mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2026-06-22 10:02:15 +00:00
5bd855709b
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `24.16.0` → `24.17.0` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.17.0`](https://github.com/nodejs/node/releases/tag/v24.17.0): 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95 [Compare Source](https://github.com/nodejs/node/compare/v24.16.0...v24.17.0) This is a security release. ##### Notable Changes - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low ##### Commits - \[[`9e4dfc7bba`](9e4dfc7bba)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878) - \[[`cb2aed980c`](cb2aed980c)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890) - \[[`a8a0d12875`](a8a0d12875)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#​62891](https://github.com/nodejs/node/pull/62891) - \[[`66e6203c1c`](66e6203c1c)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#​62891](https://github.com/nodejs/node/pull/62891) - \[[`dd627ced27`](dd627ced27)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#​63820](https://github.com/nodejs/node/pull/63820) - \[[`684bae568f`](684bae568f)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#​63820](https://github.com/nodejs/node/pull/63820) - \[[`3a631e7f83`](3a631e7f83)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#​62656](https://github.com/nodejs/node/pull/62656) - \[[`cf44df3996`](cf44df3996)] - **deps**: update undici to 7.28.0 (Node.js GitHub Bot) [#​63703](https://github.com/nodejs/node/pull/63703) - \[[`138c70294b`](138c70294b)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868) - \[[`be7e719c3f`](be7e719c3f)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846) - \[[`cc7c11b4d1`](cc7c11b4d1)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855) - \[[`9224427b92`](9224427b92)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867) - \[[`cf85d54839`](cf85d54839)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873) - \[[`a1bbc24f96`](a1bbc24f96)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870) - \[[`e3723ff2d6`](e3723ff2d6)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) - \[[`a77af4867b`](a77af4867b)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) - \[[`31beb4f707`](31beb4f707)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857) - \[[`8e75c73f91`](8e75c73f91)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIyMi4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13144 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
1 line
No EOL
7 B
Text
1 line
No EOL
7 B
Text
24.17.0 |