News from 2020
-
Node v12.18.1 (LTS)
- deps:
-
Node v10.21.0 (LTS)
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
- CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
-
Node v12.18.0 (LTS)
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
- CVE-2020-8174:
napi_get_value_string_*()
allows various kinds of memory corruption (High).
-
Node v14.4.0 (Current)
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
- CVE-2020-8174:
napi_get_value_string_*()
allows various kinds of memory corruption (High).
-
June 2020 Security Releases
Updates are now available for all supported Node.js release lines for the following issues.
The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the
https
agent caches sessions, so is vulnerable to this. - Node v12.17.0 (LTS)
- Node v14.3.0 (Current)
- Node v14.2.0 (Current)
-
Node v13.14.0 (Current)
- async_hooks:
- vm:
- Add
importModuleDynamically
option to compileFunction (Gus Caplan) #32985
- Add
-
Node v14.1.0 (Current)
- deps: upgrade openssl sources to 1.1.1g (Hassaan Pasha) #32971
- doc: add juanarbol as collaborator (Juan José Arboleda) #32906
- http: doc deprecate abort and improve docs (Robert Nagy) #32807
- module: do not warn when accessing
__esModule
of unfinished exports (Anna Henningsen) #33048 - n-api: detect deadlocks in thread-safe function (Gabriel Schulhof) #32860
- src: deprecate embedder APIs with replacements (Anna Henningsen) #32858
- stream:
- vm: add importModuleDynamically option to compileFunction (Gus Caplan) #32985
- Node v12.16.3 (LTS)
- Node v14.0.0 (Current)
- OpenSSL security releases do not require Node.js security releases
- Node v13.13.0 (Current)
- Node v10.20.1 (LTS)
- Node v12.16.2 (LTS)
- Node v10.20.0 (LTS)
- Changes to Release Schedule
- Node v13.12.0 (Current)
- Node v13.11.0 (Current)
- Node v13.10.1 (Current)
- Node v13.10.0 (Current)
- Node v13.9.0 (Current)
- Node v12.16.1 (LTS)
- Node v12.16.0 (LTS)
- February 2020 Security Releases
- Node v13.8.0 (Current)
- Node v12.15.0 (LTS)
- Node v10.19.0 (LTS)
- Node v13.7.0 (Current)
- Node v10.18.1 (LTS)
- Node v13.6.0 (Current)
- Node v12.14.1 (LTS)