News from 2020

• 02 Jun Node v10.21.0 (LTS)

  This is a security release.

  Vulnerabilities fixed:

  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
  • CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).

  Read more...

• 02 Jun Node v12.18.0 (LTS)

  This is a security release.

  Vulnerabilities fixed:

  • CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).

  Read more...

• 02 Jun Node v14.4.0 (Current)

  This is a security release.

  Vulnerabilities fixed:

  • CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
  • CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
  • CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).

  Read more...

• 02 Jun June 2020 Security Releases

  Updates are now available for all supported Node.js release lines for the following issues.

  The 'session' event could be emitted before the 'secureConnect' event. It should not be, because the connection may fail to be authorized. If it was saved an authorized connection could be established later with the session ticket. Note that the https agent caches sessions, so is vulnerable to this.

  Read more...

• 26 May Node v12.17.0 (LTS)

  ECMAScript Modules - --experimental-modules flag removal

  Read more...

• 19 May Node v14.3.0 (Current)

  REPL previews improvements with autocompletion

  Read more...

• 05 May Node v14.2.0 (Current)

  Track function calls with assert.CallTracker (experimental)

  Read more...

• 30 Apr Node v13.14.0 (Current)
  • async_hooks:
    • Merge run and exit methods (Andrey Pechkurov) #31950
    • Prevent sync methods of async storage exiting outer context (Stephen Belanger) #31950
  • vm:
    • Add importModuleDynamically option to compileFunction (Gus Caplan) #32985

  Read more...

• 29 Apr Node v14.1.0 (Current)
  • deps: upgrade openssl sources to 1.1.1g (Hassaan Pasha) #32971
  • doc: add juanarbol as collaborator (Juan José Arboleda) #32906
  • http: doc deprecate abort and improve docs (Robert Nagy) #32807
  • module: do not warn when accessing __esModule of unfinished exports (Anna Henningsen) #33048
  • n-api: detect deadlocks in thread-safe function (Gabriel Schulhof) #32860
  • src: deprecate embedder APIs with replacements (Anna Henningsen) #32858
  • stream:
    • don't emit end after close (Robert Nagy) #33076
    • don't wait for close on legacy streams (Robert Nagy) #33058
    • pipeline should only destroy un-finished streams (Robert Nagy) #32968
  • vm: add importModuleDynamically option to compileFunction (Gus Caplan) #32985

  Read more...

• 28 Apr Node v12.16.3 (LTS)
  • Dependencies:
    • Updated OpenSSL to 1.1.1g (Hassaan Pasha) #32971.
    • Updated c-ares to 1.16.0 (Anna Henningsen) #32246.
    • Updated experimental uvwasi to 0.0.6 (Colin Ihrig) #32309.
  • ESM (experimental):
    • Additional warnings are no longer printed for modules that use conditional exports or package name self resolution (Guy Bedford) #31845.

  Read more...

• 22 Apr Node v14.0.0 (Current)
• 21 Apr OpenSSL security releases do not require Node.js security releases
• 14 Apr Node v13.13.0 (Current)
• 12 Apr Node v10.20.1 (LTS)
• 08 Apr Node v12.16.2 (LTS)
• 08 Apr Node v10.20.0 (LTS)
• 03 Apr Changes to Release Schedule
• 26 Mar Node v13.12.0 (Current)
• 12 Mar Node v13.11.0 (Current)
• 05 Mar Node v13.10.1 (Current)
• 04 Mar Node v13.10.0 (Current)
• 18 Feb Node v13.9.0 (Current)
• 18 Feb Node v12.16.1 (LTS)
• 11 Feb Node v12.16.0 (LTS)
• 06 Feb February 2020 Security Releases
• 06 Feb Node v13.8.0 (Current)
• 06 Feb Node v12.15.0 (LTS)
• 06 Feb Node v10.19.0 (LTS)
• 21 Jan Node v13.7.0 (Current)
• 09 Jan Node v10.18.1 (LTS)
• 07 Jan Node v13.6.0 (Current)
• 07 Jan Node v12.14.1 (LTS)