Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Node.js v18.20.2 #5

Open
wants to merge 88 commits into
base: v18
Choose a base branch
from
Open

Node.js v18.20.2 #5

wants to merge 88 commits into from

Conversation

asana-kristoferbuno
Copy link

v18.20.2

RafaelGSS and others added 30 commits February 14, 2024 13:48
The warning message was inadvertently changed to a newer version of
g++ than the one being checked for when a refactor PR was merged to
v18.x-staging.

Refs: nodejs#47667
PR-URL: nodejs#51695
Reviewed-By: Ruy Adorno <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: nodejs#51792
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
PR-URL: nodejs#51799
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
PR-URL: nodejs#51800
Fixes: nodejs#51789
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Replace the setInterval with a queueMicrotask to make test less flaky.

Fixes: nodejs#51883
PR-URL: nodejs#51943
Reviewed-By: Joyee Cheung <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Paolo Insogna <[email protected]>
Original commit message:

    [symbol-as-weakmap-key] Implement Symbol as WeakMap Keys

    Allow non-registered symbols as keys in weakmap and weakset.
    Allow non-registered symbols as target and unregisterToken in
    WeakRef and FinalizationRegistry.

    Bug: v8:12947
    Change-Id: Ieb63bda66e3cc378879ac651e23300b71caed627
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3865056
    Reviewed-by: Dominik Inführ <[email protected]>
    Commit-Queue: Marja Hölttä <[email protected]>
    Reviewed-by: Jakob Linke <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83313}

Refs: v8/v8@c400af4
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message:

    [symbol-as-weakmap-key] Add tests to check weak collection size

    ... after gc.

    This CL also adds a runtime test function GetWeakCollectionSize
    to get the weak collection size.

    Bug: v8:12947
    Change-Id: I4aff39165a54b63b3d690bfea71c2a439da01d00
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3905071
    Reviewed-by: Marja Hölttä <[email protected]>
    Commit-Queue: 王澳 <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83464}

Refs: v8/v8@7f5daed
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message:

    [symbol-as-weakmap-key] Stage the feature

    Bug: v8:12947
    Change-Id: I0a151a6b301ee93675cc9f87a4fa24cb1be76462
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928061
    Auto-Submit: Shu-yu Guo <[email protected]>
    Commit-Queue: Marja Hölttä <[email protected]>
    Reviewed-by: Marja Hölttä <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83483}

Refs: v8/v8@9a98f96
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message:

    [symbol-as-weakmap-key] Fix DCHECKs and add CanBeHeldWeakly

    There are a few DCHECKs that weren't updated to allow for Symbols as
    weak collection keys. This CL updates those DCHECKs and also does the
    following refactors for clarity:

    - Add Object::CanBeHeldWeakly
    - Rename GotoIfCannotBeWeakKey -> GotoIfCannotBeHeldWeakly to align with
      spec AO name

    Bug: chromium:1370400, chromium:1370402, v8:12947
    Change-Id: I380840c8377497feae97e3fca37555dae0dcc255
    Fixed: chromium:1370400, chromium:1370402
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3928150
    Auto-Submit: Shu-yu Guo <[email protected]>
    Reviewed-by: Marja Hölttä <[email protected]>
    Commit-Queue: Marja Hölttä <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83507}

Refs: v8/v8@94e8282
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message:

    [inspector] Support Symbols in EntryPreview

    The Symbols-as-WeakMap-keys proposal allows non-Symbol.for Symbol values
    in weak collections, which means it can show in EntryPreviews.

    Also apparently Symbols in regular Maps and Sets were also unsupported.

    Bug: v8:13350, v8:12947
    Change-Id: Ib10476fa2f3c7f59af67933f0bf61640be1bbd97
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3930037
    Reviewed-by: Benedikt Meurer <[email protected]>
    Reviewed-by: Simon Zünd <[email protected]>
    Commit-Queue: Shu-yu Guo <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83518}

Refs: v8/v8@3dd9576
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message:

    [symbol-as-weakmap-key] Fix DCHECKs when clearing JS weakrefs

    Bug: chromium:1372500, v8:12947
    Fixed: chromium:1372500
    Change-Id: Id6330de5886e4ea72544b307c358e2190ea47d9c
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3942586
    Reviewed-by: Anton Bikineev <[email protected]>
    Commit-Queue: Shu-yu Guo <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#83632}

Refs: v8/v8@1fada6b
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
Original commit message:

    [symbol-as-weakmap-key] Ship the proposal

    I2S with 3 LGTMs:
    https://groups.google.com/a/chromium.org/g/blink-dev/c/E6pDZP_TiBA/m/ZcXLwiz8AAAJ

    Bug: v8:12947
    Change-Id: Ibce4abc8b0610afb2041d44cc9ed136db8b62c0d
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4004610
    Commit-Queue: Shu-yu Guo <[email protected]>
    Reviewed-by: Camillo Bruni <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#84128}

Refs: v8/v8@705e374
PR-URL: nodejs#51004
Reviewed-By: Chengzhong Wu <[email protected]>
PR-URL: nodejs#49855
Backport-PR-URL: nodejs#51004
Fixes: nodejs#49848
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
In preparation of https://chromium-review.googlesource.com/c/v8/v8/+/4707972
which changes the return value to v8::Data.

PR-URL: nodejs#48943
Backport-PR-URL: nodejs#51004
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
This is a non-ABI breaking solution for
v8/v8@b60a03d
and
v8/v8@0aa622e
which are necessary for backporting vm-related memory fixes to v18.x.

PR-URL: nodejs#49874
Backport-PR-URL: nodejs#51004
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Jiawen Geng <[email protected]>
There is no need to initialize the internal fields to undefined
and then initialize them to something else in the caller. Simply
pass the internal fields into the constructor to initialize
them just once.

PR-URL: nodejs#49391
Backport-PR-URL: nodejs#51004
Reviewed-By: Darshan Sen <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Previously when managing the importModuleDynamically callback of
vm.compileFunction(), we use an ID number as the host defined option
and maintain a per-Environment ID -> CompiledFnEntry map to retain
the top-level referrer function returned by vm.compileFunction() in
order to pass it back to the callback, but it would leak because with
how we used v8::Persistent to maintain this reference, V8 would not
be able to understand the cycle and would just think that the
CompiledFnEntry was supposed to live forever. We made an attempt
to make that reference known to V8 by making the CompiledFnEntry weak
and using a private symbol to make CompiledFnEntry strongly
references the top-level referrer function in
nodejs#46785, but that turned out to be
unsound, because the there's no guarantee that the top-level function
must be alive while import() can still be initiated from that
function, since V8 could discard the top-level function and only keep
inner functions alive, so relying on the top-level function to keep
the CompiledFnEntry alive could result in use-after-free which caused
a revert of that fix.

With this patch we use a symbol in the host defined options instead of
a number, because with the stage-3 symbol-as-weakmap-keys proposal
we could directly use that symbol to keep the referrer alive using a
WeakMap. As a bonus this also keeps the other kinds of referrers
alive as long as import() can still be initiated from that
Script/Module, so this also fixes the long-standing crash caused by
vm.Script being GC'ed too early when its importModuleDynamically
callback still needs it.

PR-URL: nodejs#48510
Backport-PR-URL: nodejs#51004
Refs: nodejs#44211
Refs: nodejs#42080
Refs: nodejs#47096
Refs: nodejs#43205
Refs: nodejs#38695
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Previously we maintain a strong persistent reference to the
ModuleWrap to retrieve the ID-to-ModuleWrap mapping from
the HostImportModuleDynamicallyCallback using the number ID
stored in the host-defined options. As a result the ModuleWrap
would be kept alive until the Environment is shut down, which
would be a leak for user code. With the new symbol-based
host-defined option we can just get the ModuleWrap from the
JS-land WeakMap so there's now no need to maintain this
strong reference. This would at least fix the leak for
vm.SyntheticModule. vm.SourceTextModule is still leaking
due to the strong persistent reference to the v8::Module.

PR-URL: nodejs#48510
Backport-PR-URL: nodejs#51004
Refs: nodejs#44211
Refs: nodejs#42080
Refs: nodejs#47096
Refs: nodejs#43205
Refs: nodejs#38695
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Replace the persistent handles to v8::Module and
v8::UnboundScript with an internal reference that V8's GC is
aware of to fix the leaks.

PR-URL: nodejs#48510
Backport-PR-URL: nodejs#51004
Refs: nodejs#44211
Refs: nodejs#42080
Refs: nodejs#47096
Refs: nodejs#43205
Refs: nodejs#38695
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
PR-URL: nodejs#49671
Backport-PR-URL: nodejs#51004
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Previously we simply create a lot of the target objects and check
if the process crash due to OOM. Due to how we use emphemeron GC
to handle memory management, which is inefficient but necessary
for correctness, the tests can produce false positives as
the GC isn't efficient enough to catch up with a very fast
heap growth.

This patch uses a new checkIfCollectable() utility to terminate the
test early once we detect that any of the target object can actually
be garbage collected. This should lower the chance of false positives.
As a drive-by this also allows us to use setImmediate() to grow the
heap even faster to make the tests run faster.

PR-URL: nodejs#49671
Backport-PR-URL: nodejs#51004
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Similar to the test-vm-source-text-module-leak fix, use a snapshot
to force a thorough GC in order to prevent false positives.

PR-URL: nodejs#49710
Backport-PR-URL: nodejs#51004
Refs: nodejs/reliability#669
Reviewed-By: Franziska Hinkelmann <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Rich Trott <[email protected]>
This makes it possile to hit the in-isolate compilation cache when
host-defined options are not necessary.

PR-URL: nodejs#49950
Backport-PR-URL: nodejs#51004
Refs: nodejs#35375
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Stephen Belanger <[email protected]>
Set a default host-defined option for vm.compileFunction so that
it's consistent with vm.Script.

PR-URL: nodejs#50137
Backport-PR-URL: nodejs#51004
Refs: nodejs#35375
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Instead of using the public versions of the vm APIs internally,
use the internal versions so that we can skip unnecessary
argument validation.

The public versions would need special care to the generation
of host-defined options to hit the isolate compilation cache
when imporModuleDynamically isn't used, while internally it's
almost always used, so this allows us to handle the host-defined
options separately.

PR-URL: nodejs#50137
Backport-PR-URL: nodejs#51004
Refs: nodejs#35375
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Users cannot access any API that can be used to return a module or
module namespace in this callback without --experimental-vm-modules
anyway, so this would eventually lead to a rejection. This patch
rejects in this case with our own error message and use a constant
host-defined option for the rejection, so that scripts with the
same source can still be compiled using the compilation cache
if no `import()` is actually called in the script.

PR-URL: nodejs#50137
Backport-PR-URL: nodejs#51004
Refs: nodejs#35375
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
PR-URL: nodejs#50515
Backport-PR-URL: nodejs#51973
Reviewed-By: Steven R Loomis <[email protected]>
Reviewed-By: LiviaMedeiros <[email protected]>
Refs: nodejs#51933
PR-URL: nodejs#51461
Backport-PR-URL: nodejs#51973
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Refs: nodejs#51933
nodejs-github-bot and others added 26 commits March 20, 2024 13:53
PR-URL: nodejs#51105
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: nodejs#51274
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Fix `internet/test-inspector-help-page` to handle the relative
redirect of `https://nodejs.org/en/docs/inspector` to
`/en/docs/guides/debugging-getting-started`. Previously this
URL redirected to an absolute URL.

PR-URL: nodejs#51121
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
c-ares has made intentional changes to the behavior of TXT records
to comply with RFC 7208, which concatenates multiple strings for
the same TXT record into a single string.  Multiple TXT records
are not concatenated.

Also, response handling has changed, such that a response which is
completely invalid in formatting is thrown away as a malicious
forged/spoofed packet rather than returning EBADRESP.  This is one
step toward RFC 9018 (EDNS COOKIES) which will require the message
to at least be structurally valid to validate against spoofed
records.

Fix By: Brad House (@bradh352)

PR-URL: nodejs#50743
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Fixes: nodejs#50741
Refs: nodejs#50444
PR-URL: nodejs#51385
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
This should get rid of the following GCC warning:
ISO C90 does not support ‘long long’ [-Wlong-long]

PR-URL: nodejs#51410
Reviewed-By: Jiawen Geng <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
PR-URL: nodejs#51582
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: nodejs#51846
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Original commit message:

    Fix reading integer-indexed import assertions in dynamic import

    Use GetPropertyOrElement instead of GetProperty to read import assertion
    values from the import assertions object, to support cases in which the
    key is an integer index such as `"0"`.

    The added test case, when using GetProperty, triggers the following DCHECK in
    debug builds:
    https://source.chromium.org/chromium/chromium/src/+/main:v8/src/objects/lookup-inl.h;l=108;drc=515f187ba067ee4a99fdf5198cca2c97abd342fd
    In release builds it silently fails to read the property, and thus throws about
    it not being a valid string.

    Bug: v8:14069
    Change-Id: Ifd4645b7bd9bfd07f06fa33727441d27eabc4d32
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4614489
    Reviewed-by: Victor Gomes <[email protected]>
    Commit-Queue: Marja Hölttä <[email protected]>
    Reviewed-by: Marja Hölttä <[email protected]>
    Cr-Commit-Position: refs/heads/main@{#88267}

Refs: v8/v8@d90d453
PR-URL: nodejs#50077
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Mohammed Keyvanzadeh <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
PR-URL: nodejs#52184
Refs: nodejs#51136
Refs: nodejs#52165 (comment)
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Add a flag for each experimental feature to indicate its presence.
That way, if we compile with `NAPI_EXPERIMENTAL` turned on, we'll be
able to distinguish between what `NAPI_EXPERIMENTAL` used to mean on an
old version of the headers when compiling against such an old version,
and what it means on a new version of Node.js.

PR-URL: nodejs#50991
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Vladimir Morozov <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Backport-PR-URL: nodejs#51804
(cherry picked from commit 727dd28)
    * Create macro for checking new string arguments.
    * Create macro for combining env check and inside-gc check.

PR-URL: nodejs#50664
Reviewed-By: Vladimir Morozov <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Backport-PR-URL: nodejs#51804
(cherry picked from commit 5e250bd)
We define a new type called `node_api_nogc_env` as the `const` version
of `napi_env` and `node_api_nogc_finalize` as a variant of
`napi_finalize` that accepts a `node_api_nogc_env` as its first
argument.

We then modify those APIs which do not affect GC state as accepting a
`node_api_nogc_env`. APIs accepting finalizer callbacks are modified to
accept `node_api_nogc_finalize` callbacks. Thus, the only way to attach
a `napi_finalize` callback, wherein Node-APIs affecting GC state may be
called is to call `node_api_post_finalizer` from a
`node_api_nogc_finalize` callback.

In keeping with the process of introducing new Node-APIs, this feature
is guarded by `NAPI_EXPERIMENTAL`. Since this feature modifies APIs
already marked as stable, it is additionally guared by
`NODE_API_EXPERIMENTAL_NOGC_ENV`, so as to provide a further buffer to
adoption. Nevertheless, both guards must be removed upon releasing a
new version of Node-API.

PR-URL: nodejs#50060
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Vladimir Morozov <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Backport-PR-URL: nodejs#51804
(cherry picked from commit 7a216d5)
PR-URL: nodejs#50209
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Christian Clauss <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Fixes: nodejs#51993
PR-URL: nodejs#52005
Reviewed-By: Robert Nagy <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Notable changes:

Added support for import attributes:

Support has been added for import attributes, to replace the old import
assertions syntax. This will aid migration by making the new syntax
available across all currently supported Node.js release lines.

For more details, see

* [nodejs#50134](nodejs#50134)
* [nodejs#51622](nodejs#51622)

Doc deprecation for `dirent.path`:

Please use newly added `dirent.parentPath` instead.

Experimental node-api feature flags

Introduces an experimental feature to segregate finalizers that affect GC state.
A new type called `node_api_nogc_env` has been introduced as the const version
of `napi_env` and `node_api_nogc_finalize` as a variant of `napi_finalize` that
accepts a `node_api_nogc_env` as its first argument.

This feature can be turned off by defining
`NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT`.

Root certificates updated to NSS 3.98:

Certificates added:

* Telekom Security TLS ECC Root 2020
* Telekom Security TLS RSA Root 2023

Certificates removed:

* Security Communication Root CA

Updated dependencies:

* ada updated to 2.7.6.
* base64 updated to 0.5.2.
* c-ares updated to 1.27.0.
* corepack updated to 0.25.2.
* ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
* npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
* simdutf8 updated to 4.0.8.
* Timezone updated to 2024a.
* zlib updated to 1.3.0.1-motley-40e35a7.

vm: fix V8 compilation cache support for vm.Script:

Previously repeated compilation of the same source code using `vm.Script`
stopped hitting the V8 compilation cache after v16.x when support for
`importModuleDynamically` was added to `vm.Script`, resulting in a performance
regression that blocked users (in particular Jest users) from upgrading from
v16.x.

The recent fixes allow the compilation cache to be hit again
for `vm.Script` when `--experimental-vm-modules` is not used even in the
presence of the `importModuleDynamically` option, so that users affected by the
performance regression can now upgrade. Ongoing work is also being done to
enable compilation cache support for `vm.CompileFunction`.

PR-URL: nodejs#52165
Co-Authored-By: Anna Henningsen <[email protected]>
PR-URL: nodejs-private/node-private#561
Fixes: https://hackerone.com/reports/2319584
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
CVE-ID: CVE-2024-27983
Signed-off-by: Matteo Collina <[email protected]>

PR-URL: nodejs-private/node-private#577
Reviewed-By: Rafael Gonzaga <[email protected]>
This is a security release.

Notable changes:

* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::\~Http2Session() leads to HTTP/2 server crash- (High)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
* llhttp version 9.2.1
* undici version 5.28.4

PR-URL: nodejs-private/node-private#573
An undocumented feature of the Win32 CreateProcess API allows spawning
batch files directly but is potentially insecure because arguments are
not escaped (and sometimes cannot be unambiguously escaped), hence why
they are refused starting today.

PR-URL: nodejs-private/node-private#564
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
CVE-ID: CVE-2024-27980
This is a security release.

Notable changes:

src:
  * disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564

PR-URL: nodejs-private/node-private#578
@spiliopoulos
Copy link

@seanwentzel @asana-kristoferbuno I believe we already use v18.20.2. Should we merge this PR to make sure that the v18 branch is up to date.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.