Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): update node.js to v18.15.0 #247

Closed
wants to merge 3 commits into from
Closed

Conversation

balena-ci
Copy link
Contributor

@balena-ci balena-ci commented Feb 3, 2023

This PR contains the following updates:

Package Type Update Change
node final minor 18.12.1-bullseye-slim -> 18.15.0-bullseye-slim

Release Notes

nodejs/node

v18.15.0: 2023-03-07, Version 18.15.0 'Hydrogen' (LTS), @​BethGriggs prepared by @​juanarbol

Compare Source

Notable Changes
Commits

v18.14.2: 2023-02-21, Version 18.14.2 'Hydrogen' (LTS), @​MylesBorins

Compare Source

Notable Changes
Commits

v18.14.1: 2023-02-16, Version 18.14.1 'Hydrogen' (LTS), @​RafaelGSS prepared by @​juanarbol

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

  • CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
  • CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
  • CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
  • CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
  • CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post.

This security release includes OpenSSL security updates as outlined in the recent
OpenSSL security advisory.

Commits

v18.14.0: 2023-02-02, Version 18.14.0 'Hydrogen' (LTS), @​BethGriggs prepared by @​juanarbol

Compare Source

Notable changes
Updated npm to 9.3.1

Based on the list of guidelines we've established on integrating npm and node,
here is a grouped list of the breaking changes with the reasoning as to why they
fit within the guidelines linked above. Note that all the breaking changes were
made in 9.0.0.
All subsequent minor and patch releases after npm@9.0.0 do not contain any
breaking changes.

Engines

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

  • npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0
Filesystem

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

  • npm will no longer attempt to modify ownership of files it creates.
Auth

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

  • The presence of auth related settings that are not scoped to a specific
    registry found in a config file is no longer supported and will throw errors.
Login

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacy. login and adduser have also been seperated making each command more closely match it's name instead of being aliases for each other.

  • Legacy auth types sso, saml & legacy have been consolidated into "legacy".
  • auth-type defaults to "web"
  • login and adduser are now separate commands that send different data to the registry.
  • auth-type config values web and legacy only try their respective methods,
    npm no longer tries them all and waits to see which one doesn't fail.
Tarball Packing

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

  • npm pack now follows a strict order of operations when applying ignore rules.
    If a files array is present in the package.json, then rules in .gitignore
    and .npmignore files from the root will be ignored.
Display/Debug/Timing Info

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

  • Links generated from git urls will now use HEAD instead of master as the default ref.
  • timing has been removed as a value for --loglevel.
  • --timing will show timing information regardless of --loglevel, except when --silent.
  • When run with the --timing flag, npm now writes timing data to a file
    alongside the debug log data, respecting the logs-dir option and falling
    back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
  • The timing file data is no longer newline delimited JSON, and instead each run
    will create a uniquely named <ID>-timing.json file, with the <ID> portion
    being the same as the debug log.
  • npm now outputs some json errors on stdout. Previously npm would output
    all json formatted errors on stderr, making it difficult to parse as the
    stderr stream usually has logs already written to it.
Config/Command Deprecations or Removals

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

  • Deprecate boolean install flags in favor of --install-strategy.
  • npm config set will no longer accept deprecated or invalid config options.
  • install-links config defaults to "true".
  • node-version config has been removed.
  • npm-version config has been removed.
  • npm access subcommands have been renamed.
  • npm birthday has been removed.
  • npm set-script has been removed.
  • npm bin has been removed (use npx or npm exec to execute binaries).
Other notable changes
  • doc:
    • add parallelism note to os.cpus() (Colin Ihrig) #​45895
  • http:
    • join authorization headers (Marco Ippolito) #​45982
    • improved timeout defaults handling (Paolo Insogna) #​45778
  • stream:
    • implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) #​46205
Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@balena-ci balena-ci added dependencies Pull requests that update a dependency file renovate minor final labels Feb 3, 2023
@balena-ci balena-ci changed the title chore(deps): update node.js to v18.14.0 chore(deps): update node.js to v18.14.1 Feb 17, 2023
@balena-ci balena-ci changed the title chore(deps): update node.js to v18.14.1 chore(deps): update node.js to v18.14.2 Feb 22, 2023
@balena-ci balena-ci changed the title chore(deps): update node.js to v18.14.2 chore(deps): update node.js to v18.15.0 Mar 8, 2023
@balena-ci
Copy link
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.

@ab77
Copy link
Contributor

ab77 commented Mar 23, 2023

@klutchell klutchell closed this Sep 7, 2023
auto-merge was automatically disabled September 7, 2023 15:21

Pull request was closed

@klutchell klutchell deleted the renovate/node-18.x branch September 7, 2023 15:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file final minor renovate
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants