chore(deps): update all (major)

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
actions/cache	action	major	v2 -> v4
actions/checkout	action	major	v2 -> v4
actions/setup-node	action	major	v2 -> v4
luxon	devDependencies	major	2.3.0 -> 3.5.0
node (source)		major	18 -> 20
p-each-series	devDependencies	major	2.2.0 -> 3.0.0
prettier (source)	devDependencies	major	2.5.1 -> 3.3.3
sort-keys	devDependencies	major	4.2.0 -> 5.1.0
stefanzweifel/git-auto-commit-action	action	major	v4 -> v5

---

Release Notes

actions/cache (actions/cache)

v4

Compare Source

v3

Compare Source

actions/checkout (actions/checkout)

v4

Compare Source

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in https://github.com/actions/checkout/pull/1739
• Bump actions/checkout from 3 to 4 by @​dependabot in https://github.com/actions/checkout/pull/1697
• Check out other refs/* by commit by @​orhantoy in https://github.com/actions/checkout/pull/1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in https://github.com/actions/checkout/pull/1776

v3

Compare Source

• Fix: Mark test scripts with Bash'isms to be run via Bash
• Add option to fetch tags even if fetch-depth > 0

actions/setup-node (actions/setup-node)

v4

Compare Source

v3

Compare Source

moment/luxon (luxon)

v3.5.0

Compare Source

• Various performance improvements
• throwOnInvalid causes the constructor to throw if the year is invalid

v3.4.4

Compare Source

• Localized week support (#​1454)
• Added custom inspect for Node (#​1526)
• Fix sorting in Interval.splitAt (#​1524)

v3.4.3

Compare Source

• Fixes another regression from 3.4.0 (#​1496)

v3.4.2

Compare Source

• Fixes regression from 3.4.1 (#​1493)

v3.4.1

Compare Source

• Fixes for regressions from 3.4.0 (#​1482 and #​1488)

v3.4.0

Compare Source

• Fix type checking on input zones
• Fix Islamic months listing
• Fix normalize() for negative inputs

v3.3.0

Compare Source

• Fix off-by-one in Interval#count (#​1308)
• Support formatting for custom zones (#​1377)
• Fix parsing for narrow spaces (#​1369)
• Handle leap year issue with AD 100 (#​1390)
• Allow parsing of just an offset

v3.2.1

Compare Source

• Fix for RFC-2822 regex vulnerability
• Better handling of BCP tags with -x- extensions

v3.2.0

Compare Source

• Allow timeZone to be specified as an intl option
• Fix for diff's handling of end-of-month when crossing leap years (#​1340)
• Add Interval.toLocaleString() (#​1320)

v3.1.1

Compare Source

• Add Settings.twoDigitCutoffYear

v3.1.0

Compare Source

• Add Duration.rescale

v3.0.4

Compare Source

• Fix quarters in diffs (#​1279)
• Export package.json in package (#​1239)

v3.0.3

Compare Source

v3.0.2

Compare Source

• Lots of doc changes
• Added DateTime.expandFormat
• Added support for custom conversion matrices in Durations

v3.0.1

Compare Source

• Add DateTime.parseFormatForOpts

v3.0.0

Compare Source

• Add "default" as an option for specifying a zone, and change "system" to really mean the system zone (breaking change)

v2.5.2

Compare Source

v2.5.1

Compare Source

v2.5.0

Compare Source

• Support for ESM-style node imports
• Fix Wednesday parsing for RFC 850 strings
• Increase number of digits allowed in ISO durations

2.4.0 (2022-05-08)

• Add support for parsing the ISO zone extension, like 2022-05-08T20:42:00.000-04:00[America/New_York]
• Add an extendedZone option to toISO() and toISOTime
• Improvements to DateTime.isInDST()
• Fix for parsing in Vietnames (and probably other languages)

2.3.2 (2022-04-17)

• Fix timezone calculations for negative years
• add week formatting token "w" for durations
• fix weekday computation for years 0-100

2.3.1 (2022-02-23)

• Added an includeOffsetSpace option to toSQL and toSQLTime
• Added toUnixInteger
• Don't use -0 when negating durations with zeros in them

2.3.0 (2022-01-02)

• Major perf improvements to toISO(), toISODate(), toISOTime(), and toSQLDate()
• Fixed date padding for negative years in toISO()
• Added Duration#toHuman()

2.2.0 (2021-12-10)

• Allow offsets to pick among ambiguous times when both an offset and zone are provided to fromFormat
• Fix a floating point bug in Duration.shiftTo()

2.1.1 (2021-11-08)

• Fix issue in quirky environments that lack hourCycle support and sometimes computed offsets 12 hours off

2.1.0 (2021-11-07)

• Stop special casing of Etc/GMT* zones
• export fromDurationLike
• memoize zone validation
• Support for fractional elements in duration ISO parsing
• Added uu and uuu tokens for fractional millisecond parsing

2.0.2 (2021-08-08)

Fix locale defaulting

2.0.0 (2021-07-3)

See Upgrading section

1.28.0 (2021-07-03)

• Fix ISO parsing for offset specifiers in Year-Ordinal formats

1.27.0 (2021-05-08)

• Fix GMT zone parsing for older versions of Node
• Support multiple units in toRelative
• Various documentation updates

1.26.0 (2021-02-13)

• Add fromISOTime, toISOTime and toMillis to Duration (#​803)
• Fix padding of negative years in IsoDate (#​871)
• Fix hasSame unit comparison (#​798)
• Export VERSION information (#​794)
• Durations are considered equal with extra zero units. Fixes #​809 (#​811)

1.25.0 (2020-08-23)

• fix fromFormat with Intl formats containing non-breaking spaces
• Support higher precision in ISO milliseconds
• Some fixes for 00:30 timezones
• Fix some throwOnInvalid for invalid Intervals
• Various doc fixes
• Fix Interval#isSame for empty intervals
• Mark package as side effect-free
• Add support for intervals with a large number of seconds

1.24.1 (2020-05-04)

• Remove erroneous console.log call

1.24.0 (2020-05-03)

• Update polyfills for pollyfilled build

1.23.0 (2020-04-02)

• Allow minus sign prefix when creating Duration from ISO

1.22.2 (2020-03-25)

• Added more details to error messages for type errors

1.22.1 (2020-03-19)

• Added support for ISO basic format to DateTime#toISO

1.22.0 (2020-01-26)

• Fix setZone's handling of pre-1970 dates with millisecond components
• Fix keepLocalTime for large jumps near the target zone's DST
• Fix cache perf for toRelative()

1.21.3 (2019-11-28)

• Fix parsing of meridiems in macro tokens in newer versions of v8

1.21.2 (2019-11-18)

• Fix bug in Chrome Canary that threw off time zone calculations

1.21.1 (2019-11-03)

• Fix for quarter parsing
• Some documentation updates

1.21.0 (2019-10-30)

• Added quarter support to the parser
• Fix some rounding issues in ISO formatting

1.20.0 (2019-10-29)

• Added Duration#mapUnits
• added Interval#toISODate and Interval#toISOTime
• Some documentation fixes

1.19.3

• Cache offset values
• Fix handling of negative sub 1-hour offsets

1.19.2

• Speculative fix for Node 6

1.19.1

• Fix Intl.DateTimeFormat usage for polyfills

1.19.0

• Interval#splitAt now ignores input dates outside the interval
• Don't allow decimals in DateTime creation

1.18.2

• Fix handling of decimals in DateTime#plus and #minus

1.18.1

• Fix validity when adding or subtracting time that exceeds Date max/min boundaries

1.18.0

• Add support for macro tokens in the parser

1.17.2

• Fix issue with toRelative using style: short with plural days

1.17.1

• Reject out-of-range numbers in DateTime.fromMillis
• Reject 0s in ISO date inputs

1.17.0

• DateTime.min and DateTime.max throw if they get the wrong kind of arguments
• Fixed throwOnInvalid logic for Interval
• Added DATETIME_MED_WITH_WEEKDAY preset

1.16.1

• Catch errors trying to use Intl in weird versions of IE 11

1.16.0

• Fixed locale default logic for `DateTime#toFormat("ZZZZ")

1.15.0

• Added formatOffset to Zones

1.14.0

• Allow the zone argument to Interval.fromISO with duration components
• Ignore the zone argument to Duration factory methods

1.13.3

• Fix keepLocalTime calculations that span offset changes

1.13.2

• Fixed ISO formatting for dates > 999

1.13.1

• Performance improvements for regex parsing

1.13.0

• Support numberSystem in fromFormat
• Fix validity for bad initial zone specifiers

1.12.1

• Fix cross-month diffs in some scenarios
• Fix time zone parsing when the time zone isn't at the end
• Memoize IANA zone creation

1.12.0

• Add some explicit CDN support to the NPM package
• Add week token to duration ISO support
• Lots of cleanup and test coverage changes

1.11.4

• setZone("local") now returns the defaultZone if it is set
• Fixes for the polyfilled build

1.11.3

• Allow 24:00 in ISO (and other) strings
• Fix some bugs with the typecheck functions like DateTime.isDateTime()

1.11.2

• Fixed handling of some characters in fromFormat literal sections
• Handle string values in object arguments to DateTime methods
• Fixed toRelativeCalendar's handling of zones in the base date

1.11.1

• Fix DateTime#plus() when spanning across AD 100

1.11.0

• Fix low-year handling for IANA zones
• DateTime#toLocal() now uses the default locale
• Fix zero duration formatting
• Many documentation fixes

1.10.0

• Fix endOf("day") during DSTs (#​399)
• Add `Interval#mapEndpoints (#​400)
• Add DateTime#zone and Info.normalizeZone (#​404)

1.9.0

• Add DateTime#toRelative and DateTime#toRelativeCalendar

1.8.3

• Allow "UTC" in the zone position of fromSQL
• Force isDateTime and isDuration to return booleans in all cases

1.8.2

• Trim leading \u200e characters from offset names in Edge 16 and 17

1.8.1

• Add DateTime.fromSeconds and DateTime#toSeconds

1.7.1

• Floor the seconds instead of rounding them when outputting the 'X' format
• Change the options to toLocale to override the configuration (the previous options were essentially ignored)

1.6.2

• Fixing merge error that resulted in bad error messages

1.6.0

• midly breaking Rework negative durations
• Fix handling

v2.4.0

Compare Source

• Add support for parsing the ISO zone extension, like 2022-05-08T20:42:00.000-04:00[America/New_York]
• Add an extendedZone option to toISO() and toISOTime
• Improvements to DateTime.isInDST()
• Fix for parsing in Vietnames (and probably other languages)

v2.3.2

Compare Source

• Fix timezone calculations for negative years
• add week formatting token "w" for durations
• fix weekday computation for years 0-100

v2.3.1

Compare Source

• Added an includeOffsetSpace option to toSQL and toSQLTime
• Added toUnixInteger
• Don't use -0 when negating durations with zeros in them

nodejs/node (node)

v20.17.0

Compare Source

v20.16.0

Compare Source

v20.15.1

Compare Source

v20.15.0: 2024-06-20, Version 20.15.0 'Iron' (LTS), @​marco-ippolito

Compare Source

test_runner: support test plans

It is now possible to count the number of assertions and subtests that are expected to run within a test. If the number of assertions and subtests that run does not match the expected count, the test will fail.

test('top level test', (t) => {
  t.plan(2);
  t.assert.ok('some relevant assertion here');
  t.subtest('subtest', () => {});
});

Contributed by Colin Ihrig in #​52860

inspector: introduce the --inspect-wait flag

This release introduces the --inspect-wait flag, which allows debugger to wait for attachement. This flag is useful when you want to debug the code from the beginning. Unlike --inspect-brk, which breaks on the first line, this flag waits for debugger to be connected and then runs the code as soon as a session is established.

Contributed by Kohei Ueno in #​52734

zlib: expose zlib.crc32()

This release exposes the crc32() function from zlib to user-land.

It computes a 32-bit Cyclic Redundancy Check checksum of data. If
value is specified, it is used as the starting value of the checksum,
otherwise, 0 is used as the starting value.

The CRC algorithm is designed to compute checksums and to detect error
in data transmission. It's not suitable for cryptographic authentication.

const zlib = require('node:zlib');
const { Buffer } = require('node:buffer');

let crc = zlib.crc32('hello');  // 907060870
crc = zlib.crc32('world', crc);  // 4192936109

crc = zlib.crc32(Buffer.from('hello', 'utf16le'));  // 1427272415
crc = zlib.crc32(Buffer.from('world', 'utf16le'), crc);  // 4150509955

Contributed by Joyee Cheung in #​52692

cli: allow running wasm in limited vmem with --disable-wasm-trap-handler

By default, Node.js enables trap-handler-based WebAssembly bound
checks. As a result, V8 does not need to insert inline bound checks
int the code compiled from WebAssembly which may speedup WebAssembly
execution significantly, but this optimization requires allocating
a big virtual memory cage (currently 10GB). If the Node.js process
does not have access to a large enough virtual memory address space
due to system configurations or hardware limitations, users won't
be able to run any WebAssembly that involves allocation in this
virtual memory cage and will see an out-of-memory error.

$ ulimit -v 5000000
$ node -p "new WebAssembly.Memory({ initial: 10, maximum: 100 });"
[eval]:1
new WebAssembly.Memory({ initial: 10, maximum: 100 });
^

RangeError: WebAssembly.Memory(): could not allocate memory
    at [eval]:1:1
    at runScriptInThisContext (node:internal/vm:209:10)
    at node:internal/process/execution:118:14
    at [eval]-wrapper:6:24
    at runScript (node:internal/process/execution:101:62)
    at evalScript (node:internal/process/execution:136:3)
    at node:internal/main/eval_string:49:3

--disable-wasm-trap-handler disables this optimization so that
users can at least run WebAssembly (with a less optimial performance)
when the virtual memory address space available to their Node.js
process is lower than what the V8 WebAssembly memory cage needs.

Contributed by Joyee Cheung in #​52766

Other Notable Changes

• [12512c3d0e] - doc: add pimterry to collaborators (Tim Perry) #​52874
• [9d485b40bb] - (SEMVER-MINOR) tools: fix get_asan_state() in tools/test.py (Joyee Cheung) #​52766
• [e98c305f52] - (SEMVER-MINOR) tools: support max_virtual_memory test configuration (Joyee Cheung) #​52766
• [dce0300896] - (SEMVER-MINOR) tools: support != in test status files (Joyee Cheung) #​52766

Commits

• [227093bfec] - assert: add deep equal check for more Error type (Zhenwei Jin) #​51805
• [184cfe5a71] - benchmark: filter non-present deps from start-cli-version (Adam Majer) #​51746
• [8b3e83bb53] - buffer: even faster atob (Daniel Lemire) #​52443
• [8d628c3255] - buffer: use size_t instead of uint32_t to avoid segmentation fault (Xavier Stouder) #​48033
• [16ae2b2933] - buffer: remove lines setting indexes to integer value (Zhenwei Jin) #​52588
• [48c15d0dcd] - build: remove deprecated calls for argument groups (Mohammed Keyvanzadeh) #​52913
• [1be8232d17] - build: drop base64 dep in GN build (Cheng) #​52856
• [918962d6e7] - build: make simdjson a public dep in GN build (Cheng) #​52755
• [5215b6fd8e] - build, tools: copy release assets to staging R2 bucket once built (flakey5) #​51394
• [473fa73857] - (SEMVER-MINOR) cli: allow running wasm in limited vmem with --disable-wasm-trap-handler (Joyee Cheung) #​52766
• [954d2aded4] - cluster: replace forEach with for-of loop (Jérôme Benoit) #​50317
• [794e450ea7] - console: colorize console error and warn (Jithil P Ponnan) #​51629
• [0fb7c18f10] - crypto: fix duplicated switch-case return values (Mustafa Ateş UZUN) #​49030
• [cd1415c8b2] - Revert "crypto: make timingSafeEqual faster for Uint8Array" (Tobias Nießen) #​53390
• [b774544bb1] - deps: enable unbundling of simdjson, simdutf, ada (Daniel Lemire) #​52924
• [da4dbfc5fd] - doc: remove reference to AUTHORS file (Marco Ippolito) #​52960
• [2f3f2ff8af] - doc: update hljs with the latest styles (Aviv Keller) #​52911
• [3a1d17a9b1] - doc: mention quicker way to build docs (Alex Crawford) #​52937
• [be309bd19d] - doc: mention push.followTags config (Rafael Gonzaga) #​52906
• [e62c6e2684] - doc: document pipeline with end option (Alois Klink) #​48970
• [af27225cf6] - doc: add example for execFileSync method and ref to stdio (Evan Shortiss) #​39412
• [086626f9b1] - doc: add examples and notes to http server.close et al (mary marchini) #​49091
• [3aa3337a00] - doc: fix dns.lookup family 0 and all descriptions (Adam Jones) #​51653
• [585f2a2e7f] - doc: update fs.realpath documentation (sinkhaha) #​48170
• [4bf3d44e1d] - doc: update fs read documentation for clarity (Mert Can Altin) #​52453
• [ae5d47dde3] - doc: watermark string behavior (Benjamin Gruenbaum) #​52842
• [1e429d10d3] - doc: exclude commits with baking-for-lts (Marco Ippolito) #​52896
• [3df3e37cdb] - doc: add names next to release key bash commands (Aviv Keller) #​52878
• [12512c3d0e] - doc: add pimterry to collaborators (Tim Perry) #​52874
• [97e0fef019] - doc: add more definitions to GLOSSARY.md (Aviv Keller) #​52798
• [91fadac162] - doc: make docs more welcoming and descriptive for newcomers (Serkan Özel) #​38056
• [a3b20126fd] - doc: add OpenSSL errors to API docs (John Lamp) #​34213
• [9587ae9b5b] - doc: simplify copy-pasting of branch-diff commands (Antoine du Hamel) #​52757
• [6ea72a53c3] - doc: add test_runner to subsystem (Raz Luvaton) #​52774
• [972eafd983] - events: update MaxListenersExceededWarning message log (sinkhaha) #​51921
• [74753ed1fe] - events: add stop propagation flag to Event.stopImmediatePropagation (Mickael Meausoone) #​39463
• [75dd009649] - events: replace NodeCustomEvent with CustomEvent (Feng Yu) #​43876
• [7d38c2e012] - fs: keep fs.promises.readFile read until EOF is reached (Zhenwei Jin) #​52178
• [8cb13120d3] - (SEMVER-MINOR) inspector: introduce the --inspect-wait flag (Kohei Ueno) #​52734
• [d5ab1de1fd] - meta: move @anonrig to TSC regular member (Yagiz Nizipli) #​52932
• [f82d086e90] - path: fix toNamespacedPath on Windows (Hüseyin Açacak) #​52915
• [121ea13b50] - process: improve event-loop (Aras Abbasi) #​52108
• [eceac784aa] - repl: fix disruptive autocomplete without inspector (Nitzan Uziely) #​40661
• [89a910be82] - src: fix Worker termination in inspector.waitForDebugger (Daeyeon Jeong) #​52527
• [033f985e8a] - src: use S_ISDIR to check if the file is a directory (theanarkh) #​52164
• [95128399f8] - src: allow preventing debug signal handler start (Shelley Vohr) #​46681
• [b162aeae9e] - src: fix typo Unabled -> Unable (Simon Siefke) #​52820
• [2dcbf1894a] - src: avoid unused variable 'error' warning (Michaël Zasso) #​52886
• [978ee0a635] - src: only apply fix in main thread (Paolo Insogna) #​52702
• [8fc52b38c6] - src: fix test local edge case (Paolo Insogna) #​52702
• [d02907ecc4] - src: remove misplaced windows code under posix guard in node.cc (Ali Hassan) #​52545
• [af29120fa7] - stream: use ByteLengthQueuingStrategy when not in objectMode (Jason) #​48847
• [a5f3dd137c] - string_decoder: throw an error when writing a too long buffer (zhenweijin) #​52215
• [65fa95d57d] - test: add Debugger.setInstrumentationBreakpoint known issue (Konstantin Ulitin) #​31137
• [0513e07805] - test: use for-of instead of forEach (Gibby Free) #​49790
• [1d01325928] - test: verify request payload is uploaded consistently (Austin Wright) #​34066
• [7dda156872] - test: add fuzzer for native/js string conversion (Adam Korczynski) #​51120
• [5fb829b340] - test: add fuzzer for ClientHelloParser (AdamKorcz) #​51088
• [cc74bf789f] - test: fix broken env fuzzer by initializing process (AdamKorcz) #​51080
• [800b6f65cf] - test: replace forEach() in test-stream-pipe-unpipe-stream (Dario) #​50786
• [d08c9a6a31] - test: test pipeline end on transform streams (Alois Klink) #​48970
• [0be8123ede] - test: improve coverage of lib/readline.js (Rongjian Zhang) #​38646
• [410224415c] - test: updated for each to for of in test file (lyannel) #​50308
• [556e9a2127] - test: move test-http-server-request-timeouts-mixed to sequential (Madhuri) #​45722
• [0638274c07] - test: fix DNS cancel tests (Szymon Marczak) #​44432
• [311bdc62bd] - test: add http agent to executionAsyncResource (psj-tar-gz) #​34966
• [6001b164ab] - test: reduce memory usage of test-worker-stdio (Adam Majer) #​37769
• [986bfa26e9] - test: add common.expectRequiredModule() (Joyee Cheung) #​52868
• [2246d4fd1e] - test: crypto-rsa-dsa testing for dynamic openssl (Michael Dawson) #​52781
• [1dce5dea0b] - test: skip some console tests on dumb terminal (Adam Majer) #​37770
• [0addeb240c] - test: skip v8-updates/test-linux-perf-logger (Michaël Zasso) #​52821
• [56e19e38f3] - test: drop test-crypto-timing-safe-equal-benchmarks (Rafael Gonzaga) #​52751
• [0c5e58958c] - test, crypto: use correct object on assert (响马) #​51820
• [d54aa47ec1] - (SEMVER-MINOR) test_runner: support test plans (Colin Ihrig) #​52860
• [0289a023a5] - test_runner: fix watch mode race condition (Moshe Atlow) #​52954
• [cf817e192e] - test_runner: preserve hook promise when executed twice (Moshe Atlow) #​52791
• [de541235fe] - tools: fix v8-update workflow (Michaël Zasso) #​52957
• [f6290bc327] - tools: add --certify-safe to nci-ci (Matteo Collina) #​52940
• [0830b3115d] - tools: fix doc update action (Marco Ippolito) #​52890
• [9d485b40bb] - (SEMVER-MINOR) tools: fix get_asan_state() in tools/test.py (Joyee Cheung) #​52766
• [e98c305f52] - (SEMVER-MINOR) tools: support max_virtual_memory test configuration (Joyee Cheung) #​52766
• [dce0300896] - (SEMVER-MINOR) tools: support != in test status files (Joyee Cheung) #​52766
• [57006001ec] - tools: prepare custom rules for ESLint v9 (Michaël Zasso) #​52889
• [403a4a7557] - tools: update lint-md-dependencies to rollup@4.17.2 (Node.js GitHub Bot) #​52836
• [01eff5860e] - tools: update gr2m/create-or-update-pull-request-action (Antoine du Hamel) #​52843
• [514f01ed59] - tools: use sccache GitHub action (Michaël Zasso) #​52839
• [8f8fb91927] - tools: specify a commit-message for V8 update workflow (Antoine du Hamel) #​52844
• [b83fbf8709] - tools: fix V8 update workflow (Antoine du Hamel) #​52822
• [be9d6f2176] - url,tools,benchmark: replace deprecated substr() (Jungku Lee) #​51546
• [7603a51d45] - util: fix %s format behavior with Symbol.toPrimitive (Chenyu Yang) #​50992
• [d7eba50cf3] - util: improve isInsideNodeModules (uzlopak) #​52147
• [4ae4f7e517] - watch: allow listening for grouped changes (Matthieu Sieben) #​52722
• [1ff8f318c0] - watch: enable passthrough ipc in watch mode (Zack) #​50890
• [739adf90b1] - watch: fix arguments parsing (Moshe Atlow) #​52760
• [5161d95c30] - (SEMVER-MINOR) zlib: expose zlib.crc32() (Joyee Cheung) #​52692

v20.14.0

Compare Source

v20.13.1: 2024-05-09, Version 20.13.1 'Iron' (LTS), @​marco-ippolito

Compare Source

2024-05-09, Version 20.13.1 'Iron' (LTS), @​marco-ippolito

Revert "tools: install npm PowerShell scripts on Windows"

Due to a regression in the npm installation on Windows, this commit reverts the change that installed npm PowerShell scripts on Windows.

Commits

• [b7d80802cc] - Revert "tools: install npm PowerShell scripts on Windows" (marco-ippolito) #​52897

v20.13.0

Compare Source

v20.12.2: 2024-04-10, Version 20.12.2 'Iron' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [69ffc6d50d] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#563

v20.12.1

Compare Source

v20.12.0

Compare Source

v20.11.1

Compare Source

v20.11.0

Compare Source

v20.10.0

Compare Source

v20.9.0

Compare Source

v20.8.1: 2023-10-13, Version 20.8.1 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-44487: nghttp2 Security Release (High)
• CVE-2023-45143: undici Security Release (High)
• CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
• CVE-2023-39331: Permission model improperly protects against path traversal (High)
• CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
• CVE-2023-39333: Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.

Commits

• [c86883e844] - deps: update nghttp2 to 1.57.0 (James M Snell) #​50121
• [2860631359] - deps: update undici to v5.26.3 (Matteo Collina) #​50153
• [cd37838bf8] - lib: let deps require node prefixed modules (Matthew Aitken) #​50047
• [f5c90b2951] - module: fix code injection through export names (Tobias Nießen) nodejs-private/node-private#461
• [fa5dae1944] - permission: fix Uint8Array path traversal (Tobias Nießen) nodejs-private/node-private#456
• [cd35275111] - permission: improve path traversal protection (Tobias Nießen) nodejs-private/node-private#456
• [a4cb7fc7c0] - policy: use tamper-proof integrity check function (Tobias Nießen) nodejs-private/node-private#462

v20.8.0: 2023-09-28, Version 20.8.0 (Current), @​ruyadorno

Compare Source

Notable Changes

Stream performance improvements

Performance improvements to writable and readable streams, improving the creation and destruction by ±15% and reducing the memory overhead each stream takes in Node.js

Contributed by Benjamin Gruenbaum in #​49745 and Raz Luvaton in #​49834.

Performance improvements for readable webstream, improving readable stream async iterator consumption by ±140% and improving readable stream pipeTo consumption by ±60%

Contributed by Raz Luvaton in #​49662 and #​49690.

Rework of memory management in vm APIs with the importModuleDynamically option

This rework addressed a series of long-standing memory leaks and use-after-free issues in the following APIs that support importModuleDynamically:

• vm.Script
• vm.compileFunction
• vm.SyntheticModule
• vm.SourceTextModule

This should enable affected users (in particular Jest users) to upgrade from older versions of Node.js.

Contributed by Joyee Cheung in #​48510.

Other notable changes

• [32d4d29d02] - deps: add v8::Object::SetInternalFieldForNodeCore() (Joyee Cheung) #​49874
• [0e686d096b] - doc: deprecate fs.F_OK, fs.R_OK, fs.W_OK, fs.X_OK (Livia Medeiros) #​49683
• [a5dd057540] - doc: deprecate util.toUSVString (Yagiz Nizipli) #​49725
• [7b6a73172f] - doc: deprecate calling promisify on a function that returns a promise (Antoine du Hamel) #​49647
• [1beefd5f16] - esm: set all hooks as release candidate (Geoffrey Booth) #​49597
• [b0ce78a75b] - module: fix the leak in SourceTextModule and ContextifySript (Joyee Cheung) #​48510
• [4e578f8ab1] - module: fix leak of vm.SyntheticModule (Joyee Cheung) #​48510
• [69e4218772] - module: use symbol in WeakMap to manage host defined options (Joyee Cheung) #​48510
• [14ece0aa76] - (SEMVER-MINOR) src: allow embedders to override NODE_MODULE_VERSI

---

Configuration

📅 Schedule: Branch creation - "before 3am on Monday" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: eslint-plugin-import@2.25.4
npm ERR! Found: eslint@9.2.0
npm ERR! node_modules/eslint
npm ERR!   dev eslint@"9.2.0" from the root project
npm ERR!   peer eslint@">= 4.12.1" from babel-eslint@10.1.0
npm ERR!   node_modules/babel-eslint
npm ERR!     dev babel-eslint@"10.1.0" from the root project
npm ERR!   1 more (@eslint-community/eslint-utils)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer eslint@"^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8" from eslint-plugin-import@2.25.4
npm ERR! node_modules/eslint-plugin-import
npm ERR!   dev eslint-plugin-import@"2.25.4" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: eslint@8.57.0
npm ERR! node_modules/eslint
npm ERR!   peer eslint@"^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8" from eslint-plugin-import@2.25.4
npm ERR!   node_modules/eslint-plugin-import
npm ERR!     dev eslint-plugin-import@"2.25.4" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /tmp/renovate/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /tmp/renovate/cache/others/npm/_logs/2024-05-03T19_52_56_391Z-debug-0.log