* Tue Jun 30 2026 amajer@suse.com
- Update to 24.18.0 (bsc#1269825)
* doc: update blockList stability status to release candidate
* fs: support caller-supplied readFile() buffers
* http: close pre-request sockets in closeIdleConnections
* loader: implement package maps
* net: support TCP_KEEPINTVL and TCP_KEEPCNT in setKeepAlive
* tls: add certificateCompression option
* vfs: dispatch node:fs/promises to mounted VFS instances
* vfs: add minimal node:vfs subsystem
- fix_ci_tests.patch: refreshed
- ip-address-bsc1268097.patch: dropped upstreamed
* Tue Jun 23 2026 adam.majer@suse.de
- Update to 24.17.0
(CVE-2026-48618, bsc#1268593) tls: normalize hostname for server identity checks
(CVE-2026-48933, bsc#1268592) crypto: guard WebCrypto cipher output length
(CVE-2026-48615, bsc#1268598) lib,test: redact proxy credentials in tunnel errors
(CVE-2026-48619, bsc#1268618) http2: cap originSet size to prevent unbounded memory growth
(CVE-2026-48928, bsc#1268605) tls: fix case-sensitive SNI context matching
(CVE-2026-48930, bsc#1268606) dns,net: reject hostnames with embedded NUL bytes
(CVE-2026-48934, bsc#1268608) tls: bind reusable sessions to authenticated host
(CVE-2026-48617, bsc#1268554) permission: handle process.chdir on writereport
(CVE-2026-48931, bsc#1268611) http: fix response queue poisoning in http.Agent
(CVE-2026-48935, bsc#1268609) permission: disable FileHandle utimes with permission model
(CVE-2026-48937, bsc#1268555) http2: servers keep accepting data even after sending a `GOAWAY` frame
(CVE-2026-12151, bsc#1268482) undici: Denial of Service due to unbounded memory growth via WebSocket frames
(CVE-2026-6733, bsc#1268479) undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery
(CVE-2026-9679, bsc#1268477) undici: vulnerable to HTTP header injection via Set-Cookie percent-decoding
(CVE-2026-11525, bsc#1268481) undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
(CVE-2026-2581, bsc#1268480) undici: Denial of Service due to uncontrolled resource consumption
(CVE-2026-9678, bsc#1268478) undici: Information disclosure due to improper cache-control header parsing
(CVE-2026-27135, bsc#1259853) nghttp2: assertion failure due to missing state validation can lead to DoS
- ngtcp2_bsc1262274.patch: (CVE-2026-40170, bsc#1262274) - ngtcp2: qlog parameters_set stack buffer overflow.
- pacote-bsc1266318.patch: (CVE-2026-9496, bsc#1266318) - pacote: excessive CPU consumption in `addGitSha` when processing a specially crafted `spec.rawSpec` value can lead to DoS
- ip-address-bsc1268097.patch: (CVE-2026-42338, bsc#1268097) - ip-address: Cross-site scripting via improper HTML escaping of untrusted input
- fix_ci_tests.patch: rebased
- For changes in older versions, see
https://github.com/nodejs/node/releases
* Tue Apr 21 2026 adam.majer@suse.de
- Remove update-alternatives from scriptlets if not available.
This code is only there to remove update-alternatives
* Wed Apr 15 2026 dimstar@opensuse.org
- Explicitly BuildRequire update-alternatives and mark it as being
used in post/postun: this was nicely masked by the fact that
binutils, installed on every system, already dragged u-a in,
which is no longer the case.
* Wed Apr 15 2026 rguenther@suse.com
- Add -fno-lifetime-dse to CXXFLAGS to avoid
parallel/test-snapshot-reproducible testsuite failure with GCC 16
Version: 24.14.1-160000.1.1
* Mon Mar 30 2026 adam.majer@suse.de
- Update to 24.14.1:
* use null prototype for headersDistinct/trailersDistinct (CVE-2026-21710, bsc#1260455)
* wrap SNICallback invocation in try/catch (CVE-2026-21637, bsc#1256576)
* test array index hash collision (CVE-2026-21717, bsc#1260494)
* use timing-safe comparison in Web Cryptography HMAC and KMAC (CVE-2026-21713, bsc#1260463)
* handle NGHTTP2_ERR_FLOW_CONTROL error code (CVE-2026-21714, bsc#1260480)
* handle url crash on different url formats (CVE-2026-21712, bsc#1260460)
* include permission check on lib/fs/promises (CVE-2026-21716, bsc#1260462)
* add permission check to realpath.native (CVE-2026-21715, bsc#1260482)
- Changes in versino 24.14.0:
* async_hooks: add trackPromises option to createHook()
* build,deps: replace cjs-module-lexer with merve
* deps: add LIEF as a dependency
* events: repurpose events.listenerCount() to accept EventTargets
* fs: add ignore option to fs.watch
* http: add http.setGlobalProxyFromEnv()
* module: allow subpath imports that start with #/
* process: preserve AsyncLocalStorage in queueMicrotask only when needed
* sea: split sea binary manipulation code
* sqlite: enable defensive mode by default
* sqlite: add sqlite prepare options args
* src: add initial support for ESM in embedder API
* stream: add bytes() method to node:stream/consumers
* stream: do not pass readable.compose() output via Readable.from()
* test: use fixture directories for sea tests
* test_runner: add env option to run function
* test_runner: support expecting a test-case to fail
* util: add convertProcessSignalToExitCode utility
for details, see https://nodejs.org/en/blog/release/v24.14.0
- npm-path-normalization.patch: upstreamed, dropped
- 61008.patch: upstreamed, dropped
Version: 24.13.0-160000.1.1
* Thu Jan 22 2026 adam.majer@suse.de
- 61008.patch: fix ppc64le build
- node-gyp-addon-gypi.patch: fix build of binary modules
* Thu Jan 15 2026 adam.majer@suse.de
- Update to 24.13.0:
* deps: updated undici to 7.18.2 (bsc#1256848, CVE-2026-22036)
* deps: updated bundled c-ares to 1.34.6 (if used)
* add TLSSocket default error handler (bsc#1256573, CVE-2025-59465)
* disable futimes when permission model is enabled (bsc#1256571, CVE-2025-55132)
* require full read and write to symlink APIs (bsc#1256569, CVE-2025-55130)
* rethrow stack overflow exceptions in async_hooks (bsc#1256574, CVE-2025-59466)
* refactor unsafe buffer creation to remove zero-fill toggle (bsc#1256570, CVE-2025-55131)
* route callback exceptions through error handlers (bsc#1256576, CVE-2026-21637)
* Mon Dec 15 2025 adam.majer@suse.de
- npm-path-normalization.patch: patch npm bug that causes build
failure wit localhost-npm-registry
* Thu Dec 11 2025 adam.majer@suse.de
- Update to 24.12.0 (bsc#1256572, CVE-2025-59464):
* http: add optimizeEmptyRequests server option
* lib: add options to util.deprecate
* module: mark type stripping as stable
* node-api: add napi_create_object_with_properties
* sqlite: allow setting defensive flag
* src: add watch config namespace
* src: add an option to make compile cache portable
* src,permission: add --allow-inspector ability
* v8: add cpu profile
for details, see https://nodejs.org/en/blog/release/v24.12.0
- nodejs-libpath.patch: refreshed
- fix_ci_tests.patch: add fix on 32bit platforms
* Mon Dec 08 2025 adam.majer@suse.de
- Add support for ICU 77.1
* Tue Dec 02 2025 adam.majer@suse.de
- icu_781.patch: Add support for ICU 78.1
- bundle nghttp2 for TW, as upstream is carrying a patch on-top
due to changes in nghttp2. See:
https://github.com/nodejs/node/issues/60661
* Tue Dec 02 2025 adam.majer@suse.de
- v8_nameclash.patch: Backport fix
* Mon Nov 24 2025 adam.majer@suse.de
- Initial package for nodejs 24.11.1
For changes since 22.x, please see https://nodejs.org/en/blog
or documentation https://nodejs.org/docs/latest-v24.x/api/documentation.html
- Inherit patches form 22.21.1
* fix_ci_tests.patch, flaky_test_rerun.patch, node-gyp-addon-gypi.patch,
nodejs-libpath.patch, npm_search_paths.patch, versioned.patch
* Mon Nov 24 2025 adam.majer@suse.de
- Update to 22.21.1:
* src: avoid unnecessary string -> char* -> string round trips
* src: remove unnecessary shadowed functions on Utf8Value & BufferValue
* process: fix hrtime fast call signatures
* http: improve writeEarlyHints by avoiding for-of loop
- Update to 22.21.0:
* cli: add --use-env-proxy
* http: support http proxy for fetch under NODE_USE_ENV_PROXY
* http: add shouldUpgradeCallback to let servers control HTTP upgrades
* http,https: add built-in proxy support in http/https.request and Agent
* src: add percentage support to --max-old-space-size
- fix_ci_tests.patch: disable geopoly and fts3 sqlite tests as our
sqlite does not support these optional features. Use fts4 instead.
* Tue Oct 14 2025 adam.majer@suse.de
- Update to 22.20.0
* doc: stabilize --disable-sigusr1
* doc: mark path.matchesGlob as stable
* http: add Agent.agentKeepAliveTimeoutBuffer option
* http2: add support for raw header arrays in h2Stream.respond()
* inspector: add http2 tracking support
* sea: implement execArgvExtension
* sea: support execArgv in sea config
* stream: add brotli support to CompressionStream and DecompressionStream
* test_runner: support object property mocking
* worker: add cpu profile APIs for worker
- Update to 22.19.0
* cli: add NODE_USE_SYSTEM_CA=1
* cli: support ${pid} placeholder in --cpu-prof-name
* crypto: add tls.setDefaultCACertificates()
* dns: support max timeout
* doc: update the instruction on how to verify releases
* esm: unflag --experimental-wasm-modules
* http: add server.keepAliveTimeoutBuffer option
* lib: docs deprecate _http_*
* net: update net.blocklist to allow file save and file management
* process: add threadCpuUsage
* zlib: add dictionary support to zstdCompress and zstdDecompress
- Update to 22.18.0:
* deps: update amaro to 1.1.0
* doc: add all watch-mode related flags to node.1
* doc: add islandryu to collaborators
* esm: implement import.meta.main
* fs: allow correct handling of burst in fs-events with AsyncIterator
* permission: propagate permission model flags on spawn
* sqlite: add support for readBigInts option in db connection level
* src,permission: add support to permission.has(addon)
* url: add fileURLToPathBuffer API
* watch: add --watch-kill-signal flag
* worker: make Worker async disposable
- for older changes, please see https://nodejs.org/en/blog