚀

@awanlin awanlin merged commit dd624d9 into master Feb 19, 2024
3 checks passed
@awanlin awanlin deleted the renovate/node-20.x branch February 19, 2024 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file major
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant