chore(deps): update dependency node to v20

[tradeshift-renovate]

This PR contains the following updates:

Package	Update	Change
node (source)	major	18 -> 20

---

Release Notes

nodejs/node (node)

v20.11.1: 2024-02-14, Version 20.11.1 'Iron' (LTS), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [7079c062bb] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [186a6e1ffb] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #​51737
• [686da19abb] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529
• [f7b44bfbce] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [7a30fecea2] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #​51614
• [480fc169a8] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [77ac7c3153] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519
• [ed7d149675] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [89bd5fc38f] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539
• [d01dd4291d] - permission: fix wildcard when children > 1 (Rafael Gonzaga) #​51209
• [40ff37dfcc] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [3f6addd590] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529
• [d6da413aa4] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [c213910aea] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541

v20.11.0: 2024-01-09, Version 20.11.0 'Iron' (LTS), @​UlisesGascon

Compare Source

Notable Changes

• [833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #​50805
• [a541b78bdb] - doc: add MrJithil to collaborators (Jithil P Ponnan) #​50666
• [d4be8fad83] - doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood) #​50393
• [c1a196c897] - (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners) #​48740
• [aa3209b880] - fs: add c++ fast path for writeFileSync utf8 (CanadaHonk) #​49884
• [8e886a2fff] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #​48655
• [21ab3c0f0b] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #​48655
• [29d91b13e3] - (SEMVER-MINOR) src: add --disable-warning option (Ethan Arrowood) #​50661
• [11b3e470db] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #​48655
• [621c4d66c2] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #​48655
• [139d6c8d3b] - stream: use Array for Readable buffer (Robert Nagy) #​50341
• [6206957e8d] - stream: optimize creation (Robert Nagy) #​50337
• [e64378643d] - (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash) #​50018
• [4a830c2d9d] - (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos) #​48638
• [842dc01def] - (SEMVER-MINOR) test_runner, cli: add --test-timeout flag (Shubham Pandey) #​50443

Commits

• [e40a559ab1] - benchmark: update iterations in benchmark/util/splice-one.js (Liu Jia) #​50698
• [00f7a5d26f] - benchmark: increase the iteration number to an appropriate value (Lei Shi) #​50766
• [be6ad3f375] - benchmark: rewrite import.meta benchmark (Joyee Cheung) #​50683
• [9857364129] - benchmark: add misc/startup-cli-version benchmark (Joyee Cheung) #​50684
• [22d729e7f5] - benchmark: remove punycode from require-builtins fixture (Joyee Cheung) #​50689
• [4cf10a149a] - benchmark: change iterations in benchmark/es/string-concatenations.js (Liu Jia) #​50585
• [15c2ed93a8] - benchmark: add benchmarks for encodings (Aras Abbasi) #​50348
• [8a896428ca] - benchmark: add more cases to Readable.from (Raz Luvaton) #​50351
• [dbe6c5f354] - benchmark: skip test-benchmark-os on IBMi (Michael Dawson) #​50286
• [179b4b6e62] - benchmark: move permission-fs-read to permission-processhas-fs-read (Aki Hasegawa-Johnson) #​49770
• [32d65c001d] - buffer: improve Buffer.equals performance (kylo5aby) #​50621
• [80ea83757e] - build: add GN configurations for simdjson (Cheng Zhao) #​50831
• [904e645bcd] - build: add configuration flag to enable Maglev (Keyhan Vakil) #​50692
• [019efa8a5a] - build: fix GN configuration for deps/base64 (Cheng Zhao) #​50696
• [a645d5ac54] - build: disable flag v8_scriptormodule_legacy_lifetime (Chengzhong Wu) #​50616
• [8705058b09] - build: add GN build files (Cheng Zhao) #​47637
• [0a5e9c12cf] - build: fix build with Python 3.12 (Luigi Pinca) #​50582
• [ff5713dd43] - build: support Python 3.12 (Shi Pujin) #​50209
• [cfd50f229a] - build: fix building when there is only python3 (Cheng Zhao) #​48462
• [833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #​50805
• [54c46dae9e] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #​50803
• [0be84e5a28] - deps: update undici to 5.27.2 (Node.js GitHub Bot) #​50813
• [ec67890824] - deps: V8: cherry-pick 0f9ebbc (Chengzhong Wu) #​50867
• [bc2ebb972b] - deps: V8: cherry-pick 13192d6 (Levi Zim) #​50552
• [656135d70a] - deps: update zlib to 1.2.13.1-motley-dfc48fc (Node.js GitHub Bot) #​50456
• [41ee4bcc5d] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #​50815
• [a40948b5c5] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #​50806
• [7be1222c4a] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #​50772
• [68e7d49db6] - deps: upgrade npm to 10.2.4 (npm team) #​50751
• [3d82d38336] - deps: escape Python strings correctly (Michaël Zasso) #​50695
• [d3870ac957] - deps: update base64 to 0.5.1 (Node.js GitHub Bot) #​50629
• [4b219b6ece] - deps: update corepack to 0.23.0 (Node.js GitHub Bot) #​50563
• [6c41b50922] - deps: update nghttp2 to 1.58.0 (Node.js GitHub Bot) #​50441
• [3beee0ae8f] - deps: update acorn to 8.11.2 (Node.js GitHub Bot) #​50460
• [220916fa93] - deps: update undici to 5.27.0 (Node.js GitHub Bot) #​50463
• [f9960b3545] - deps: update googletest to 116b7e5 (Node.js GitHub Bot) #​50324
• [d5c16f897a] - dns: call handle.setServers() with a valid array (Luigi Pinca) #​50811
• [1bd6537c97] - doc: recommend supported Python versions (Luigi Pinca) #​50407
• [402e257520] - doc: update notable changes in v21.1.0 (Joyee Cheung) #​50388
• [032535e270] - doc: make theme consistent across api and other docs (Dima Demakov) #​50877
• [d53842683f] - doc: add a section regarding instanceof in primordials.md (Antoine du Hamel) #​50874
• [fe315055a7] - doc: update email to reflect affiliation (Yagiz Nizipli) #​50856
• [e14f661950] - doc: shard not supported with watch mode (Pulkit Gupta) #​50640
• [b3d015de71] - doc: get rid of unnecessary eslint-skip comments (Antoine du Hamel) #​50829
• [168cbf9cb9] - doc: create deprecation code for isWebAssemblyCompiledModule (Marco Ippolito) #​50486
• [30baacba41] - doc: add CanadaHonk to triagers (CanadaHonk) #​50848
• [e6e7cbceac] - doc: fix typos in --allow-fs-* (Tobias Nießen) #​50845
• [e22ce9586f] - doc: update Crypto API doc for x509.keyUsage (Daniel Meechan) #​50603
• [549d4422b7] - doc: fix fs.writeFileSync return value documentation (Ryan Zimmerman) #​50760
• [3c79e3cdba] - doc: update print results(detail) in PerformanceEntry (Jungku Lee) #​50723
• [aeaf96d06e] - doc: fix Buffer.allocUnsafe documentation (Mert Can Altın) #​50686
• [347e1dd06a] - doc: run license-builder (github-actions[bot]) #​50691
• [a541b78bdb] - doc: add MrJithil to collaborators (Jithil P Ponnan) #​50666
• [90f415dd61] - doc: fix typo in fs.md (fwio) #​50570
• [e2388151ba] - doc: add missing description of argument in subtle.encrypt (Deokjin Kim) #​50578
• [39cc013465] - doc: update pm documentation to include resource (Ranieri Innocenti Spada) #​50601
• [ba6d427c23] - doc: correct attribution in v20.6.0 changelog (Jacob Smith) #​50564
• [1b2dab8254] - doc: update to align console.table row to the left (Jungku Lee) #​50553
• [5d48ef7778] - doc: underline links (Rich Trott) #​50481
• [5e6057c9d2] - doc: remove duplicate word (Gerhard Stöbich) #​50475
• [64bf2fd4ee] - doc: fix typo in webstreams.md (André Santos) #​50426
• [cca55b8414] - doc: add information about Node-API versions >=9 (Michael Dawson) #​50168
• [d4be8fad83] - doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood) #​50393
• [0b311838f6] - doc: fix TOC in releases.md (Bryce Seefieldt) #​50372
• [843d5f84ca] - esm: fallback to getSource when load returns nullish source (Antoine du Hamel) #​50825
• [8d5469c84b] - esm: do not call getSource when format is commonjs (Francesco Trotta) #​50465
• [b48cf314d3] - esm: bypass CJS loader in default load under --default-type=module (Antoine du Hamel) #​50004
• [c1a196c897] - (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners) #​48740
• [435f9c9276] - fs: use default w flag for writeFileSync with utf8 encoding (Murilo Kakazu) #​50990
• [aa3209b880] - fs: add c++ fast path for writeFileSync utf8 (CanadaHonk) #​49884
• [05e25e0230] - fs: improve error perf of sync lstat+fstat (CanadaHonk) #​49868
• [f94a24cb4b] - fs: improve error performance for rmdirSync (CanadaHonk) #​49846
• [cada22e2a4] - fs: fix to not return for void function (Jungku Lee) #​50769
• [ba40b2e33e] - fs: replace deprecated path._makeLong in copyFile (CanadaHonk) #​50844
• [d1b6bd660a] - fs: update param in jsdoc for readdir (Jungku Lee) #​50448
• [11412e863a] - fs: do not throw error on cpSync internals (Yagiz Nizipli) #​50185
• [868a464c15] - fs,url: move FromNamespacedPath to node_url (Yagiz Nizipli) #​50090
• [de7fe08c7b] - fs,url: refactor FileURLToPath method (Yagiz Nizipli) #​50090
• [186e6e0395] - fs,url: move FileURLToPath to node_url (Yagiz Nizipli) #​50090
• [aea7fe54af] - inspector: use private fields instead of symbols (Yagiz Nizipli) #​50776
• [48dbde71d8] - lib: use primordials for navigator.userAgent (Aras Abbasi) #​50467
• [fa220cac87] - lib: remove deprecated string methods (Jithil P Ponnan) #​50592
• [f1cf1c385f] - lib: fix assert shows diff messages in ESM and CJS (Jithil P Ponnan) #​50634
• [3844af288f] - lib: make event static properties non writable and configurable (Muthukumar) #​50425
• [0a0b416d6c] - lib: avoid memory allocation on nodeprecation flag (Vinicius Lourenço) #​50231
• [e7551d5770] - lib: align console.table row to the left (Jithil P Ponnan) #​50135
• [0c85cebdf2] - meta: clarify nomination process according to Node.js charter (Matteo Collina) #​50834
• [f4070dd8d4] - meta: clarify recommendation for bug reproductions (Antoine du Hamel) #​50882
• [2ddeead436] - meta: move cjihrig to TSC regular member (Colin Ihrig) #​50816
• [34a789d9be] - meta: add web-standards as WPTs owner (Filip Skokan) #​50636
• [40bbffa266] - meta: bump github/codeql-action from 2.21.9 to 2.22.5 (dependabot[bot]) #​50513
• [c49553631d] - meta: bump step-security/harden-runner from 2.5.1 to 2.6.0 (dependabot[bot]) #​50512
• [99df0138b0] - meta: bump ossf/scorecard-action from 2.2.0 to 2.3.1 (dependabot[bot]) #​50509
• [9db6227ac6] - meta: fix spacing in collaborator list (Antoine du Hamel) #​50641
• [2589a5a566] - meta: bump actions/setup-python from 4.7.0 to 4.7.1 (dependabot[bot]) #​50510
• [5a86661a95] - meta: add crypto as crypto and webcrypto docs owner (Filip Skokan) #​50579
• [ac8d2b9cc2] - meta: bump actions/setup-node from 3.8.1 to 4.0.0 (dependabot[bot]) #​50514
• [bee2c0cf11] - meta: bump actions/checkout from 4.1.0 to 4.1.1 (dependabot[bot]) #​50511
• [91a0944e5f] - meta: add ethan.arrowood@vercel.com to mailmap (Ethan Arrowood) #​50491
• [8d3cf8c4ee] - meta: add web-standards as web api visibility owner (Chengzhong Wu) #​50418
• [807c12de36] - meta: mention other notable changes section (Rafael Gonzaga) #​50309
• [21ab3c0f0b] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #​48655
• [8e886a2fff] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #​48655
• [77e8361213] - module: execute --import sequentially (Antoine du Hamel) #​50474
• [fffc4951ac] - module: add application/json in accept header when fetching json module (Marco Ippolito) #​50119
• [f808e7a650] - net: check pipe mode and path (theanarkh) #​50770
• [cf3a4c5b84] - node-api: factor out common code into macros (Gabriel Schulhof) #​50664
• [a7d8f6b529] - perf_hooks: implement performance.now() with fast API calls (Joyee Cheung) #​50492
• [076dc7540b] - permission: do not create symlinks if target is relative (Tobias Nießen) #​49156
• [43160dcd2d] - permission: mark const functions as such (Tobias Nießen) #​50705
• [7a661d7ad9] - permission: address coverity warning (Michael Dawson) #​50215
• [b2b4132c3e] - src: iterate on import attributes array correctly (Michaël Zasso) #​50703
• [11b3e470db] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #​48655
• [d00412a083] - (SEMVER-MINOR) src: create fs_dir per isolate properties (Chengzhong Wu) #​48655
• [14cc3b9b90] - (SEMVER-MINOR) src: create worker per isolate properties (Chengzhong Wu) #​48655
• [621c4d66c2] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #​48655
• [07a4e94e84] - src: assert return value of BN_bn2binpad (Tobias Nießen) #​50860
• [158db2d61e] - src: fix coverity warning (Michael Dawson) #​50846
• [94363bb3fd] - src: fix compatility with upcoming V8 12.1 APIs (Cheng Zhao) #​50709
• [29d91b13e3] - (SEMVER-MINOR) src: add --disable-warning option (Ethan Arrowood) #​50661
• [f054c337f8] - src: add IsolateScopes before using isolates (Keyhan Vakil) #​50680
• [d08eb382cd] - src: avoid copying strings in FSPermission::Apply (Tobias Nießen) #​50662
• [6620df1c05] - src: remove erroneous default argument in RadixTree (Tobias Nießen) #​50736
• [436c3aef15] - src: fix JSONParser leaking internal V8 scopes (Keyhan Vakil) #​50688
• [6f46d31018] - src: return error --env-file if file is not found (Ardi Nugraha) #​50588
• [3d43fd359c] - src: avoid silent coercion to signed/unsigned int (Tobias Nießen) #​50663
• [c253e39b56] - src: handle errors from uv_pipe_connect2() (Deokjin Kim) #​50657
• [3a9713bb5a] - src: use v8::Isolate::TryGetCurrent() in DumpJavaScriptBacktrace() (Joyee Cheung) #​50518
• [94f8a925a8] - src: print more information in C++ assertions (Joyee Cheung) #​50242
• [23f830616b] - src: hide node::credentials::HasOnly outside unit (Tobias Nießen) #​50450
• [b7ecb0a390] - src: readiterable entries may be empty (Matthew Aitken) #​50398
• [4ef1d68715] - src: implement structuredClone in native (Joyee Cheung) #​50330
• [9346f15138] - src: use find instead of char-by-char in FromFilePath() (Daniel Lemire) #​50288
• [8414fb4d2a] - src: add commit hash shorthand in zlib version (Jithil P Ponnan) #​50158
• [a878e3abb0] - stream: fix enumerability of ReadableStream.from (Mattias Buelens) #​50779
• [95ed4ffc1e] - stream: fix enumerability of ReadableStream.prototype.values (Mattias Buelens) #​50779
• [4cf155ca0c] - stream: add Symbol.toStringTag to Compression Streams (Filip Skokan) #​50712
• [6012e3e781] - stream: fix Writable.destroy performance regression (Robert Nagy) #​50478
• [dd5206820c] - stream: pre-allocate _events (Robert Nagy) #​50428
• [829b82ed0f] - stream: remove no longer relevant comment (Robert Nagy) #​50446
• [98ae1b4132] - stream: use bit fields for construct/destroy (Robert Nagy) #​50408
• [08a0c6c56c] - stream: improve from perf (Raz Luvaton) #​50359
• [59f7316b8f] - stream: avoid calls to listenerCount (Robert Nagy) #​50357
• [9d52430eb9] - stream: readable use bitmap accessors (Robert Nagy) #​50350
• [139d6c8d3b] - stream: use Array for Readable buffer (Robert Nagy) #​50341
• [6206957e8d] - stream: optimize creation (Robert Nagy) #​50337
• [f87921de3b] - stream: refactor writable _write (Robert Nagy) #​50198
• [b338f3d3c2] - stream: avoid getter for defaultEncoding (Robert Nagy) #​50203
• [1862235a26] - test: fix message v8 not normalising alphanumeric paths (Jithil P Ponnan) #​50730
• [7c28a4ca8f] - test: fix dns test case failures after c-ares update to 1.21.0+ (Brad House) #​50743
• [4544593d31] - test: replace forEach with for of (Conor Watson) #​50594
• [96143a3293] - test: replace forEach to for at test-webcrypto-sign-verify-ecdsa.js (Alessandro Di Nisio) #​50795
• [107b5e63c5] - test: replace foreach with for in test-https-simple.js (Shikha Mehta) #​49793
• [9b2e5e9db4] - test: add note about unresolved spec issue (Mattias Buelens) #​50779
• [edce637c1a] - test: add note about readable streams with type owning (Mattias Buelens) #​50779
• [641044670b] - test: replace forEach with for-of in test-url-relative (vitosorriso) #​50788
• [75ee78438c] - test: replace forEach() with for ... of in test-tls-getprotocol.js (Steve Goode) #​50600
• [24f9d3fbeb] - test: enable idlharness tests for encoding (Mattias Buelens) #​50778
• [a9d290956e] - test: replace forEach in whatwg-encoding-custom-interop (Honza Machala) #​50607
• [6584dd80f7] - test: replace forEach() with for-loop (Jan) #​50596
• [be54a22869] - test: improve test-bootstrap-modules.js (Joyee Cheung) #​50708
• [660e70e73b] - test: skip parallel/test-macos-app-sandbox if disk space < 120MB (Joyee Cheung) #​50764
• [5712c41122] - test: replace foreach with for (Markus Muschol) #​50599
• [49e5f47b1c] - test: test streambase has already has a consumer (Jithil P Ponnan) #​48059
• [bb7d764c8e] - test: change forEach to for...of in path extname (Kyriakos Markakis) #​50667
• [4d28ced079] - test: replace forEach with for...of (Ryan Williams) #​50611
• [92a153ecde] - test: migrate message v8 tests from Python to JS (Joshua LeMay) #​50421
• [a376284d8a] - test: use destructuring for accessing setting values (Honza Jedlička) #​50609
• [7b9b1fba27] - test: replace forEach() with for .. of (Evgenia Blajer) #​50605
• [9397b2da7e] - test: replace forEach() with for ... of in test-readline-keys.js (William Liang) #​50604
• [9043ba4cfb] - test: replace forEach() with for ... of in test-http2-single-headers.js (spiritualized) #​50606
• [9f911d31f6] - test: replace forEach with for of (john-mcinall) #​50602
• [8a5f36fe74] - test: remove unused file (James Sumners) #​50528
• [9950203340] - test: replace forEach with for of (Kevin Kühnemund) #​50597
• [03ba28f102] - test: replace forEach with for of (CorrWu) #​49785
• [ea61261b54] - test: replace forEach with for [...] of (Gabriel Bota) #​50615
• [4349790913] - test: add WPT report test duration (Filip Skokan) #​50574
• [7cacddfcc1] - test: replace forEach() with for ... of loop in test-global.js (Kajol) #​49772
• [889f58d07f] - test: skip test-diagnostics-channel-memory-leak.js (Joyee Cheung) #​50327
• [41644ee071] - test: improve UV_THREADPOOL_SIZE tests on .env (Yagiz Nizipli) #​49213
• [1db44b9a53] - test: recognize wpt completion error (Chengzhong Wu) #​50429
• [ecfc951ddc] - test: report error wpt test results (Chengzhong Wu) #​50429
• [deb0351d95] - test: replace forEach() with for...of (Ram) #​49794
• [f885dfe5e3] - test: replace forEach() with for...of in test-trace-events-http (Chand) #​49795
• [9dc63c56db] - test: replace forEach with for...of in test-fs-realpath-buffer-encoding (Niya Shiyas) #​49804
• [600d1260da] - test: fix timeout of test-cpu-prof-dir-worker.js in LoongArch devices (Shi Pujin) #​50363
• [099f5cfa0a] - test: fix vm assertion actual and expected order (Chengzhong Wu) #​50371
• [a31f9bfe01] - test: v8: Add test-linux-perf-logger test suite (Luke Albao) #​50352
• [6c59114947] - test: ensure never settling promises are detected (Antoine du Hamel) #​50318
• [9830ae4bf7] - test_runner: add tests for various mock timer issues (Mika Fischer) #​50384
• [2c72ed85fb] - test_runner: pass abortSignal to test files (Moshe Atlow) #​50630
• [c33a84af11] - test_runner: replace forEach with for of (Tom Haddad) #​50595
• [29c68a22bb] - test_runner: output errors of suites (Moshe Atlow) #​50361
• [e64378643d] - (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash) #​50018
• [4aaaff413b] - test_runner: test return value of mocked promisified timers (Mika Fischer) #​50331
• [4a830c2d9d] - (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos) #​48638
• [842dc01def] - (SEMVER-MINOR) test_runner, cli: add --test-timeout flag (Shubham Pandey) #​50443
• [613a9072b7] - tls: fix order of setting cipher before setting cert and key (Kumar Rishav) #​50186
• [d905c61e16] - tls: use validateFunction for options.SNICallback (Deokjin Kim) #​50530
• [c8d6dd58e7] - tools: add macOS notarization verification step (Ulises Gascón) #​50833
• [c9bd0b0c0f] - tools: use macOS keychain to notarize the releases (Ulises Gascón) #​50715
• [932a5d7b2c] - tools: update eslint to 8.54.0 (Node.js GitHub Bot) #​50809
• [d7114d97be] - tools: update lint-md-dependencies to rollup@4.5.0 (Node.js GitHub Bot) #​50807
• [93085cf844] - tools: add workflow to update release links (Michaël Zasso) #​50710
• [66764c5d04] - tools: recognize GN files in dep_updaters (Cheng Zhao) #​50693
• [2a451e176a] - tools: remove unused file (Ulises Gascon) #​50622
• [8ce6403230] - tools: change minimatch install strategy (Marco Ippolito) #​50476
• [97778e2e77] - tools: update lint-md-dependencies to rollup@4.3.1 (Node.js GitHub Bot) #​50675
• [797f6a9ba8] - tools: add macOS notarization stapler (Ulises Gascón) #​50625
• [8fa1319352] - tools: update eslint to 8.53.0 (Node.js GitHub Bot) #​50559
• [592f57970f] - tools: update lint-md-dependencies to rollup@4.3.0 (Node.js GitHub Bot) #​50556
• [2fd78fc39e] - tools: compare ICU checksums before file changes (Michaël Zasso) #​50522
• [631d710fc4] - tools: improve update acorn-walk script (Marco Ippolito) #​50473
• [33fd2af2ab] - tools: update lint-md-dependencies to rollup@4.2.0 (Node.js GitHub Bot) #​50496
• [22b7a74838] - tools: update gyp-next to v0.16.1 (Michaël Zasso) #​50380
• [f5ccab5005] - tools: skip ruff on tools/gyp (Michaël Zasso) #​50380
• [408fd90508] - tools: update lint-md-dependencies to rollup@4.1.5 unified@11.0.4 (Node.js GitHub Bot) #​50461
• [685f936ccd] - tools: avoid npm install in deps installation (Marco Ippolito) #​50413
• [7d43c5a094] - Revert "tools: update doc dependencies" (Richard Lau) #​50414
• [8fd67c2e3e] - tools: update doc dependencies (Node.js GitHub Bot) #​49988
• [586becb507] - tools: run coverage CI only on relevant files (Antoine du Hamel) #​50349
• [2d06eea6c5] - tools: update eslint to 8.52.0 (Node.js GitHub Bot) #​50326
• [6a897baf16] - tools: update lint-md-dependencies (Node.js GitHub Bot) #​50190
• [e6e7f39b9e] - util: improve performance of normalizeEncoding (kylo5aby) #​50721
• [3b6b1afa47] - v8,tools: expose necessary V8 defines (Cheng Zhao) #​50820
• [2664012617] - vm: allow dynamic import with a referrer realm (Chengzhong Wu) #​50360
• [c6c0a74b54] - wasi: document security sandboxing status (Guy Bedford) #​50396
• [989814093e] - win,tools: upgrade Windows signing to smctl (Stefan Stojanovic) #​50956

v20.10.0: 2023-11-22, Version 20.10.0 'Iron' (LTS), @​targos

Compare Source

Notable Changes

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default
module system used by Node.js. Input that is already explicitly defined as ES
modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs
file extension or the --input-type flag, is unaffected. What is currently
implicitly CommonJS would instead be interpreted as ES modules under
--experimental-default-type=module:

• String input provided via --eval or STDIN, if --input-type is unspecified.

• Files ending in .js or with no extension, if there is no package.json file
  present in the same folder or any parent folder.

• Files ending in .js or with no extension, if the nearest parent
  package.json field lacks a type field; unless the folder is inside a
  node_modules folder.

In addition, extensionless files are interpreted as Wasm if
--experimental-wasm-modules is passed and the file contains the "magic bytes"
Wasm header.

Contributed by Geoffrey Booth in #​49869.

Detect ESM syntax in ambiguous JavaScript

The new flag --experimental-detect-module can be used to automatically run ES
modules when their syntax can be detected. For “ambiguous” files, which are
.js or extensionless files with no package.json with a type field, Node.js
will parse the file to detect ES module syntax; if found, it will run the file
as an ES module, otherwise it will run the file as a CommonJS module. The same
applies to string input via --eval or STDIN.

We hope to make detection enabled by default in a future version of Node.js.
Detection increases startup time, so we encourage everyone—especially package
authors—to add a type field to package.json, even for the default
"type": "commonjs". The presence of a type field, or explicit extensions
such as .mjs or .cjs, will opt out of detection.

Contributed by Geoffrey Booth in #​50096.

New flush option in file system functions

When writing to files, it is possible that data is not immediately flushed to
permanent storage. This allows subsequent read operations to see stale data.
This PR adds a 'flush' option to the fs.writeFile family of functions which
forces the data to be flushed at the end of a successful write operation.

Contributed by Colin Ihrig in #​50009 and #​50095.

Experimental WebSocket client

Adds a --experimental-websocket flag that adds a WebSocket
global, as standardized by WHATWG.

Contributed by Matthew Aitken in #​49830.

vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script
stopped hitting the V8 compilation cache after v16.x when support for
importModuleDynamically was added to vm.Script, resulting in a performance
regression that blocked users (in particular Jest users) from upgrading from
v16.x.

The recent fixes allow the compilation cache to be hit again
for vm.Script when --experimental-vm-modules is not used even in the
presence of the importModuleDynamically option, so that users affected by the
performance regression can now upgrade. Ongoing work is also being done to
enable compilation cache support for vm.CompileFunction.

Contributed by Joyee Cheung in #​49950
and #​50137.

Other notable changes

• [21453ae555] - (SEMVER-MINOR) deps: update uvwasi to 0.0.19 (Node.js GitHub Bot) #​49908
• [ee65e44c31] - esm: use import attributes instead of import assertions (Antoine du Hame

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[wiz-inc-48d099cbad]

Wiz Scan Summary

IaC Misconfigurations
Vulnerabilities
Total
Secrets