Update Node.js to v14.17.6

[renovate]

This PR contains the following updates:

Package	Update	Change
node	patch	14.17.3 -> 14.17.6

---

Release Notes

nodejs/node

v14.17.6: 2021-08-31, Version 14.17.6 'Fermium' (LTS), @​MylesBorins

Compare Source

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803
and CVE-2021-32804.
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

You can read more about it in:

• CVE-2021-37701
• CVE-2021-37712
• CVE-2021-37713
• CVE-2021-39134
• CVE-2021-39135

Commits

• [5b3f70bfb5] - deps: update archs files for OpenSSL-1.1.1l (Richard Lau) #​39868
• [71372625ae] - deps: upgrade openssl sources to 1.1.1l (Richard Lau) #​39868
• [4276984803] - deps: upgrade npm to 6.14.15 (Darcy Clarke) #​39856

v14.17.5: 2021-08-11, Version 14.17.5 'Fermium' (LTS), @​BethGriggs

Compare Source

This is a security release.

Notable Changes

• CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
  • Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
• CVE-2021-22940: Use after free on close http2 on stream canceling (High)
  • Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22940.
• CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
  • If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Commits

• [4923b59e0b] - deps: update c-ares to 1.17.2 (Beth Griggs) #​39724
• [847a4c6a8a] - deps: reflect c-ares source tree (Beth Griggs) #​39653
• [33208e2f89] - deps: apply missed updates from c-ares 1.17.1 (Beth Griggs) #​39653
• [af5c1af9a4] - http2: add tests for cancel event while client is paused reading (Akshay K) #​39622
• [434872e838] - http2: update handling of rst_stream with error code NGHTTP2_CANCEL (Akshay K) #​39622
• [35b86110e4] - tls: validate "rejectUnauthorized: undefined" (Matteo Collina) nodejs-private/node-private#​276

v14.17.4: 2021-07-29, Version 14.17.4 'Fermium' (LTS), @​richardlau

Compare Source

This is a security release.

Notable Changes

• CVE-2021-22930: Use after free on close http2 on stream canceling (High)
  • Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930

This releases also fixes some regressions with internationalization introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.

Commits

• [86477b2b53] - benchmark: output JSON-compatible numbers (Michaël Zasso) #​38778
• [f9693cf0a0] - benchmark: fix http elapsed time (Antoine du Hamel) #​38743
• [1ab4f81abc] - build: fix building with external builtins (Momtchil Momtchev) #​39091
• [a657f250f1] - build: reconfigure when gyp files change on Windows (Joyee Cheung) #​39066
• [6962c647d6] - Revert "build: work around bug in MSBuild v16.10.0" (Michaël Zasso) #​38977
• [069cf59e56] - build: make build-addons errors fail the build (Richard Lau) #​38983
• [d341561ae0] - build: fix commit-queue default branch (Mary Marchini) #​38998
• [0736dd833a] - build: don't pass python override to V8 build (Richard Lau) #​38969
• [49a000683a] - build: correct Xcode spelling in .gitignore (bl-ue) #​38895
• [1ffbe3d5da] - build: remove outdated dont-land-on-v6.x label (Michaël Zasso) #​38886
• [7f53a0b349] - build: add lto build to CI (Jiawen Geng) #​38567
• [a6f8ba8f0c] - build: allow LTO with Clang 3.9.1+ (Jesse Chan) #​38751
• [b5b1d1fb79] - build: replace non-POSIX test -a|o (Issam E. Maghni) #​38731
• [fc2b1ec308] - child_process: refactor to use validateBoolean (Qingyu Deng) #​38927
• [55ea29eedd] - child_process: retain reference to data with advanced serialization (Anna Henningsen) #​38728
• [716ee1531c] - debugger: rename internal library for clarity (Rich Trott) #​39080
• [b7ee9d8287] - debugger: use ERR_DEBUGGER_STARTUP_ERROR in _inspect.js (Rich Trott) #​39024
• [5d4d23dcf3] - debugger: use error codes in debugger REPL (Rich Trott) #​39024
• [a3991d7c18] - debugger: use ERR_DEBUGGER_ERROR in debugger client (Rich Trott) #​39024
• [052e1c5385] - debugger: removed unused function argument (Rich Trott) #​38850
• [f9a4dcb30c] - debugger: refactor inspect_repl to use primordials (Antoine du Hamel) #​38551
• [ad8056659f] - debugger: refactor to use internal modules (Antoine du Hamel) #​38550
• [b5724a1984] - debugger: disable only the lint rules required by current file state (Rich Trott) #​38529
• [34659f2b7a] - debugger: avoid non-ASCII char in code file (Rich Trott) #​38529
• [ae90756582] - debugger: wrap lines longer than 80 chars (Rich Trott) #​38529
• [b30ff35a36] - debugger: align message with Node.js standard (Rich Trott) #​38400
• [d74d67f207] - debugger: remove unnecessary boilerplate copyright comment (Rich Trott) #​38952
• [e58f938ab3] - debugger: enable linter on internal/inspector/inspect_client (Antoine du Hamel) #​38417
• [249acd5e69] - debugger: reduce scope of eslint disable comment (Rich Trott) #​38946
• [0ef5e088c0] - debugger: revise async iterator usage to comply with lint rules (Rich Trott) #​38847
• [79bfb0416b] - debugger: wait for V8 debugger to be enabled (Michaël Zasso) #​38811
• [721edeffd3] - debugger: refactor internal/inspector/_inspect to use more primordials (Antoine du Hamel) #​38406
• [21ecee1b4b] - debugger: add usage example for --port (Rafael Gonzaga) #​38400
• [cde72213d1] - Revert "debugger: rename internal library for clarity" (Antoine du Hamel) #​39446
• [4c2b813799] - debugger: rename internal library for clarity (Rich Trott) #​39080
• [61da371251] - debugger: apply automatic lint fixes for inspect_repl.js (Rich Trott) #​38411
• [8dd1f70fe3] - debugger: apply automatic lint fixes for _inspect.js (Rich Trott) #​38411
• [fb0ab4c034] - debugger: removed unused function argument (Rich Trott) #​38850
• [9e28c6c946] - debugger: fix race condition/deadlock on initialization (Rich Trott) #​38161
• [a8924fa0fb] - debugger: replace internal use of deprecated API (Rich Trott) #​38161
• [22afb7cbe6] - debugger: allow longer time to connect (Rich Trott) #​38161
• [b172e6f436] - debugger: accommodate line chunking in Windows (Rich Trott) #​38161
• [1da692185a] - debugger: fix inspect restart on Windows (Rich Trott) #​38161
• [0321c5b194] - debugger: remove unused code (Rich Trott) #​38161
• [8bd2a3926a] - debugger: move node-inspect to internal library (Rich Trott) #​38161
• [acf5279c39] - deps: upgrade npm to 6.14.14 (Darcy Clarke) #​39553
• [4efefe02a8] - deps: V8: backport ae7bfb3 (Michaël Zasso) #​39051
• [5039f21396] - deps: V8: backport 16ffec9 (Michaël Zasso) #​39051
• [9b69069f71] - deps: V8: cherry-pick b0a7f56 (Michaël Zasso) #​39051
• [4213e97d26] - deps: V8: cherry-pick 81181a8 (thomasmichaelwallace) #​39187
• [ccecea5f72] - deps: restore minimum ICU version to 65 (Richard Lau) #​39068
• [7557e74cf4] - deps: V8: update build dependencies (Michaël Zasso) #​39244
• [a60a960406] - deps: V8: cherry-pick 8959494 (Michaël Zasso) #​39244
• [7fdd6ecbb4] - deps: V8: cherry-pick 0b3a4ec (Michaël Zasso) #​39244
• [4be2e878b7] - deps: V8: cherry-pick 7c182bd (Michaël Zasso) #​39244
• [a83b01a4af] - deps: V8: cherry-pick 92e6d33 (Michaël Zasso) #​39244
• [17eb561184] - deps: V8: backport 1b1eda0 (Michaël Zasso) #​39244
• [04032fa1a3] - doc: remove references to deleted freenode channels (devsnek) #​39047
• [797bd73849] - doc: add missing parameter types (Voltrex) #​39013
• [e474e984e5] - doc: clarify that only one Python version is required to build (bl-ue) #​38894
• [cd48ee71d9] - doc: fixed typo in process.md (Derevianchenko Maksym) #​38941
• [41fcbad2b2] - doc: add missing semis after classes (Darshan Sen) #​38931
• [b40529643b] - doc: mark util.inherits as legacy (Voltrex) #​38896
• [b2d836b1ea] - doc: clarify when readable._read(...) is called (Shaun Keys) #​38726
• [e36d2a6d6a] - doc: fixed typo in n-api.md (julianjany) #​38822
• [b4f60bb523] - doc: use "Long Term Support" in collaborator guide (Rich Trott) #​38841
• [7a9850a5fb] - doc: use "Long Term Support" in technical values doc (Rich Trott) #​38841
• [dfe9698db0] - doc: use "Long Term Support" in README (Philip) #​38839
• [8699e622fc] - doc: fix grammar in fs.md (yotamselementor) #​38818
• [826ae9b2e2] - doc: fixup code sample in http.md (TodorTotev) #​38776
• [8049b69b7f] - doc: document null target pattern (Guy Bedford) #​38724
• [4d9129eb71] - doc: update code examples for node:url module (fisker Cheung) #​38645
• [2ff671e4c4] - doc,url: clarify domainTo* when built without ICU (Darshan Sen) #​38789
• [9b993edca8] - errors: add ERR_DEBUGGER_STARTUP_ERROR (Rich Trott) #​39024
• [cfccf13e84] - errors: add ERR_DEBUGGER_ERROR (Rich Trott) #​39024
• [bb9a9adc2b] - errors: don't rekey on primitive type (Benjamin Coe) #​39025
• [d48b91ea2b] - http2: on receiving rst_stream with cancel code add it to pending list (Akshay K) #​39423
• [d8cc2fffd6] - lib: add primordials.SafeArrayIterator (Antoine du Hamel) #​36532
• [e3223edb89] - lib: harden lint checks for globals (Antoine du Hamel) #​38419
• [d4f96bb926] - lib: enforce using primordials.globalThis instead of global (Antoine du Hamel) #​38230
• [ea9003a559] - lib: add globalThis to primordials (Antoine du Hamel) #​38211
• [097a7874d3] - lib: remove semicolon in preparation for babel/eslint-parser update (Rich Trott) #​39094
• [199fe32cbc] - lib: make internal/options lazy (Joyee Cheung) #​38993
• [2bc2a232af] - lib: add JSDoc typings for child_process (Voltrex) #​38222
• [b0a1984d4d] - lib: fix typos (bl-ue) #​38846
• [6c061d5f2c] - meta: update label-pr-config (Michaël Zasso) #​38950
• [afb61786b9] - module: fix legacy node specifier resolution to resolve "main" field (Antoine du Hamel) #​38979
• [cd3305a9e4] - node-api: avoid SecondPassCallback crash (Michael Dawson) #​38899
• [e7f266e93d] - src: use SPrintF in ProcessEmitWarning (Darshan Sen) #​38758
• [43fe6c1d27] - src: cleanup uv_fs_t regardless of success or not (legendecas) #​38996
• [dcfb182546] - src: refactor to use locale functions (Darshan Sen) #​39014
• [bee477b000] - src: throw error in LoadBuiltinModuleSource when reading fails (Joyee Cheung) #​38904
• [ff7cc8f9ef] - src: add not-weak DCHECK to PersistentToLocal::Strong (Anna Henningsen) #​38875
• [981217e48a] - src: replace autos in node_api.cc (Khaidi Chu) #​38852
• [73e199d963] - src: fix typos (bl-ue) #​38845
• [2d32031724] - src: use HandleScope in StreamReq::Done() (Darshan Sen) #​38720
• [2c11d3ec0a] - src: remove commented code in node_file.cc (Juan José Arboleda) #​38693
• [846a138f54] - src: write named pipe info in diagnostic report (legendecas) #​38637
• [7d82200861] - src: replace autos in node_contextify.cc (Khaidi Chu) #​38644
• [51da7d2048] - src,url: separate some tables out of node_url.cc (Khaidi Chu) #​38988
• [45c2ea3b72] - test: add NumberFormat resolvedOptions test (Richard Lau) #​39401
• [6b2fea38d1] - test: move inspector-cli tests to sequential (Rich Trott) #​39079
• [6447cab7be] - test: improve buffer coverage (Rongjian Zhang) #​38538
• [6f1862eab3] - test: fix name of variable in inspector-cli test (Tobias Nießen) #​38869
• [40093504bc] - test: fix typo (Houssem Chebab) #​39045
• [ab28f9b9a1] - test: remove obsolete TLS test (Rich Trott) #​39001
• [b3b59953fe] - test: improve coverage of lib/events.js (Rongjian Zhang) #​38582
• [c99a09f05f] - test: http outgoing _headers setter null (ycjcl868) #​38881
• [660a97b1d5] - test: suppress warning in test_environment.cc (Daniel Bevenius) #​38868
• [0cca16ac4c] - test: improve coverage of fs internal utils (Rongjian Zhang) #​38746
• [fecad40f27] - test: fix writefile with fd (Nitzan Uziely) #​38820
• [01f00faaa8] - test: simplify test-path-resolve.js (himself65) #​38671
• [504bfd7a88] - test: improve coverage for question in readline (Qingyu Deng) #​38799
• [eb91932e77] - test: os, replace custom flatten method with built-in Array.flat (Wael Almattar) #​38770
• [aeea252b96] - test: improve coverage of lib/_http_outgoing.js (Rongjian Zhang) #​38734
• [e265d8ee1b] - test: give js-native-api tests consistent names (Gabriel Schulhof) #​38692
• [99fd8bfc6a] - test: fix flaky inspector-cli tests when breakpionts are restored (Rich Trott) #​38431
• [4d3a1fad28] - test: extend timeout on debugger tests for slower machines (Rich Trott) #​38161
• [dd2642b5db] - test: fix comment typo (Rich Trott) #​38161
• [193ea8fd91] - test: fix test-inspector-cli-address (Rich Trott) #​38161
• [a62826bbe6] - test,debugger: migrate node-inspect tests to core (Rich Trott) #​38161
• [ab45ace9bd] - tools: update babel-eslint-parser to 7.14.5 (Rich Trott) #​39094
• [b8e63b3c08] - tools: update ESLint to 7.29.0 (Rich Trott) #​39083
• [54a250e79c] - tools: update doctool dependencies, migrate to ESM (Michaël Zasso) #​38966
• [443db64eed] - tools: avoid crashing CQ when git push fails (Antoine du Hamel) #​36861
• [547f88b149] - tools: fix typo in commit-queue.sh (bl-ue) #​39000
• [1023433a81] - tools: update ESLint to 7.28.0 (Luigi Pinca) #​38955
• [9b4ae8fbb0] - tools: bump remark-preset-lint-node to 2.3.0 (Rich Trott) #​38910
• [2ad0719e86] - tools: refloat 7 Node.js patches to cpplint.py (Rich Trott) #​38851
• [b7686d0c1e] - tools: bump cpplint to 1.5.5 (Rich Trott) #​38851
• [2ec7c9de57] - tools: remove exception for Node.js 8 and earlier (Rich Trott) #​38840
• [1dc71da302] - tools: update setup-node to setup-node@v2 (pengjie) #​38825
• [fc219d862c] - tools: remove node-inspect from license (Rich Trott) #​38161
• [4bb0bd0f0e] - tools,doc: forbid CJS globals in ESM code snippets (Antoine du Hamel) #​38889
• [58154ce426] - typings: add JSDoc typings for https (Voltrex) #​38589
• [6ea1368a67] - typings: add JSDoc typings for events (Voltrex) #​38712
• [b6942a6138] - url,src: simplify ipv6 logic by using uv_inet_pton (Khaidi Chu) #​38842
• [dd00547ada] - vm: use missing validator (Voltrex) #​38935
• [2c28e00685] - worker: do not look up context twice in PostMessage (Anna Henningsen) #​38784

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.