Node v22.23.0 nsolid v6.3.1 release #484
Open
santigimeno wants to merge 31 commits into
Signed-off-by: Stewart X Addison <sxa@ibm.com>
PR-URL: nodejs/node#62238
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
`parallel/test-fs-utimes-y2K38` appears to be broken on 32-bit armv7 systems where the underlying filesystem supports y2k38.

Signed-off-by: Richard Lau <richard.lau@ibm.com>
PR-URL: nodejs/node#63836
Refs: nodejs/node#63835
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Stewart X Addison <sxa@redhat.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
PR-URL: nodejs/node#63045
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This seems like a bug in AIX header files because the examples show including the headers but upon inspecting these files there are no declarations for sendmmsg and others: https://www.ibm.com/docs/en/aix/7.2.0?topic=s-sendmmsg-subroutine

For now we can claim to not have these functions. Alternatively we can declare these ourselves if we are AIX 7.2 or newer. The actual functions look to be available in libc.

GCC also has the same implicit function declaration but it happily moves forward. Clang started making this an explicit error in clang 16: https://www.redhat.com/en/blog/new-warnings-and-errors-clang-16

PR-URL: nodejs/node#62656
Refs: https://www.ibm.com/docs/en/aix/7.2.0?topic=s-sendmmsg-subroutine
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: nodejs/node#63820
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>

PR-URL: nodejs/node#63820
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com>
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
Refs: https://datatracker.ietf.org/doc/html/rfc9113#section-5.3.1
PR-URL: nodejs/node#58293
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs/node#58669
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs/node#57269
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs/node#58786
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs/node#59790
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs/node#61136
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs/node#62891
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match.

Signed-off-by: Tim Perry <pimterry@gmail.com>
PR-URL: nodejs/node#62891
Backport-PR-URL: nodejs/node#63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Refs: https://hackerone.com/reports/3658225
CVE-ID: CVE-2026-48937
PR-URL: nodejs/node#63711
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <richard.lau@ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>

PR-URL: nodejs-private/node-private#890
Reviewed-By: Tobias Nießen <tniessen@tnie.de>

Refs: https://hackerone.com/reports/3720313
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#867
Backport-PR-URL: nodejs-private/node-private#894
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
CVE-ID: CVE-2026-48615

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: nodejs-private/node-private#870
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48617
Refs: https://hackerone.com/reports/3625987

Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#869
Backport-PR-URL: nodejs-private/node-private#893
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48618
Refs: https://hackerone.com/reports/3688064
A malicious HTTP/2 server can send repeated ORIGIN frames with unique origins, causing unbounded growth of the client-side originSet for the lifetime of the session.

Cap the set at 128 entries; once full, new origins from ORIGIN frames are silently dropped.

Ref: https://hackerone.com/reports/3676863
PR-URL: nodejs-private/node-private#855
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48619
Refs: https://hackerone.com/reports/3676863
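As an added example (not code from Node.js or this PR), the bounded-set behaviour described in the commit above, fed from a parser for the HTTP/2 ORIGIN frame payload (RFC 8336 section 2.1: each entry is a 16-bit Origin-Len followed by that many bytes of ASCII-Origin). The frame bytes and origin names are constructed; `MAX_ORIGIN_SET_SIZE` is the 128-entry cap the commit names, and the class and function names are my own.

```javascript
// Added example, not Node.js source: parse ORIGIN frame payloads and feed the
// origins into a set that stops growing at 128 entries, as the fix describes.

const MAX_ORIGIN_SET_SIZE = 128; // the cap chosen by the fix

// RFC 8336 ORIGIN payload: repeated { Origin-Len (16 bits) , ASCII-Origin }.
function parseOriginFramePayload(payload) {
  const origins = [];
  let offset = 0;
  while (offset + 2 <= payload.length) {
    const len = payload.readUInt16BE(offset);
    offset += 2;
    if (offset + len > payload.length) {
      throw new Error('truncated ORIGIN entry'); // malformed frame, reject it
    }
    origins.push(payload.toString('ascii', offset, offset + len));
    offset += len;
  }
  if (offset !== payload.length) throw new Error('trailing bytes in ORIGIN payload');
  return origins;
}

// Helper for constructing test frames (the mirror image of the parser).
function encodeOriginFrame(origins) {
  const parts = [];
  for (const origin of origins) {
    const body = Buffer.from(origin, 'ascii');
    const len = Buffer.alloc(2);
    len.writeUInt16BE(body.length, 0);
    parts.push(len, body);
  }
  return Buffer.concat(parts);
}

// A session-scoped origin set that cannot grow past `max` entries.
class BoundedOriginSet {
  constructor(max = MAX_ORIGIN_SET_SIZE) {
    this.max = max;
    this.set = new Set();
    this.dropped = 0; // how many origins were silently discarded once full
  }
  add(origin) {
    if (this.set.has(origin)) return true; // duplicates never grow the set
    if (this.set.size >= this.max) {
      this.dropped += 1; // full: drop silently, as the fix specifies
      return false;
    }
    this.set.add(origin);
    return true;
  }
  get size() {
    return this.set.size;
  }
}

// Replay `frameCount` constructed ORIGIN frames, each carrying
// `originsPerFrame` distinct origins, into a fresh bounded set.
function replayOriginFrames(frameCount, originsPerFrame) {
  const originSet = new BoundedOriginSet();
  let n = 0;
  for (let f = 0; f < frameCount; f++) {
    const origins = [];
    for (let i = 0; i < originsPerFrame; i++) origins.push(`https://host${n++}.example`);
    for (const origin of parseOriginFramePayload(encodeOriginFrame(origins))) {
      originSet.add(origin);
    }
  }
  return originSet;
}
```

Memory is bounded by the cap regardless of how many frames the peer sends, and `dropped` gives an operator a cheap counter to alert on: a well-behaved origin server rarely advertises more than a handful of origins.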
The regex constructed by server.addContext() lacked the case-insensitive flag, causing uppercase or mixed-case SNI hostnames from ClientHello to miss their intended context and fall back to the default context. This violates RFC 6066 Section 3, which states that DNS hostnames are case-insensitive.

In mTLS configurations with per-tenant contexts, this allowed bypassing client certificate authorization by simply uppercasing the SNI hostname.

Add the 'i' flag to the RegExp in addContext() so that SNI matching is case-insensitive.

PR-URL: nodejs-private/node-private#857
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48928
Refs: https://hackerone.com/reports/3656869
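As an added example (not code from Node.js or this PR), a small SNI context table that builds a RegExp from a hostname pattern the way `addContext()` is described above, once without and once with the `'i'` flag, and resolves a ClientHello SNI value against both. The translation of a `*` label into exactly one DNS label, and the names `SniContextTable`, `hostnamePatternToRegExp` and `resolveBeforeAndAfter`, are my assumptions about the shape of such a matcher, not Node's implementation.

```javascript
// Added example, not Node.js source: SNI context lookup before and after the
// case-insensitive fix. RFC 6066 section 3 makes DNS host names
// case-insensitive, so the flag is what the fix adds.

function hostnamePatternToRegExp(pattern, caseInsensitive) {
  const source = pattern
    .split('.')
    .map((label) =>
      label === '*'
        ? '[^.]+' // wildcard label: exactly one DNS label (assumed semantics)
        : label.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')) // literal label, escaped
    .join('\\.');
  return new RegExp(`^${source}$`, caseInsensitive ? 'i' : '');
}

class SniContextTable {
  constructor({ caseInsensitive }) {
    this.caseInsensitive = caseInsensitive;
    this.entries = [];
  }

  // Mirrors addContext(hostname, context): register a pattern and the
  // context (here just a name) that connections matching it should get.
  addContext(hostname, contextName) {
    this.entries.push({
      re: hostnamePatternToRegExp(hostname, this.caseInsensitive),
      contextName,
    });
  }

  // Mirrors the server-side SNI lookup: first matching pattern wins,
  // otherwise the connection falls back to the default context.
  resolve(sniHostname) {
    for (const { re, contextName } of this.entries) {
      if (re.test(sniHostname)) return contextName;
    }
    return 'default';
  }
}

// Resolve one SNI value against a table built the old way and the fixed way.
function resolveBeforeAndAfter(sniHostname) {
  const results = {};
  for (const [label, caseInsensitive] of [['before', false], ['after', true]]) {
    const table = new SniContextTable({ caseInsensitive });
    table.addContext('tenant-a.example.com', 'tenant-a'); // per-tenant mTLS context
    table.addContext('*.example.net', 'wildcard');
    results[label] = table.resolve(sniHostname);
  }
  return results;
}
```

The failure mode the commit describes is visible in the `before` column: `TENANT-A.EXAMPLE.COM` falls through to `default`, so whatever client-certificate requirements live only on the tenant context are never applied. A regression test for this class of bug should always include at least one mixed-case SNI value.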
Ref: https://hackerone.com/reports/3656716
PR-URL: nodejs-private/node-private#868
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48930
Refs: https://hackerone.com/reports/3656716

Backport-PR-URL: nodejs-private/node-private#895
PR-URL: nodejs-private/node-private#854
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48934
Refs: https://hackerone.com/reports/3649802

Backport-PR-URL: nodejs-private/node-private#895
PR-URL: nodejs-private/node-private#854
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Refs: https://hackerone.com/reports/3649802

PR-URL: nodejs-private/node-private#873
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48935
Refs: https://hackerone.com/reports/3625987
Attach a data guard listener on idle keepAlive sockets in the freeSockets pool. If unsolicited data arrives while the socket is idle, destroy it immediately to prevent response queue poisoning.

Refs: https://hackerone.com/reports/3582376
PR-URL: nodejs-private/node-private#846
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48931
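As an added example (not code from Node.js or this PR), a minimal keep-alive pool that installs the idle `'data'` guard the commit above describes and removes it again when a socket is handed to a new request. `MockSocket` is a constructed stand-in for `net.Socket` with only the event methods the pool needs; `FreeSocketPool` and `runScenario` are my names, and the response bytes in the scenario are constructed.

```javascript
// Added example, not Node.js source: an idle-socket data guard for a
// keep-alive pool. Bytes that arrive while no request is in flight are
// unsolicited, so the socket is destroyed rather than handed to the next
// request, whose parser would otherwise read those bytes as its own response.

class MockSocket {
  constructor(name) {
    this.name = name;
    this.destroyed = false;
    this.listeners = new Map();
  }
  on(event, fn) {
    if (!this.listeners.has(event)) this.listeners.set(event, []);
    this.listeners.get(event).push(fn);
    return this;
  }
  removeListener(event, fn) {
    const list = this.listeners.get(event) || [];
    this.listeners.set(event, list.filter((f) => f !== fn));
    return this;
  }
  emit(event, ...args) {
    for (const fn of [...(this.listeners.get(event) || [])]) fn(...args);
  }
  destroy() {
    this.destroyed = true;
  }
}

class FreeSocketPool {
  constructor() {
    this.freeSockets = [];
    this.guards = new Map(); // socket -> its idle 'data' listener
    this.rejected = []; // audit trail of sockets torn down by the guard
  }

  // A response has been fully consumed and the socket returns to the pool.
  release(socket) {
    const onIdleData = (chunk) => {
      this.rejected.push({ socket: socket.name, bytes: chunk.length });
      this.freeSockets = this.freeSockets.filter((s) => s !== socket);
      this.guards.delete(socket);
      socket.destroy(); // never let a poisoned socket be reused
    };
    socket.on('data', onIdleData);
    this.guards.set(socket, onIdleData);
    this.freeSockets.push(socket);
  }

  // A new request needs a socket: detach the guard first so the request's
  // own response parser, not the guard, receives what the server sends.
  acquire() {
    const socket = this.freeSockets.shift();
    if (!socket) return null;
    socket.removeListener('data', this.guards.get(socket));
    this.guards.delete(socket);
    return socket;
  }
}

// Scenario: two idle sockets; one receives bytes nobody asked for.
function runScenario() {
  const pool = new FreeSocketPool();
  const quiet = new MockSocket('quiet');
  const chatty = new MockSocket('chatty');
  pool.release(quiet);
  pool.release(chatty);

  // Constructed unsolicited bytes arriving on an idle socket.
  chatty.emit('data', Buffer.from('HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n'));

  const reused = pool.acquire(); // must be 'quiet', never the poisoned socket
  // Once acquired, data belongs to the new request and must not trip the guard.
  reused.emit('data', Buffer.from('HTTP/1.1 204 No Content\r\n\r\n'));

  return {
    chattyDestroyed: chatty.destroyed,
    reusedName: reused.name,
    reusedDestroyed: reused.destroyed,
    remainingFree: pool.freeSockets.length,
    rejected: pool.rejected.length,
  };
}
```

The `rejected` list is worth surfacing as a metric in a real agent: an idle socket that receives data is either a misbehaving upstream or a desynchronised connection, and either deserves attention before it is silently recycled.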
Reject WebCrypto cipher operations whose computed output length would exceed INT_MAX before passing the length to OpenSSL. This avoids signed overflow in the AES and ChaCha20-Poly1305 one-shot cipher paths and turns oversized inputs into a clean operation failure.

Refs: https://hackerone.com/reports/3760016
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
Backport-PR-URL: nodejs-private/node-private#879
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: nodejs-private/node-private#878
CVE-ID: CVE-2026-48933
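As an added example (not code from Node.js or this PR), the shape of the guard the commit above describes: compute the one-shot cipher's output length from the input length and refuse the operation before any length reaches native code if it would not fit in a C `int`. The per-algorithm output-length formulas (PKCS#7 padding for CBC, a trailing tag for the AEADs) are my reading of the standard constructions and, like the names `expectedOutputLength` and `guardCipherOutputLength`, are assumptions rather than Node's code.

```javascript
// Added example, not Node.js source: bound the computed output length of a
// one-shot WebCrypto cipher to INT_MAX before handing it to OpenSSL.

const INT_MAX = 2 ** 31 - 1; // largest value a C int can hold
const AES_BLOCK_BYTES = 16;

// Output length in bytes for the given operation, or -1 when the input is
// already invalid (e.g. an AEAD ciphertext too short to carry its tag).
// Formulas are assumptions about the standard constructions.
function expectedOutputLength(algorithm, inputLength, { encrypt, tagLength = 128 } = {}) {
  const tagBytes = tagLength / 8;
  switch (algorithm) {
    case 'AES-CTR':
      return inputLength; // counter mode: no expansion either way
    case 'AES-CBC':
      // PKCS#7 encryption always appends 1..16 padding bytes; decryption
      // output is at most the input and only known after unpadding.
      return encrypt
        ? (Math.floor(inputLength / AES_BLOCK_BYTES) + 1) * AES_BLOCK_BYTES
        : inputLength;
    case 'AES-GCM':
    case 'ChaCha20-Poly1305':
      if (encrypt) return inputLength + tagBytes; // ciphertext || tag
      return inputLength >= tagBytes ? inputLength - tagBytes : -1;
    default:
      throw new TypeError(`unsupported algorithm: ${algorithm}`);
  }
}

// The guard: the one place the length is checked before crossing into
// native code. Returns a result object instead of throwing so a caller can
// map it onto the clean OperationError the fix describes.
function guardCipherOutputLength(algorithm, inputLength, options) {
  if (!Number.isSafeInteger(inputLength) || inputLength < 0) {
    return { ok: false, reason: 'input length is not a non-negative integer' };
  }
  const outputLength = expectedOutputLength(algorithm, inputLength, options);
  if (outputLength < 0) {
    return { ok: false, reason: 'input too short for this operation' };
  }
  if (outputLength > INT_MAX) {
    return { ok: false, reason: 'output length exceeds INT_MAX' };
  }
  return { ok: true, outputLength };
}
```

The interesting inputs sit just below `INT_MAX`: a plaintext a few bytes short of the limit passes a naive `inputLength <= INT_MAX` check, yet once the 16-byte tag or the padding block is added the value the C side receives has already wrapped negative. Checking the computed output length, not the input length, is what closes that gap.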
This is a security release.

Notable changes:

* (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
* (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
* (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
* (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
* (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
* (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
* (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
* (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
* (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
* (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
* (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

PR-URL: nodejs-private/node-private#898
2026-06-18 Node.js v22.23.0 Jod (LTS) Release

Git-EVTag-v0-SHA512: 014c6a100cdd917d58246214bf4015b0aff48c4778f6b7044a041ff2bbfa7a6d7111c287ee0236ec65c7ad1f36c88db822ae696cbadfec3efae71a017ea5ca33
Signed-off-by: Santiago Gimeno <santiago.gimeno@gmail.com>
RafaelGSS approved these changes on Jun 18, 2026

EHortua approved these changes on Jun 18, 2026
No description provided.