Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Node.js to v12.21.0 #236

Merged
merged 1 commit into from
Feb 25, 2021
Merged

Update Node.js to v12.21.0 #236

merged 1 commit into from
Feb 25, 2021

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Feb 11, 2021
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Type Update Change
node volta minor 12.20.1 -> 12.21.0

Release Notes

nodejs/node

v12.21.0

Compare Source

This is a security release.

Notable changes

Vulnerabilities fixed:

  • CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
    • Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
  • CVE-2021-22884: DNS rebinding in --inspect
    • Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
  • CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Commits

v12.20.2

Compare Source

Notable changes
  • deps:
    • upgrade npm to 6.14.11 (Ruy Adorno) #​37173
Commits

Renovate configuration

📅 Schedule: "after 10pm every weekday,before 5am every weekday,every weekend" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/node-12.x branch from 80a1eac to 4ef1714 Compare February 23, 2021 13:38
@renovate renovate bot changed the title Update Node.js to v12.20.2 Update Node.js to v12.21.0 Feb 23, 2021
@renovate renovate bot force-pushed the renovate/node-12.x branch from 4ef1714 to 75b247c Compare February 25, 2021 00:25
@drewlee drewlee merged commit 50e5b51 into master Feb 25, 2021
@renovate renovate bot deleted the renovate/node-12.x branch February 25, 2021 00:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
internal
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@drewlee @renovate-bot