Skip to content

chore(deps): update node.js

Renovate-Bot requested to merge renovate/node-18.x into dev

This MR contains the following updates:

Package Type Update Change
node minor 18.17 -> 18.20
node image minor 18.17-alpine -> 18.20-alpine

Release Notes



Compare Source

This is a security release.

Notable Changes
  • CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows


Compare Source

This is a security release.

Notable Changes
  • CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
  • CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
  • llhttp version 9.2.1
  • undici version 5.28.4


Compare Source

Notable Changes
Added support for import attributes

Support has been added for import attributes, to replace the old import assertions syntax. This will aid migration by making the new syntax available across all currently supported Node.js release lines.

This adds the with keyword which should be used in place of the previous assert keyword, which will be removed in a future semver-major Node.js release.

For example,

import "foo" assert { ... }

should be replaced with

import "foo" with { ... }

For more details, see

Contributed by Nicolò Ribaudo in #​51136 and Antoine du Hamel in #​50140.

Doc deprecation for dirent.path

Please use newly added dirent.parentPath instead.

Contributed by Antoine du Hamel in #​50976 and #​51020.

Experimental node-api feature flags

Introduces an experimental feature to segregate finalizers that affect GC state. A new type called node_api_nogc_env has been introduced as the const version of napi_env and node_api_nogc_finalize as a variant of napi_finalize that accepts a node_api_nogc_env as its first argument.

This feature can be turned off by defining NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT.

Contributed by Gabriel Schulhof in #​50060.

Root certificates updated to NSS 3.98

Certificates added:

  • Telekom Security TLS ECC Root 2020
  • Telekom Security TLS RSA Root 2023

Certificates removed:

  • Security Communication Root CA
Updated dependencies
  • ada updated to 2.7.6.
  • base64 updated to 0.5.2.
  • c-ares updated to 1.27.0.
  • corepack updated to 0.25.2.
  • ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
  • npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
  • simdutf8 updated to 4.0.8.
  • Timezone updated to 2024a.
  • zlib updated to
vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script stopped hitting the V8 compilation cache after v16.x when support for importModuleDynamically was added to vm.Script, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x.

The recent fixes allow the compilation cache to be hit again for vm.Script when --experimental-vm-modules is not used even in the presence of the importModuleDynamically option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for vm.CompileFunction.

Contributed by Joyee Cheung in #​49950 and #​50137.



Compare Source

Notable changes

This is a security release.

Notable changes
  • CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
  • CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
  • CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#​1 v1.5 padding) - (Medium)
  • CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
  • undici version 5.28.3
  • npm version 10.2.4


Compare Source

Notable Changes
npm updated to v10

After two months of baking time in Node.js 20, npm 10 is backported, so that all release lines include a supported version of npm. This release includes npm v10.2.3.

Refer to nodejs/Release#​884 for the plan to land npm 10.

ESM and customization hook changes
Leverage loaders when resolving subsequent loaders

Loaders now apply to subsequent loaders, for example: --experimental-loader ts-node --experimental-loader loader-written-in-typescript.

Contributed by Maël Nison in #​43772.

New node:module API register for module customization hooks; new initialize hook

There is a new API register available on node:module to specify a file that exports module customization hooks, and pass data to the hooks, and establish communication channels with them. The “define the file with the hooks” part was previously handled by a flag --experimental-loader, but when the hooks moved into a dedicated thread in 20.0.0 there was a need to provide a way to communicate between the main (application) thread and the hooks thread. This can now be done by calling register from the main thread and passing data, including MessageChannel instances.

We encourage users to migrate to an approach that uses --import with register, such as:

node --import ./file-that-calls-register.js ./app.js

Using --import ensures that the customization hooks are registered before any application code runs, even the entry point.

Contributed by João Lenon and Jacob Smith in #​46826, Izaak Schroeder and Jacob Smith in #​48842 and #​48559.

import.meta.resolve unflagged

In ES modules, import.meta.resolve(specifier) can be used to get an absolute URL string to which specifier resolves, similar to require.resolve in CommonJS. This aligns Node.js with browsers and other server-side runtimes.

Contributed by Guy Bedford in #​49028.

--experimental-default-type flag to flip module defaults

The new flag --experimental-default-type can be used to flip the default module system used by Node.js. Input that is already explicitly defined as ES modules or CommonJS, such as by a package.json "type" field or .mjs/.cjs file extension or the --input-type flag, is unaffected. What is currently implicitly CommonJS would instead be interpreted as ES modules under --experimental-default-type=module:

  • String input provided via --eval or STDIN, if --input-type is unspecified.

  • Files ending in .js or with no extension, if there is no package.json file present in the same folder or any parent folder.

  • Files ending in .js or with no extension, if the nearest parent package.json field lacks a type field; unless the folder is inside a node_modules folder.

In addition, extensionless files are interpreted as Wasm if --experimental-wasm-modules is passed and the file contains the "magic bytes" Wasm header.

Contributed by Geoffrey Booth in #​49869.

Other ESM-related changes
  • [ed2d46f4cc] - doc: move and rename loaders section (Geoffrey Booth) #​49261
  • [92734d4480] - esm: use import attributes instead of import assertions (Antoine du Hamel) #​50140
  • [e96f7ef881] - (SEMVER-MINOR) vm: use import attributes instead of import assertions (Antoine du Hamel) #​50141
Test runner changes

Many changes to the built-in test runner have been backported. This includes the following additions:

Other notable changes
  • [0c4a84e8e9] - (SEMVER-MINOR) deps: update uvwasi to 0.0.19 (Node.js GitHub Bot) #​49908
  • [fae60c5841] - stream: use bitmap in readable state (Benjamin Gruenbaum) #​49745
  • [17246be158] - (SEMVER-MINOR) lib: add api to detect whether source-maps are enabled (翠 / green) #​46391
  • [2e9f7284a1] - (SEMVER-MINOR) lib: add tracing channel to diagnostics_channel (Stephen Belanger) #​44943
  • [cc7bf1f641] - (SEMVER-MINOR) src: add cjs_module_lexer_version base64_version (Jithil P Ponnan) #​45629
  • [b5d16cd8f0] - (SEMVER-MINOR) tls: add ALPNCallback server option for dynamic ALPN negotiation (Tim Perry) #​45190


Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.



Compare Source

Notable Changes

This release addresses some regressions that appeared in Node.js 18.18.0:

  • (Windows) FS can not handle certain characters in file name #​48673
  • 18 and 20 node images give error - Text file busy (after re-build images) nodejs/docker-node#​1968
  • libuv update in 18.18.0 breaks webpack's thread-loader #​49911

The libuv 1.45.0 and 1.46.0 updates that were released in Node.js 18.18.0 have been temporarily reverted.



Compare Source

Notable Changes


📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This MR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this MR, click this checkbox.

This MR has been generated by Renovate Bot.

Edited by Renovate-Bot

Merge request reports