Update Node.js to v14.15.4
Created by: renovate[bot]
This PR contains the following updates:
| Package | Type | Update | New value | References | Sourcegraph |
|---|---|---|---|---|---|
| node | patch | 14.15.4 | source |  |
|
| node | engines | patch | ^v14.15.4 | source | |
Release Notes
nodejs/node
v14.15.4
This is a security release.
Notable Changes
Vulnerabilities fixed:
-
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
-
CVE-2020-8265: use-after-free in TLSWrap (High)
- Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
-
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
- Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
Commits
- [
305c0f4977] - deps: upgrade npm to 6.14.10 (Ruy Adorno) #36571 - [
d62c650f75] - deps: update archs files for OpenSSL-1.1.1i (Myles Borins) #36521 - [
2de2672eb5] - deps: upgrade openssl sources to 1.1.1i (Myles Borins) #36521 - [
7ecac8143f] - http: add test for http transfer encoding smuggling (Matteo Collina) nodejs-private/node-private#228 - [
641f786bb1] - http: unsetF_CHUNKEDon newTransfer-Encoding(Matteo Collina) nodejs-private/node-private#228 - [
4f8772f9b7] - src: retain pointers to WriteWrap/ShutdownWrap (James M Snell) nodejs-private/node-private#23
v14.15.3
Notable Changes
Node.js v14.15.2 included a commit that has caused reported breakages when cloning request objects. This release reverts the commit that introduced the behaviour change. See #36550 for more details.
Commits
- [
4264d9aa67] - Revert "http: lazy create IncomingMessage.headers" (Beth Griggs) #36553
v14.15.2
Notable Changes
- deps:
- doc: add release key for Danielle Adams (Danielle Adams) #35545
- http2: check write not scheduled in scope destructor (David Halls) #36241
- stream: fix regression on duplex end (Momtchil Momtchev) #35941
Commits
- [
c508bfc66b] - assert: refactor to use more primordials (Antoine du Hamel) #35998 - [
a9d3a0df29] - assert,repl: enable ecmaVersion 2021 in acorn parser (Michaël Zasso) #35827 - [
6d43c8dd69] - async_hooks: refactor to use more primordials (Antoine du Hamel) #36168 - [
029ea16a24] - async_hooks: fix leak in AsyncLocalStorage exit (Stephen Belanger) #35779 - [
d49e0ca73a] - benchmark: fix build warnings (Gabriel Schulhof) #36157 - [
d027be0551] - benchmark: ignore build artifacts for napi addons (Richard Lau) #35970 - [
fdb1c0d31c] - benchmark: remove modules that require intl (Richard Lau) #35968 - [
f6487960b5] - benchmark: make the benchmark tool work with Node 10 (Joyee Cheung) #35817 - [
21d3ccf5df] - benchmark: add startup benchmark for loading public modules (Joyee Cheung) #35816 - [
0477e000bf] - bootstrap: refactor to use more primordials (Antoine du Hamel) #35999 - [
699bb348d9] - build: replace which with command -v (raisinten) #36118 - [
304e269001] - build: try “python3” as a last resort for 3.x (Ole André Vadla Ravnås) #35983 - [
6bafe04911] - build: conditionally clear vcinstalldir (Brian Ingenito) #36009 - [
f498127c41] - build: fix zlib inlining for IA-32 (raisinten) #35679 - [
f33fa264cc] - build: fix lint-js-fix target (Antoine du Hamel) #35927 - [
67d31827ac] - build: add vcbuilt test-doc target (Antoine du Hamel) #35708 - [
2a8c2ddcb1] - build: add license-builder GitHub Action (Tierney Cyren) #35712 - [
6c61b9372b] - build: use make functions instead of echo (Antoine du Hamel) #35707 - [
4813d913e3] - build: use GITHUB_ENV file to set env variables (Michaël Zasso) #35638 - [
71e0f33751] - build: do not install jq in workflows (Michaël Zasso) #35638 - [
8ab7f258d4] - build, tools: look for local installation of NASM (Richard Lau) #36014 - [
50552facb7] - build,tools: gitHub Actions: use Node.js Fermium (Antoine du Hamel) #35840 - [
77b7c985f6] - build,tools: add lint-js-doc target (Antoine du Hamel) #35708 - [
929e1272ee] - cluster: refactor to use more primordials (Antoine du Hamel) #36011 - [
568e6177c9] - console: use more primordials (Antoine du Hamel) #35734 - [
6cea3152fe] - deps: upgrade npm to 6.14.9 (Myles Borins) #36450 - [
d2ee676eb9] - deps: cherry-pick9a49b22from V8 upstream (Daniel Bevenius) #35939 - [
7367e6c6be] - deps: update acorn to v8.0.4 (Michaël Zasso) #35791 - [
4937a34be6] - deps: fix typo in zlib.gyp that break arm-fpu-neon build (lucasg) #35659 - [
1e8dfb9d2c] - deps: upgrade to [email protected] (Guy Bedford) #35928 - [
0356963f0e] - deps: update to [email protected] (Guy Bedford) #35901 - [
172be4ffe0] - deps: upgrade to [email protected] (Guy Bedford) #35871 - [
1f7740691d] - deps: update to [email protected] (Guy Bedford) #35745 - [
47bd445e56] - doc: remove stray comma in url.md (Rich Trott) #36175 - [
2f76a75fc6] - doc: revise agent.destroy() text (Rich Trott) #36163 - [
72fb6f88ab] - doc: add compatibility/interop technical value (Geoffrey Booth) #35323 - [
f5efd54727] - doc: de-emphasize wrapping in napi_define_class (Gabriel Schulhof) #36159 - [
8a7c2b951d] - doc: clarify text about process not responding (Rich Trott) #36117 - [
800e1db83d] - doc: esm docs consolidation and reordering (Guy Bedford) #36046 - [
4fad888fe1] - doc: move shigeki to emeritus (Rich Trott) #36093 - [
c088434b4d] - doc: document the error when cwd not exists in child_process.spawn (FeelyChau) #34505 - [
4dbbbaa2e9] - doc: fix typo in debugger.md (Rich Trott) #36066 - [
d796bc7348] - doc: update list styles for remark-parse@9 rendering (Rich Trott) #36049 - [
6daf204f32] - doc: escape asterisk in cctest gtest-filter (raisinten) #36034 - [
9470bf5872] - doc: move v8.getHeapCodeStatistics() (Rich Trott) #36027 - [
30cd797c15] - doc: add note regarding file structure in src/README.md (Denys Otrishko) #35000 - [
cddcfcde9f] - doc: advise users to import the full set of trusted release keys (Reşat SABIQ) #32655 - [
1ca1f262a5] - doc: fix crypto doc linter errors (Antoine du Hamel) #36035 - [
b11725eb9e] - doc: revise v8.getHeapSnapshot() (Rich Trott) #35849 - [
990facbc3e] - doc: update core-validate-commit link in guide (Daijiro Wachi) #35938 - [
773685c2a4] - doc: update benchmark CI test indicator in README (Rich Trott) #35945 - [
c90571ff2a] - doc: add new wordings to the API description (Pooja D.P) #35588 - [
6259c2d231] - doc: option --prof documentation help added (krank2me) #34991 - [
98e4b77b89] - doc: fix release-schedule link in backport guide (Daijiro Wachi) #35920 - [
51ce1a2fa8] - doc: update tables in README files for linting changes (Rich Trott) #35905 - [
513bed2776] - doc: temporarily disable list-item-bullet-indent (Nick Schonning) #35647 - [
733c9da1e9] - doc: disable no-undefined-references workarounds (Nick Schonning) #35647 - [
6e1612fa15] - doc: adjust table alignment for remark v13 (Nick Schonning) #35647 - [
a15dede26d] - doc: move bnoordhuis to emeritus (Ben Noordhuis) #35865 - [
26e42939f2] - doc: add on statement in the APIs docs (Pooja D.P) #35610 - [
9486f5fc37] - doc: move ronkorving to emeritus (Rich Trott) #35828 - [
3f3d2d781b] - doc: recommend test-doc instead of lint-md (Antoine du Hamel) #35708 - [
8131d954d9] - doc: fix reference to googletest test fixture (Tobias Nießen) #35813 - [
34d6ca3bef] - doc: add conditional example for setBreakpoint() (Chris Opperwall) #35823 - [
29849743b8] - doc: make small improvements to REPL doc (Rich Trott) #35808 - [
02f9a2a77a] - doc: update MessagePort documentation for EventTarget inheritance (Anna Henningsen) #35839 - [
9c7d4bd0f3] - doc: use case-sensitive in the example (Pooja D.P) #35624 - [
600cffae3c] - doc: consolidate and clarify breakOnSigInt text (Rich Trott) #35787 - [
0de3f564b2] - doc: add a subsystems header in pull-requests.md (Pooja D.P) #35718 - [
47b4b2be29] - doc: add require statement in the example (Pooja D.P) #35554 - [
77cfcba7c8] - doc: modified memory set statement set size (Pooja D.P) #35517 - [
41937f76f0] - doc: use kbd element in readline doc prose (Rich Trott) #35737 - [
eee62b05f6] - doc: fix header level in fs.md (ax1) #35771 - [
63533d7d56] - doc: remove stability warning in v8 module doc (Rich Trott) #35774 - [
62bf1a63d6] - doc: mark optional parameters in timers.md (Vse Mozhe Buty) #35764 - [
4dc5e4a354] - doc: add a example code to API doc property (Pooja D.P) #35738 - [
8ef0652566] - doc: update console.error example (Lee, Bonggi) #34964 - [
47ba12265e] - doc: improve text for breakOnSigint (Rich Trott) #35692 - [
c0d9756163] - doc: this prints replaced with this is printed (Pooja D.P) #35515 - [
2feb86e635] - doc: update package.json field definitions (Myles Borins) #35741 - [
d0d67c67c0] - doc: add Installing Node.js header in BUILDING.md (Pooja D.P) #35710 - [
7c089ad04c] - doc: use kbd element in readline doc (Rich Trott) #35698 - [
ba623ef35a] - doc: add release key for Danielle Adams (Danielle Adams) #35545 - [
df4043bed3] - doc: use kbd element in os doc (Rich Trott) #35656 - [
4d72e982de] - doc: add a statement in the documentation. (Pooja D.P) #35585 - [
238885288d] - doc: clarify experimental API elements in vm.md (Rich Trott) #35594 - [
806a269a83] - doc: importModuleDynamically gets Script, not Module (Simen Bekkhus) #35593 - [
6c4e697f56] - doc: fix EventEmitter examples (Sourav Shaw) #33513 - [
f6ebd81693] - doc: add example code for process.getgroups() (Pooja D.P) #35625 - [
2c342662e5] - doc: use kbd element in tty doc (Rich Trott) #35613 - [
f723335f9e] - doc: remove documentation for stream._construct() (Luigi Pinca) #36119 - [
e71b4baa88] - doc: Remove reference to io.js (Hussaina Begum Nandyala) #35618 - [
4faf71b474] - doc,crypto: added sign/verify method changes about dsaEncoding (Filip Skokan) #35480 - [
e9d485f878] - doc,esm: document experimental warning removal (Antoine du Hamel) #35750 - [
17c3fc67cf] - doc,fs: document value of stats.isDirectory on symbolic links (coderaiser) #27413 - [
fc17ead531] - doc,net: document socket.timeout (Brandon Kobel) #34543 - [
dc589b541f] - doc,src,test: revise C++ code for linter update (Rich Trott) #35719 - [
0a944a42c0] - doc,stream: write(chunk, encoding, cb) encoding can be null (dev-script) #35372 - [
be79250aad] - doc,test: update v8 method doc and comment (Rich Trott) #35795 - [
8fdf077efc] - doc,url: fix url.hostname example (Rishabh Mehan) #33735 - [
3a08afc402] - domain: refactor to use more primordials (Antoine du Hamel) #35885 - [
8d672b8e53] - esm: refactor to use more primordials (Antoine du Hamel) #36019 - [
570a8bfe12] - events: port some wpt tests (Benjamin Gruenbaum) #33621 - [
8ef4557c65] - events: make eventTarget.removeAllListeners() return this (Luigi Pinca) #35805 - [
d27e56356b] - fs: remove experimental from promises.rmdir recursive (Anders Kaseorg) #36131 - [
8d84bdc46b] - fs: filehandle read now accepts object as argument (Nikola Glavina) #34180 - [
7c3b6f17e3] - fs: replace finally with PromisePrototypeFinally (Baruch Odem (Rothkoff)) #35995 - [
2f692c4cc6] - fs: remove unnecessary Function#bind() in fs/promises (Ben Noordhuis) #35208 - [
5f0c8142b7] - fs: remove unused assignment (Rich Trott) #35642 - [
e2b8734d20] - gyp,build: consistent shared library location (Rod Vagg) #35635 - [
45aee0d25e] - http: fix typo in comment (Hollow Man) #36193 - [
b58725c4c0] - http: lazy create IncomingMessage.headers (Robert Nagy) #35281 - [
71c3efe278] - http2: check write not scheduled in scope destructor (David Halls) #36241 - [
ab2b066fc1] - http2: delay session.receive() by a tick (Szymon Marczak) #35985 - [
c4e17cfa25] - http2: add has method to proxySocketHandler (masx200) #35197 - [
c455b848d9] - http2: centralise socket event binding in Http2Session (Momtchil Momtchev) #35772 - [
dce01fd27f] - http2: move events to the JSStreamSocket (Momtchil Momtchev) #35772 - [
92bd7b522a] - http2: fix error stream write followed by destroy (David Halls) #35951 - [
ec9fae96bc] - http2: fix reinjection check (Momtchil Momtchev) #35678 - [
57f2fe0609] - http2: reinject data received before http2 is attached (Momtchil Momtchev) #35678 - [
2dbaaf92e5] - http2: remove unsupported %.* specifier (Momtchil Momtchev) #35694 - [
de3c8045ac] - lib: refactor to use more primordials (Antoine du Hamel) #35875 - [
41d997cc72] - lib: use primordials when calling methods of Error (Antoine du Hamel) #35837 - [
d58a466da0] - lib: honor setUncaughtExceptionCaptureCallback (Gireesh Punathil) #35595 - [
1fdf72765b] - module: only try to enrich CJS syntax errors (Michaël Zasso) #35691 - [
81b0562c62] - n-api: clean up binding creation (Gabriel Schulhof) #36170 - [
7a01e241ee] - n-api: fix test_async_context warnings (Gabriel Schulhof) #36171 - [
dde727e72f] - n-api: improve consistency of how we get context (Michael Dawson) #36068 - [
08657e7e11] - n-api: factor out calling pattern (Gabriel Schulhof) #36113 - [
88aa4e0d25] - n-api: unlink reference during its destructor (Gabriel Schulhof) #35933 - [
1cb50c17d3] - n-api: napi_make_callback emit async init with resource of async_context (legendecas) #32930 - [
f1e84f4dd8] - n-api: revert change to finalization (Michael Dawson) #35777 - [
e16124979d] - querystring: reduce memory usage by Int8Array (sapics) #34179 - [
5c81a1071e] - src: refactor using-declarations node_env_var.cc (raisinten) #36128 - [
2770cd941e] - src: remove duplicate logic for getting buffer (Yash Ladha) #34553 - [
f2300390aa] - src: create helper for reading Uint32BE (Juan José Arboleda) #34944 - [
34c870e9f0] - src: use MaybeLocal.ToLocal instead of IsEmpty (Daniel Bevenius) #35716 - [
00d9499b14] - src: large pages support in illumos/solaris systems (David Carlier) #34320 - [
7c99885a9b] - stream: fix thrown object reference (Gil Pedersen) #36065 - [
1cefb7e710] - stream: fix regression on duplex end (Momtchil Momtchev) #35941 - [
d1fd3f27e4] - stream: remove redundant context from comments (Yash Ladha) #35728 - [
fb14acb22c] - stream: move to internal/streams (Matteo Collina) #35239 - [
40d59281f7] - test: update comments in test-fs-read-offset-null (Rich Trott) #36152 - [
a563f79d80] - test: fix typo in inspector-helper.js (Luigi Pinca) #36127 - [
3e77536c6b] - test: deflake test-http-destroyed-socket-write2 (Luigi Pinca) #36120 - [
402e29a87c] - test: make test-http2-client-jsstream-destroy.js reliable (Rich Trott) #36129 - [
b6aa42c349] - test: add test for fs.read when offset key is null (mayank agarwal) #35918 - [
8516c2ef90] - test: improve test-stream-duplex-readable-end (Luigi Pinca) #36056 - [
b53068ec0d] - test: add util.inspect test for null maxStringLength (Rich Trott) #36086 - [
3029872631] - test: replace var with const (Aleksandr Krutko) #36069 - [
b05cdfee64] - test: remove flaky designation for fixed test (Rich Trott) #35961 - [
002005f537] - test: improve error message for policy failures (Bradley Meck) #35633 - [
1453de1381] - test: update old comment style test_util.cc (raisinten) #35884 - [
de375e16f4] - test: add missing ref comments to parallel.status (Rich Trott) #35896 - [
cab65fbe63] - test: mark test-worker-eventlooputil flaky (Myles Borins) #35886 - [
4ed4b64293] - test: mark test-http2-respond-file-error-pipe-offset flaky (Myles Borins) #35883 - [
a5b94180fe] - test: fix reference to WPT testharness.js (Tobias Nießen) #35814 - [
3bb7f3602b] - test: add onerror test cases to policy (Daijiro Wachi) #35797 - [
0aba12218a] - test: add upstream test cases to encoding (Daijiro Wachi) #35794 - [
f535d6252f] - test: add test for listen callback runtime binding (H Adinarayana) #35657 - [
d62e72b341] - test: refactor test-https-host-headers (himself65) #32805 - [
70cb70812d] - test: add common.mustSucceed (Tobias Nießen) #35086 - [
226c1800a8] - test: check for AbortController existence (James M Snell) #35616 - [
41aac465cc] - timers: correct explanation in comment (Turner Jabbour) #35437 - [
713d1ebe75] - tools: bump [email protected] to [email protected] (Rich Trott) #36106 - [
127a4fb810] - tools: only use 2 cores for macos action (Myles Borins) #36169 - [
75e49b833b] - tools: remove bashisms from license builder script (Antoine du Hamel) #36122 - [
28d6283f96] - tools: hide commit queue action link (Antoine du Hamel) #36124 - [
b7441ea4d2] - tools: update doc tools to [email protected] (Rich Trott) #36049 - [
5a41282ef5] - tools: enforce use of single quotes in editorconfig (Antoine du Hamel) #36020 - [
23dd2b00dd] - tools: fix config serialization w/ long strings (Ole André Vadla Ravnås) #35982 - [
4664681220] - tools: don't print gold linker warning w/o flag (Myles Borins) #35955 - [
dfd6ad9d99] - tools: refloat 7 Node.js patches to cpplint.py (Rich Trott) #35866 - [
d177cb3993] - tools: bump cpplint to 1.5.1 (Rich Trott) #35866 - [
b19a85ed2a] - tools: add update-npm script (Myles Borins) #35822 - [
07e5d35d14] - tools: refloat 7 Node.js patches to cpplint.py (Rich Trott) #35719 - [
c7301533de] - tools: bump cpplint to 1.5.0 (Rich Trott) #35719 - [
985efdfa09] - tools: update gyp-next to v0.6.2 (Michaël Zasso) #35690 - [
baca8ee873] - tools: update gyp-next to v0.6.0 (Ujjwal Sharma) #35635 - [
3e7598da9b] - tools,doc: enable ecmaVersion 2021 in acorn parser (Antoine du Hamel) #35994 - [
dfb353b882] - util: fix to inspect getters that access this (raisinten) #36052 - [
1906f19e49] - vm: refactor to use more primordials (Antoine du Hamel) #36023 - [
ffe517b40d] - win, build: fix build time on Windows (Bartosz Sosnowski) #35932 - [
c4c8541621] - win,build,tools: support VS prerelease (Baruch Odem) #36033 - [
f59e225675] - zlib: test BrotliCompress throws invalid arg value (raisinten) #35830
Renovate configuration
-
If you want to rebase/retry this PR, check this box
This PR has been generated by WhiteSource Renovate. View repository job log here.