Skip to content
This repository has been archived by the owner on Mar 17, 2023. It is now read-only.

chore(deps): update node.js to v18 #65

Open
wants to merge 1 commit into
base: rewrite
Choose a base branch
from
Open

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 25, 2022

Mend Renovate

This PR contains the following updates:

Package Type Update Change Age Adoption Passing Confidence
node major 16.18.0 -> 18.15.0 age adoption passing confidence
@types/node (source) devDependencies major ^16.11.21 -> ^18.0.0 age adoption passing confidence

Release Notes

nodejs/node

v18.15.0: 2023-03-07, Version 18.15.0 'Hydrogen' (LTS), @​BethGriggs prepared by @​juanarbol

Compare Source

Notable Changes
Commits

v18.14.2: 2023-02-21, Version 18.14.2 'Hydrogen' (LTS), @​MylesBorins

Compare Source

Notable Changes
Commits

v18.14.1: 2023-02-16, Version 18.14.1 'Hydrogen' (LTS), @​RafaelGSS prepared by @​juanarbol

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

  • CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
  • CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
  • CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
  • CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
  • CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.

This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory.

Commits

v18.14.0: 2023-02-02, Version 18.14.0 'Hydrogen' (LTS), @​BethGriggs prepared by @​juanarbol

Compare Source

Notable changes
Updated npm to 9.3.1

Based on the list of guidelines we've established on integrating npm and node,
here is a grouped list of the breaking changes with the reasoning as to why they
fit within the guidelines linked above. Note that all the breaking changes were
made in 9.0.0.
All subsequent minor and patch releases after [email protected] do not contain any
breaking changes.

Engines

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

  • npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0
Filesystem

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

  • npm will no longer attempt to modify ownership of files it creates.
Auth

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

  • The presence of auth related settings that are not scoped to a specific
    registry found in a config file is no longer supported and will throw errors.
Login

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacy. login and adduser have also been seperated making each command more closely match it's name instead of being aliases for each other.

  • Legacy auth types sso, saml & legacy have been consolidated into "legacy".
  • auth-type defaults to "web"
  • login and adduser are now separate commands that send different data to the registry.
  • auth-type config values web and legacy only try their respective methods,
    npm no longer tries them all and waits to see which one doesn't fail.
Tarball Packing

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

  • npm pack now follows a strict order of operations when applying ignore rules.
    If a files array is present in the package.json, then rules in .gitignore
    and .npmignore files from the root will be ignored.
Display/Debug/Timing Info

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

  • Links generated from git urls will now use HEAD instead of master as the default ref.
  • timing has been removed as a value for --loglevel.
  • --timing will show timing information regardless of --loglevel, except when --silent.
  • When run with the --timing flag, npm now writes timing data to a file
    alongside the debug log data, respecting the logs-dir option and falling
    back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
  • The timing file data is no longer newline delimited JSON, and instead each run
    will create a uniquely named <ID>-timing.json file, with the <ID> portion
    being the same as the debug log.
  • npm now outputs some json errors on stdout. Previously npm would output
    all json formatted errors on stderr, making it difficult to parse as the
    stderr stream usually has logs already written to it.
Config/Command Deprecations or Removals

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

  • Deprecate boolean install flags in favor of --install-strategy.
  • npm config set will no longer accept deprecated or invalid config options.
  • install-links config defaults to "true".
  • node-version config has been removed.
  • npm-version config has been removed.
  • npm access subcommands have been renamed.
  • npm birthday has been removed.
  • npm set-script has been removed.
  • npm bin has been removed (use npx or npm exec to execute binaries).
Other notable changes
  • doc:
    • add parallelism note to os.cpus() (Colin Ihrig) #​45895
  • http:
    • join authorization headers (Marco Ippolito) #​45982
    • improved timeout defaults handling (Paolo Insogna) #​45778
  • stream:
    • implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) #​46205
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the maintenance label Oct 25, 2022
@renovate renovate bot force-pushed the renovate/node-18.x branch from 1d7189e to aeeaafe Compare October 25, 2022 23:21
@renovate renovate bot force-pushed the renovate/node-18.x branch from aeeaafe to 5774012 Compare November 4, 2022 20:46
@renovate renovate bot force-pushed the renovate/node-18.x branch from 5774012 to c678491 Compare March 16, 2023 12:05
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants