Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update node.js to v14 #373

Closed
wants to merge 1 commit into from
Closed

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 22, 2021

WhiteSource Renovate

This PR contains the following updates:

Package Update Change
node major 12.21.0 -> 14.16.1

Release Notes

nodejs/node

v14.16.1

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
  • CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
  • CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    • This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in GHSA-c4w7-xm78-47vh
    • Impacts:
      • All versions of the 14.x, 12.x and 10.x releases lines
Commits

v14.16.0

Compare Source

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v14.15.5

Compare Source

Notable Changes
Commits

v14.15.4

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

  • CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)

  • CVE-2020-8265: use-after-free in TLSWrap (High)

    • Affected Node.js versions are vulnerable to a use-after-free bug in
      its TLS implementation. When writing to a TLS enabled socket,
      node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
      allocated WriteWrap object as first argument. If the DoWrite method
      does not return an error, this object is passed back to the caller as
      part of a StreamWriteResult structure. This may be exploited to
      corrupt memory leading to a Denial of Service or potentially other
      exploits.
  • CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)

    • Affected versions of Node.js allow two copies of a header field in
      a http request. For example, two Transfer-Encoding header fields. In
      this case Node.js identifies the first header field and ignores the
      second. This can lead to HTTP Request Smuggling
      (https://cwe.mitre.org/data/definitions/444.html).
Commits

v14.15.3

Compare Source

Notable Changes

Node.js v14.15.2 included a commit that has caused reported breakages when cloning request objects. This release reverts the commit that introduced the behaviour change. See #​36550 for more details.

Commits

v14.15.2

Compare Source

Notable Changes
  • deps:
    • upgrade npm to 6.14.9 (Myles Borins) #​36450
    • update acorn to v8.0.4 (Michaël Zasso) #​35791
  • doc: add release key for Danielle Adams (Danielle Adams) #​35545
  • http2: check write not scheduled in scope destructor (David Halls) #​36241
  • stream: fix regression on duplex end (Momtchil Momtchev) #​35941
Commits

v14.15.1

Compare Source

Notable changes

This is a security release.

Vulnerabilities fixed:

  • CVE-2020-8277: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses.
Commits

v14.15.0

Compare Source

Notable Changes

This release marks the transition of Node.js 14.x into Long Term Support (LTS)
with the codename 'Fermium'. The 14.x release line now moves into "Active LTS"
and will remain so until October 2021. After that time, it will move into
"Maintenance" until end of life in April 2023.

Commits

v14.14.0

Compare Source

Notable Changes
Commits

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot requested a review from prisis as a code owner February 22, 2021 17:52
@renovate renovate bot added Changed Changelog Changed dependency Pull requests that update a dependency file labels Feb 22, 2021
@renovate renovate bot force-pushed the renovate/node-14.x branch from 086f348 to 9e3807b Compare February 23, 2021 13:57
@renovate renovate bot force-pushed the renovate/node-14.x branch from 9e3807b to 38ad32b Compare March 12, 2021 12:28
@renovate renovate bot force-pushed the renovate/node-14.x branch from 38ad32b to 0a9a131 Compare April 6, 2021 21:10
@prisis prisis closed this Sep 24, 2021
@renovate
Copy link
Contributor Author

renovate bot commented Sep 24, 2021

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 14.x releases. But if you manually upgrade to 14.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

@renovate renovate bot deleted the renovate/node-14.x branch September 24, 2021 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Changed Changelog Changed dependency Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants