chore(deps): update dependency node to v20.11.1 #2115

Merged
konrad merged 2 commits from renovate/node-20.x into main 2024-03-10 12:24:08 +00:00
Member

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| node (source) | | patch | 20.11.0 -> 20.11.1 |
| node | docker | patch | 20.11.0-alpine -> 20.11.1-alpine |
| node | stage | patch | 20.11.0-alpine -> 20.11.1-alpine |

Release Notes

nodejs/node (node)

v20.11.1: 2024-02-14, Version 20.11.1 'Iron' (LTS), @RafaelGSS prepared by @marco-ippolito

Notable changes

This is a security release.

  • CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities - (High)
  • CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)
  • CVE-2024-21896 - Path traversal by monkey-patching Buffer internals - (High)
  • CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
  • CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
  • CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
  • CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write - (Medium)
  • CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
  • undici version 5.28.3
  • libuv version 1.48.0
  • OpenSSL version 3.0.13+quic1

Commits
  • [[`7079c062bb`](https://github.com/nodejs/node/commit/7079c062bb)] - **crypto**: disable PKCS#1 padding for privateDecrypt (Michael Dawson) [nodejs-private/node-private#525](https://github.com/nodejs-private/node-private/pull/525)
  • [[`186a6e1ffb`](https://github.com/nodejs/node/commit/186a6e1ffb)] - **deps**: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) [#51737](https://github.com/nodejs/node/pull/51737)
  • [[`686da19abb`](https://github.com/nodejs/node/commit/686da19abb)] - **deps**: disable io_uring support in libuv by default (Tobias Nießen) [nodejs-private/node-private#529](https://github.com/nodejs-private/node-private/pull/529)
  • [[`f7b44bfbce`](https://github.com/nodejs/node/commit/f7b44bfbce)] - **deps**: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://github.com/nodejs/node/pull/51614)
  • [[`7a30fecea2`](https://github.com/nodejs/node/commit/7a30fecea2)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) [#51614](https://github.com/nodejs/node/pull/51614)
  • [[`480fc169a8`](https://github.com/nodejs/node/commit/480fc169a8)] - **fs**: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) [nodejs-private/node-private#497](https://github.com/nodejs-private/node-private/pull/497)
  • [[`77ac7c3153`](https://github.com/nodejs/node/commit/77ac7c3153)] - **http**: add maximum chunk extension size (Paolo Insogna) [nodejs-private/node-private#519](https://github.com/nodejs-private/node-private/pull/519)
  • [[`ed7d149675`](https://github.com/nodejs/node/commit/ed7d149675)] - **lib**: use cache fs internals against path traversal (RafaelGSS) [nodejs-private/node-private#516](https://github.com/nodejs-private/node-private/pull/516)
  • [[`89bd5fc38f`](https://github.com/nodejs/node/commit/89bd5fc38f)] - **lib**: update undici to v5.28.3 (Matteo Collina) [nodejs-private/node-private#539](https://github.com/nodejs-private/node-private/pull/539)
  • [[`d01dd4291d`](https://github.com/nodejs/node/commit/d01dd4291d)] - **permission**: fix wildcard when children > 1 (Rafael Gonzaga) [#51209](https://github.com/nodejs/node/pull/51209)
  • [[`40ff37dfcc`](https://github.com/nodejs/node/commit/40ff37dfcc)] - **src**: fix HasOnly(capability) in node::credentials (Tobias Nießen) [nodejs-private/node-private#505](https://github.com/nodejs-private/node-private/pull/505)
  • [[`3f6addd590`](https://github.com/nodejs/node/commit/3f6addd590)] - **src,deps**: disable setuid() etc if io_uring enabled (Tobias Nießen) [nodejs-private/node-private#529](https://github.com/nodejs-private/node-private/pull/529)
  • [[`d6da413aa4`](https://github.com/nodejs/node/commit/d6da413aa4)] - **test,doc**: clarify wildcard usage (RafaelGSS) [nodejs-private/node-private#517](https://github.com/nodejs-private/node-private/pull/517)
  • [[`c213910aea`](https://github.com/nodejs/node/commit/c213910aea)] - **zlib**: pause stream if outgoing buffer is full (Matteo Collina) [nodejs-private/node-private#541](https://github.com/nodejs-private/node-private/pull/541)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

renovate added the dependencies label 2024-02-14 18:05:22 +00:00
renovate added 1 commit 2024-02-14 18:05:24 +00:00
continuous-integration/drone/pr Build is failing Details
c52672249a
chore(deps): update dependency node to v20.11.1
Member

Hi renovate!

Thank you for creating a PR!

I've deployed the changes of this PR on a preview environment under this URL: https://2115-renovate-node-20-x--vikunja-frontend-preview.netlify.app

You can use this url to view the changes live and test them out.
You will need to manually connect this to an api running somewhere. The easiest to use is https://try.vikunja.io/.

Have a nice day!

Beep boop, I'm a bot.

renovate force-pushed renovate/node-20.x from c52672249a to 2dc9b89137 2024-02-15 23:05:28 +00:00 Compare
renovate force-pushed renovate/node-20.x from 2dc9b89137 to f416df23bc 2024-02-25 23:05:39 +00:00 Compare
renovate force-pushed renovate/node-20.x from f416df23bc to 78fcf74aca 2024-02-27 19:05:15 +00:00 Compare
renovate force-pushed renovate/node-20.x from 78fcf74aca to 555bacb718 2024-03-10 12:02:28 +00:00 Compare
konrad added 1 commit 2024-03-10 12:11:33 +00:00
continuous-integration/drone/pr Build is passing Details
25fa7d8670
chore(deps): sign drone config
konrad merged commit 25742385ba into main 2024-03-10 12:24:08 +00:00
konrad deleted branch renovate/node-20.x 2024-03-10 12:24:09 +00:00
Reference: vikunja/vikunja#2115