SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for npm18-18.20.4-lp155.10.4.x86_64.rpm :

* Fri Jul 12 2024 Adam Majer - Update to 18.20.4
* Bypass incomplete fix of CVE-2024-27980 (bsc#1227560, CVE-2024-36138)
* Bypass network import restriction via data URL (bsc#1227554, CVE-2024-22020)
* Tue May 28 2024 Adam Majer - Update to 18.20.3:
* This release fixes a regression introduced in Node.js 18.19.0 where http.server.close() was incorrectly closing idle connections.
* deps: + acorn updated to 8.11.3. + acorn-walk updated to 8.3.2. + ada updated to 2.7.8. + c-ares updated to 1.28.1. + corepack updated to 0.28.0. + nghttp2 updated to 1.61.0. + ngtcp2 updated to 1.3.0. + npm updated to 10.7.0. Includes a fix from npmAATT10.5.1 to limit the number of open connections npm/cli#7324. + simdutf updated to 5.2.4.- Changes in 18.20.2:
* fixes bsc#1222665, CVE-2024-27980 - windows only bug- versioned.patch, npm_search_paths.patch: refreshed
* Tue Apr 09 2024 Adam Majer - Update to 18.20.1:
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) (bsc#1222244)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation- (Medium) (bsc#1222384)
* updated dependencies: + llhttp version 9.2.1 + undici version 5.28.4 (bsc#1222530, bsc#1222603, CVE-2024-30260, CVE-2024-30261)- cares_sle12_capabilities.patch: no get_random() on sle12
* Tue Apr 02 2024 Adam Majer - Update to 18.20.0:
* Added support for import attributes
* vm: fix V8 compilation cache support for vm.Script- versioned.patch: refreshed
* Fri Feb 16 2024 Adam Majer - Update to 18.19.1: (security updates)
* (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
* (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
* (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
* libuv version 1.48.0 (CVE-2024-24806, bsc#1220053)
* Tue Dec 19 2023 Adam Majer - sle12-node-gyp-addon-gypi.patch: added variant of node-gyp-addon-gypi.patch for SLE12 compatibility. node-gyp-addon-gypi.patch is for SLE15+
* Mon Dec 18 2023 Adam Majer - 18.19.0- Update to LTS version 18.19.0
* deps: npm updates to 10.x
* esm: + Leverage loaders when resolving subsequent loaders + import.meta.resolve unflagged + --experimental-default-type flag to flip module defaults For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md- node-gyp-addon-gypi.patch, fix_ci_tests.patch, versioned.patch: refreshed
* Mon Oct 16 2023 Adam Majer - 18.18.2- Security update to version 18.18.2
* (CVE-2023-44487, bsc#1216190): nghttp2 Security Release
* (CVE-2023-45143, bsc#1216205): undici Security Release
* (CVE-2023-38552, bsc#1216272): Integrity checks according to policies can be circumvented
* (CVE-2023-39333, bsc#1216273): Code injection via WebAssembly export names
* Wed Oct 11 2023 Adam Majer - 18.18.1- Update to LTS version 18.18.1
* deps: libuv update in 18.18.0 broke webpack\'s thread-loader. This update should fix this.
* Tue Sep 19 2023 Adam Majer - Update to LTS version 18.18.0
* build: sync libuv header change
* deps: add missing thread-common.c in uv.gyp
* deps: upgrade to libuv 1.46.0
* doc: add atlowChemi to collaborators
* esm: add `--import` flag
* events: allow safely adding listener to abortSignal
* fs, stream: initial `Symbol.dispose` and `Symbol.asyncDispose` support
* net: add autoSelectFamily global getter and setter
* url: add value argument to has and delete methods- versioned.patch: refreshed
* Thu Aug 10 2023 Adam Majer - Update to LTS version 18.17.1 (security fixes). The following CVE were fixed:
* (CVE-2023-32002, bsc#1214150): Policies can be bypassed via Module._load (High)
* (CVE-2023-32006, bsc#1214156): Policies can be bypassed by module.constructor.createRequire (Medium)
* (CVE-2023-32559, bsc#1214154): Policies can be bypassed via process.binding (Medium)- Changes included in LTS version 18.17.0:
* dns: expose getDefaultResultOrder
* events: add getMaxListeners method
* fs: + add support for mode flag to specify the copy behavior + add recursive option to readdir and opendir + add support for mode flag to specify the copy behavior + implement byob mode for readableWebStream()
* http: + prevent writing to the body when not allowed by HTTP spec + remove internal error in assignSocket + add highWaterMark opt in http.createServer
* lib: + add webstreams to Duplex.from() + implement AbortSignal.any()
* module: + change default resolver to not throw on unknown scheme
* node-api: + define version 9 + deprecate napi_module_register
* stream: + preserve object mode in compose + add setter & getter for default highWaterMark
* test_runner: + add shorthands to `test` + support combining coverage reports + execute before hook on test + expose reporter for use in run api
* tools: update LICENSE and license-builder.sh
* url: implement URL.canParse
* wasi: no longer require flag to enable wasi- npm_search_paths.patch,fix_ci_tests.patch,versioned.patch: refreshed
* Wed Jun 21 2023 Adam Majer - Update to version 18.16.1 (security fixes only). The following CVEs are fixed in this release:
* (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
* (CVE-2023-30585, bsc#1212579): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* (CVE-2023-30588, bsc#1212581): Process interuption due to invalid Public Key information in x509 certificates (Medium)
* (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via Empty headers separated by CR (Medium)
* (CVE-2023-30590, bsc#1212583): DiffieHellman does not generate keys after setting a private key (Medium)
* c-ares security issues: + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (bsc#1211604) + CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS query IDs (bsc#1211605) + CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (bsc#1211606) + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)- fix_ci_tests.patch: increase default timeout on unit tests to 20min from 2min. This seems to have lead to build failures on some platforms, like s390x in Factory. (bsc#1211407)
* Thu Apr 13 2023 Adam Majer - Update to NodeJS 18.16.0 LTS version
* Add initial support for single executable applications
* Replace url parser with Ada
* buffer: add Buffer.copyBytesFrom- refreshed patches: versioned.patch linker_lto_jobs.patch
* Mon Mar 13 2023 Adam Majer - relax Requires to Suggests for alts on TW
* Wed Mar 08 2023 Adam Majer - 18.15.0- Update to NodeJS 18.15.0 LTS version:
* test_runner: + add initial code coverate support + add reporters
* fs: add statfs()
* buffer: add isAscii()- s390.patch, sysctl.patch: upstreamed and removed
* Thu Feb 23 2023 Adam Majer - node-gyp_7.1.2.tar.xz: added dependencies so they don\'t conflict with npm dependencies.
* Wed Feb 22 2023 Adam Majer - Update to NodeJS 18.14.2 LTS:
* deps: upgrade npm to 9.5.0 (bsc#1208744, CVE-2022-25881)
* deps: update undici to 5.20.0- Changes in version 18.14.1:
* fixes permissions policies can be bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
* fixes insecure loading of ICU data through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)
* fixes OpenSSL error handling issues in nodejs crypto library (bsc#1208483, CVE-2023-23919)
* updates undici to v5.19.1 + Fetch API in Node.js did not protect against CRLF injection in host headers + Regular Expression Denial of Service in Headers in Node.js fetch API (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)- versioned.patch: refreshed- sysctl.patch: unit test fixes
* Fri Feb 03 2023 Adam Majer - Update to NodeJS 18.14.0 LTS:
* deps: + update npm to 9.2.0
* http: + join authorization headers + improved timeout defaults handling
* stream: + implement finished() for ReadableStream and WritableStream- refreshed patches: linker_lto_jobs.patch, npm_search_paths.patch, versioned.patch
* Wed Feb 01 2023 Dominique Leuenberger - Do not use pkg_vcmp to decide BuildDependencies: this works based on \'installed packages\' which is not interpreted correctly by the scheduler. Rather switch to boolean dependencies.
* Wed Jan 25 2023 Adam Majer - Again use openssl-3, if available.- _constraints: reset aarch64 memory requirements back to original otherwise some unit tests can fail- s390.patch: fix unit test on s390 with patched zlib
* Mon Jan 16 2023 Adam Majer - Update to NodejJS 18.13.0 LTS:
* build: disable v8 snapshot compression by default
* crypto: update root certificates
* deps: update ICU to 72.1
* doc: + add doc-only deprecation for headers/trailers setters + add Rafael to the tsc + deprecate use of invalid ports in url.parse + deprecate url.parse()
* lib: drop fetch experimental warning
* net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options
* src: + add uvwasi version + add initial shadow realm support
* test_runner: + add t.after() hook + don\'t use a symbol for runHook()
* tls: + add \"ca\" property to certificate object
* util: + add fast path for utf8 encoding + improve textdecoder decode performance + add MIME utilities- new_python3.patch, icu721_fixes.patch: upstreamed, removed
* Fri Dec 23 2022 Guillaume GARDET - Update _constraints:
* Less RAM for aarch64 and 32-bit arm
* Use \'asimdrdm\' cpu flag to use aarch64 workers where tests are more stable
* Thu Nov 10 2022 Adam Majer - icu721_fixes.patch: fixes compatibility with ICU 72.1 (bsc#1205236)
* Mon Nov 07 2022 Adam Majer - Fix migration to openssl-3 (bsc#1205042)
* Mon Nov 07 2022 Adam Majer - Update to NodeJS 18.12.1 LTS:
* inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)
* Fri Oct 28 2022 Adam Majer - Update to NodeJS 18.12.0 LTS:
* Running in \'watch\' mode using node --watch restarts the process when an imported file is changed.
* fs: add FileHandle.prototype.readLines
* http: add writeEarlyHints function to ServerResponse
* http2: make early hints generic
* util: add default value option to parsearg
* Mon Oct 17 2022 Adam Majer - Update to NodeJS 18.11.0:
* added experimental watch mode -- running in \'watch\' mode using node --watch restarts the process when an imported file is changed
* fs: add FileHandle.prototype.readLines
* http: add writeEarlyHints function to ServerResponse
* http2: make early hints generic
* lib: refactor transferable AbortSignal
* src: add detailed embedder process initialization API
* util: add default value option to parsearg- legacy_python.patch, versioned.patch: updated
* Wed Oct 12 2022 Adam Majer - qemu_timeouts_arches.patch: set timeouts on riscv5 to 7x normal
* Fri Oct 07 2022 Dirk Müller - skip more tests for riscv64/qemu emulation
* Thu Sep 29 2022 Adam Majer - Update to NodeJS 18.10.0:
* deps: upgrade npm to 8.19.2
* http: throw error on content-length mismatch
* stream: add ReadableByteStream.tee()- openssl3_fixups.patch: upstreamed and removed
* Mon Sep 26 2022 Adam Majer - Update to Nodejs 18.9.1:
* deps: llhttp updated to 6.0.10 + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325) + Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215, bsc#1201327) + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
* crypto: fix weak randomness in WebCrypto keygen (CVE-2022-35255, bsc#1203831)
* Sat Sep 17 2022 Bruno Pitrus - Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.
* Thu Sep 15 2022 Adam Majer - Update to Nodejs 18.9.0:
* lib - add diagnostics channel for process and worker
* os - add machine method
* report - expose report public native apis
* src - expose environment RequestInterrupt api
* vm - include vm context in the embedded snapshot- Changes in 18.8.0:
* bootstrap: implement run-time user-land snapshots via - -build-snapshot and --snapshot-blob. See
* crypto: + allow zero-length IKM in HKDF and in webcrypto PBKDF2 + allow zero-length secret KeyObject
* deps: upgrade npm to 8.18.0
* http: make idle http parser count configurable
* net: add local family
* src: print source map error source on demand
* tls: pass a valid socket on tlsClientError- dns.patch: upstreamed, removed- nodejs-libpath.patch, versioned.patch: refreshed- fix_ci_tests.patch: partially upstreamed- openssl3_fixups.patch: fix unit tests with openssl 1.1.1- new_python3.patch: enable python 3.11 as valid interpreter
* Thu Aug 18 2022 Adam Majer - Update to Nodejs 18.7.0:
* events: add CustomEvent
* http: add drop request event for http server
* lib: improved diagnostics_channel subscribe/unsubscribe
* util: add tokens to parseArgs- enable crypto policy ciphers for TW and SLE15 SP4+ (bsc#1200303)
* Sun Jul 31 2022 Adam Majer - dns.patch: fix regression https://github.com/nodejs/node/issues/44003
* Sun Jul 24 2022 Adam Majer - Update to Nodejs 18.6.0:
* Experimental ESM Loader Hooks API. For details see, https://nodejs.org/api/esm.html
* dns: export error code constants from dns/promises
* esm: add chaining to loaders
* http: add diagnostics channel for http client
* http: add perf_hooks detail for http request and client
* module: add isBuiltIn method
* net: add drop event for net server
* test_runner: expose describe and it
* v8: add v8.startupSnapshot utils For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.6.0
* Mon Jul 11 2022 Adam Majer - Update to Nodejs 18.5.0:
* http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
* src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212) For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.5.0
* Tue Jun 28 2022 Adam Majer - Update to Nodejs 18.4.0. For detailed changes see, https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.4.0- refreshed: versioned.patch, linker_lto_jobs.patch, nodejs-libpath.patch
* Thu May 19 2022 Adam Majer - Initial packaging of Nodejs 18.2.0. For detailed changes since previous versions, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.2.0 Patches carried over from nodejs17: legacy_python.patch node-gyp-addon-gypi.patch openssl_binary_detection.patch test-skip-y2038-on-32bit-time_t.patch cares_public_headers.patch rsa-pss-revert.patch linker_lto_jobs.patch versioned.patch fix_ci_tests.patch manual_configure.patch npm_search_paths.patch skip_no_console.patch flaky_test_rerun.patch nodejs-libpath.patch sle12_python3_compat.patch
  
ICM