Skip to content
This repository has been archived by the owner on Nov 13, 2021. It is now read-only.

chore(deps): update node.js to v12.22.7 #159

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 24, 2020

WhiteSource Renovate

This PR contains the following updates:

Package Update Change
node minor 12.19.1 -> 12.22.7

Release Notes

nodejs/node

v12.22.7

Compare Source

This is a security release.

Notable changes
  • CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
    • The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
  • CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
    • The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
Commits

v12.22.6

Compare Source

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

You can read more about it in:

Commits

v12.22.5

Compare Source

This is a security release.

Notable Changes
  • CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
    • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
  • CVE-2021-22940: Use after free on close http2 on stream canceling (High)
  • CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
    • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Commits

v12.22.4

Compare Source

This is a security release.

Notable Changes
Commits

v12.22.3

Compare Source

Notable Changes

Node.js 12.22.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.

Commits

v12.22.2

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
    • Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
  • CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
    • Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
  • CVE-2021-27290: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High)
    • This is a vulnerability in the ssri npm mudule which may be vulnerable to denial of service attacks. You can read more about it in GHSA-vx3p-948g-6vhq
  • CVE-2021-23362: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium)
Commits

v12.22.1

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines
Commits

v12.22.0

Compare Source

Notable changes
The legacy HTTP parser is runtime deprecated

The legacy HTTP parser, selected by the --http-parser=legacy command line
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it
is the only HTTP parser implementation provided) at the end of April 2021. It
will now warn on use but otherwise continue to function and may be removed in
a future Node.js 12.x release.

The default HTTP parser based on llhttp is not affected. By default it is
stricter than the now deprecated legacy HTTP parser. If interoperability with
HTTP implementations that send invalid HTTP headers is required, the HTTP
parser can be started in a less secure mode with the --insecure-http-parser
command line option.

Contributed by Beth Griggs #​37603.

ES Modules

ES Modules are now considered stable.

Contributed by Guy Bedford #​35781

node-api

Updated to node-api version 8 and added an experimental API to allow retrieval of the add-on file name.

Contributed by Gabriel Schulhof #​37652 and #​37195.

New API's to control code coverage data collection

v8.stopCoverage() and v8.takeCoverage() have been added.

Contributed by Joyee Cheung #​33807.

New API to monitor event loop utilization by Worker threads

worker.performance.eventLoopUtilization() has been added.

Contributed by Trevor Norris #​35664.

Commits

v12.21.0

Compare Source

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v12.20.2

Compare Source

Notable changes
  • deps:
    • upgrade npm to 6.14.11 (Ruy Adorno) #​37173
Commits

v12.20.1

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8265: use-after-free in TLSWrap (High)
    Affected Node.js versions are vulnerable to a use-after-free bug in its
    TLS implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
    allocated WriteWrap object as first argument. If the DoWrite method does
    not return an error, this object is passed back to the caller as part of
    a StreamWriteResult structure. This may be exploited to corrupt memory
    leading to a Denial of Service or potentially other exploits
  • CVE-2020-8287: HTTP Request Smuggling in nodejs
    Affected versions of Node.js allow two copies of a header field in a
    http request. For example, two Transfer-Encoding header fields. In this
    case Node.js identifies the first header field and ignores the second.
    This can lead to HTTP Request Smuggling
    (https://cwe.mitre.org/data/definitions/444.html).
  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
    This is a vulnerability in OpenSSL which may be exploited through Node.js.
    You can read more about it in
    https://www.openssl.org/news/secadv/20201208.txt
Commits

v12.20.0

Compare Source

Notable Changes
Commits

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from ee62e17 to 990a5fc Compare December 2, 2020 23:03
@renovate renovate bot force-pushed the renovate/node-12.x branch 4 times, most recently from 7081483 to 26b2e90 Compare December 12, 2020 04:34
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from 1562c45 to ab4d2e1 Compare December 20, 2020 04:19
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from 63c3a8c to ff8f6e0 Compare January 4, 2021 19:52
@renovate renovate bot changed the title chore(deps): update node.js to v12.20.0 chore(deps): update node.js to v12.20.1 Jan 4, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch 3 times, most recently from 2cb5559 to d8df37f Compare January 8, 2021 12:10
@renovate renovate bot force-pushed the renovate/node-12.x branch 3 times, most recently from ab38416 to a3f7b16 Compare January 22, 2021 01:26
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from b313910 to 4bf641f Compare February 4, 2021 08:10
@renovate renovate bot force-pushed the renovate/node-12.x branch from 4bf641f to f085e64 Compare February 10, 2021 21:33
@renovate renovate bot changed the title chore(deps): update node.js to v12.20.1 chore(deps): update node.js to v12.20.2 Feb 10, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch 4 times, most recently from 9eb2dee to c9e3647 Compare February 19, 2021 19:59
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from 58691ef to 05f4e51 Compare February 23, 2021 14:08
@renovate renovate bot changed the title chore(deps): update node.js to v12.20.2 chore(deps): update node.js to v12.21.0 Feb 23, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch from 05f4e51 to 2ef69f4 Compare March 1, 2021 01:12
@renovate renovate bot force-pushed the renovate/node-12.x branch from 2ef69f4 to 9786eed Compare March 10, 2021 16:02
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from c41257a to 1f38946 Compare July 5, 2021 16:25
@renovate renovate bot changed the title chore(deps): update node.js to v12.22.2 chore(deps): update node.js to v12.22.3 Jul 5, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch from 1f38946 to b0929e4 Compare July 8, 2021 01:01
@renovate renovate bot force-pushed the renovate/node-12.x branch 3 times, most recently from 6ecf7ed to c6721b6 Compare July 23, 2021 00:57
@renovate renovate bot force-pushed the renovate/node-12.x branch from c6721b6 to 421ec79 Compare July 29, 2021 17:43
@renovate renovate bot changed the title chore(deps): update node.js to v12.22.3 chore(deps): update node.js to v12.22.4 Jul 29, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch from 421ec79 to 967c46c Compare August 1, 2021 02:34
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from bad3b1a to ba623a6 Compare August 11, 2021 17:00
@renovate renovate bot changed the title chore(deps): update node.js to v12.22.4 chore(deps): update node.js to v12.22.5 Aug 11, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from c413bc1 to 8e73a31 Compare August 13, 2021 23:37
@renovate renovate bot force-pushed the renovate/node-12.x branch 2 times, most recently from d5ecbc8 to 0ad5cba Compare August 26, 2021 03:34
@renovate renovate bot force-pushed the renovate/node-12.x branch from 0ad5cba to 391dfd0 Compare August 31, 2021 15:19
@renovate renovate bot changed the title chore(deps): update node.js to v12.22.5 chore(deps): update node.js to v12.22.6 Aug 31, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch 3 times, most recently from 7b0b9aa to db689ec Compare September 18, 2021 09:49
@renovate renovate bot force-pushed the renovate/node-12.x branch from db689ec to 97dcc75 Compare October 19, 2021 02:38
@renovate renovate bot changed the title chore(deps): update node.js to v12.22.6 chore(deps): update node.js to v12.22.7 Oct 19, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch 4 times, most recently from 50610da to 116789e Compare October 21, 2021 09:53
@renovate renovate bot force-pushed the renovate/node-12.x branch from 116789e to 21441d8 Compare October 22, 2021 14:29
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant