Package Release Info

nodejs24-24.18.0-160000.1.1

Update Info: Base Release
Available in Package Hub : 16.0

platforms

AArch64
ppc64le
s390x
x86-64

subpackages

corepack24

Change Logs

* Tue Jun 30 2026 amajer@suse.com
- Update to 24.18.0 (bsc#1269825)
  * doc: update blockList stability status to release candidate
  * fs: support caller-supplied readFile() buffers
  * http: close pre-request sockets in closeIdleConnections
  * loader: implement package maps
  * net: support TCP_KEEPINTVL and TCP_KEEPCNT in setKeepAlive
  * tls: add certificateCompression option
  * vfs: dispatch node:fs/promises to mounted VFS instances
  * vfs: add minimal node:vfs subsystem
- fix_ci_tests.patch: refreshed
- ip-address-bsc1268097.patch: dropped upstreamed
* Tue Jun 23 2026 adam.majer@suse.de
- Update to 24.17.0
  (CVE-2026-48618, bsc#1268593) tls: normalize hostname for server identity checks
  (CVE-2026-48933, bsc#1268592) crypto: guard WebCrypto cipher output length
  (CVE-2026-48615, bsc#1268598) lib,test: redact proxy credentials in tunnel errors
  (CVE-2026-48619, bsc#1268618) http2: cap originSet size to prevent unbounded memory growth
  (CVE-2026-48928, bsc#1268605) tls: fix case-sensitive SNI context matching
  (CVE-2026-48930, bsc#1268606) dns,net: reject hostnames with embedded NUL bytes
  (CVE-2026-48934, bsc#1268608) tls: bind reusable sessions to authenticated host
  (CVE-2026-48617, bsc#1268554) permission: handle process.chdir on writereport
  (CVE-2026-48931, bsc#1268611) http: fix response queue poisoning in http.Agent
  (CVE-2026-48935, bsc#1268609) permission: disable FileHandle utimes with permission model
  (CVE-2026-48937, bsc#1268555) http2: servers keep accepting data even after sending a `GOAWAY` frame
  (CVE-2026-12151, bsc#1268482) undici: Denial of Service due to unbounded memory growth via WebSocket frames
  (CVE-2026-6733,  bsc#1268479) undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery
  (CVE-2026-9679,  bsc#1268477) undici: vulnerable to HTTP header injection via Set-Cookie percent-decoding
  (CVE-2026-11525, bsc#1268481) undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
  (CVE-2026-2581,  bsc#1268480) undici: Denial of Service due to uncontrolled resource consumption
  (CVE-2026-9678,  bsc#1268478) undici: Information disclosure due to improper cache-control header parsing
  (CVE-2026-27135, bsc#1259853) nghttp2: assertion failure due to missing state validation can lead to DoS
- ngtcp2_bsc1262274.patch: (CVE-2026-40170, bsc#1262274) - ngtcp2: qlog parameters_set stack buffer overflow.
- pacote-bsc1266318.patch: (CVE-2026-9496,  bsc#1266318) - pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS
- ip-address-bsc1268097.patch: (CVE-2026-42338, bsc#1268097) - ip-address: Cross-site scripting via improper HTML escaping of untrusted input
- fix_ci_tests.patch: rebased
- For changes in older versions, see
  https://github.com/nodejs/node/releases
* Tue Apr 21 2026 adam.majer@suse.de
- Remove update-alternatives from scriptlets if not available.
  This code is only there to remove update-alternatives
* Wed Apr 15 2026 dimstar@opensuse.org
- Explicitly BuildRequire update-alternatives and mark it as being
  used in post/postun: this was nicely masked by the fact that
  binutils, installed on every system, already dragged u-a in,
  which is no longer the case.
* Wed Apr 15 2026 rguenther@suse.com
- Add -fno-lifetime-dse to CXXFLAGS to avoid
  parallel/test-snapshot-reproducible testsuite failure with GCC 16
Version: 24.14.1-160000.1.1
* Mon Mar 30 2026 adam.majer@suse.de
- Update to 24.14.1:
  * use null prototype for headersDistinct/trailersDistinct (CVE-2026-21710, bsc#1260455)
  * wrap SNICallback invocation in try/catch (CVE-2026-21637, bsc#1256576)
  * test array index hash collision (CVE-2026-21717, bsc#1260494)
  * use timing-safe comparison in Web Cryptography HMAC and KMAC (CVE-2026-21713, bsc#1260463)
  * handle NGHTTP2_ERR_FLOW_CONTROL error code (CVE-2026-21714, bsc#1260480)
  * handle url crash on different url formats (CVE-2026-21712, bsc#1260460)
  * include permission check on lib/fs/promises (CVE-2026-21716, bsc#1260462)
  * add permission check to realpath.native (CVE-2026-21715, bsc#1260482)
- Changes in versino 24.14.0:
  * async_hooks: add trackPromises option to createHook()
  * build,deps: replace cjs-module-lexer with merve
  * deps: add LIEF as a dependency
  * events: repurpose events.listenerCount() to accept EventTargets
  * fs: add ignore option to fs.watch
  * http: add http.setGlobalProxyFromEnv()
  * module: allow subpath imports that start with #/
  * process: preserve AsyncLocalStorage in queueMicrotask only when needed
  * sea: split sea binary manipulation code
  * sqlite: enable defensive mode by default
  * sqlite: add sqlite prepare options args
  * src: add initial support for ESM in embedder API
  * stream: add bytes() method to node:stream/consumers
  * stream: do not pass readable.compose() output via Readable.from()
  * test: use fixture directories for sea tests
  * test_runner: add env option to run function
  * test_runner: support expecting a test-case to fail
  * util: add convertProcessSignalToExitCode utility
  for details, see https://nodejs.org/en/blog/release/v24.14.0
- npm-path-normalization.patch: upstreamed, dropped
- 61008.patch: upstreamed, dropped
Version: 24.13.0-160000.1.1
* Thu Jan 22 2026 adam.majer@suse.de
- 61008.patch: fix ppc64le build
- node-gyp-addon-gypi.patch: fix build of binary modules
* Thu Jan 15 2026 adam.majer@suse.de
- Update to 24.13.0:
  * deps: updated undici to 7.18.2 (bsc#1256848, CVE-2026-22036)
  * deps: updated bundled c-ares to 1.34.6 (if used)
  * add TLSSocket default error handler (bsc#1256573, CVE-2025-59465)
  * disable futimes when permission model is enabled (bsc#1256571, CVE-2025-55132)
  * require full read and write to symlink APIs (bsc#1256569, CVE-2025-55130)
  * rethrow stack overflow exceptions in async_hooks (bsc#1256574, CVE-2025-59466)
  * refactor unsafe buffer creation to remove zero-fill toggle (bsc#1256570, CVE-2025-55131)
  * route callback exceptions through error handlers (bsc#1256576, CVE-2026-21637)
* Mon Dec 15 2025 adam.majer@suse.de
- npm-path-normalization.patch: patch npm bug that causes build
  failure wit localhost-npm-registry
* Thu Dec 11 2025 adam.majer@suse.de
- Update to 24.12.0 (bsc#1256572, CVE-2025-59464):
  * http: add optimizeEmptyRequests server option
  * lib: add options to util.deprecate
  * module: mark type stripping as stable
  * node-api: add napi_create_object_with_properties
  * sqlite: allow setting defensive flag
  * src: add watch config namespace
  * src: add an option to make compile cache portable
  * src,permission: add --allow-inspector ability
  * v8: add cpu profile
  for details, see https://nodejs.org/en/blog/release/v24.12.0
- nodejs-libpath.patch: refreshed
- fix_ci_tests.patch: add fix on 32bit platforms
* Mon Dec 08 2025 adam.majer@suse.de
- Add support for ICU 77.1
* Tue Dec 02 2025 adam.majer@suse.de
- icu_781.patch: Add support for ICU 78.1
- bundle nghttp2 for TW, as upstream is carrying a patch on-top
  due to changes in nghttp2. See:
  https://github.com/nodejs/node/issues/60661
* Tue Dec 02 2025 adam.majer@suse.de
- v8_nameclash.patch: Backport fix
* Mon Nov 24 2025 adam.majer@suse.de
- Initial package for nodejs 24.11.1
  For changes since 22.x, please see https://nodejs.org/en/blog
  or documentation https://nodejs.org/docs/latest-v24.x/api/documentation.html
- Inherit patches form 22.21.1
  * fix_ci_tests.patch, flaky_test_rerun.patch, node-gyp-addon-gypi.patch,
    nodejs-libpath.patch, npm_search_paths.patch, versioned.patch
* Mon Nov 24 2025 adam.majer@suse.de
- Update to 22.21.1:
  * src: avoid unnecessary string -> char* -> string round trips
  * src: remove unnecessary shadowed functions on Utf8Value & BufferValue
  * process: fix hrtime fast call signatures
  * http: improve writeEarlyHints by avoiding for-of loop
- Update to 22.21.0:
  * cli: add --use-env-proxy
  * http: support http proxy for fetch under NODE_USE_ENV_PROXY
  * http: add shouldUpgradeCallback to let servers control HTTP upgrades
  * http,https: add built-in proxy support in http/https.request and Agent
  * src: add percentage support to --max-old-space-size
- fix_ci_tests.patch: disable geopoly and fts3 sqlite tests as our
  sqlite does not support these optional features. Use fts4 instead.
* Tue Oct 14 2025 adam.majer@suse.de
- Update to 22.20.0
  * doc: stabilize --disable-sigusr1
  * doc: mark path.matchesGlob as stable
  * http: add Agent.agentKeepAliveTimeoutBuffer option
  * http2: add support for raw header arrays in h2Stream.respond()
  * inspector: add http2 tracking support
  * sea: implement execArgvExtension
  * sea: support execArgv in sea config
  * stream: add brotli support to CompressionStream and DecompressionStream
  * test_runner: support object property mocking
  * worker: add cpu profile APIs for worker
- Update to 22.19.0
  * cli: add NODE_USE_SYSTEM_CA=1
  * cli: support ${pid} placeholder in --cpu-prof-name
  * crypto: add tls.setDefaultCACertificates()
  * dns: support max timeout
  * doc: update the instruction on how to verify releases
  * esm: unflag --experimental-wasm-modules
  * http: add server.keepAliveTimeoutBuffer option
  * lib: docs deprecate _http_*
  * net: update net.blocklist to allow file save and file management
  * process: add threadCpuUsage
  * zlib: add dictionary support to zstdCompress and zstdDecompress
- Update to 22.18.0:
  * deps: update amaro to 1.1.0
  * doc: add all watch-mode related flags to node.1
  * doc: add islandryu to collaborators
  * esm: implement import.meta.main
  * fs: allow correct handling of burst in fs-events with AsyncIterator
  * permission: propagate permission model flags on spawn
  * sqlite: add support for readBigInts option in db connection level
  * src,permission: add support to permission.has(addon)
  * url: add fileURLToPathBuffer API
  * watch: add --watch-kill-signal flag
  * worker: make Worker async disposable
- for older changes, please see https://nodejs.org/en/blog