node-linux-arm64 25.8.1 → 25.8.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md CHANGED
@@ -8,6 +8,7 @@
8
8
  </tr>
9
9
  <tr>
10
10
  <td>
11
+ <a href="#25.8.2">25.8.2</a><br/>
11
12
  <a href="#25.8.1">25.8.1</a><br/>
12
13
  <a href="#25.8.0">25.8.0</a><br/>
13
14
  <a href="#25.7.0">25.7.0</a><br/>
@@ -51,6 +52,40 @@
51
52
  * [io.js](CHANGELOG_IOJS.md)
52
53
  * [Archive](CHANGELOG_ARCHIVE.md)
53
54
 
55
+ <a id="25.8.2"></a>
56
+
57
+ ## 2026-03-24, Version 25.8.2 (Current), @RafaelGSS
58
+
59
+ This is a security release.
60
+
61
+ ### Notable Changes
62
+
63
+ * (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High
64
+ * (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High
65
+ * (CVE-2026-21711) include permission check to `pipe_wrap.cc` (RafaelGSS) - Medium
66
+ * (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
67
+ * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
68
+ * (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium
69
+ * (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
70
+ * (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low
71
+ * (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low
72
+
73
+ ### Commits
74
+
75
+ * \[[`2086b7477b`](https://github.com/nodejs/node/commit/2086b7477b)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834)
76
+ * \[[`0f9332a40a`](https://github.com/nodejs/node/commit/0f9332a40a)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822)
77
+ * \[[`2b6937ddb2`](https://github.com/nodejs/node/commit/2b6937ddb2)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271)
78
+ * \[[`bfb8ad5787`](https://github.com/nodejs/node/commit/bfb8ad5787)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233)
79
+ * \[[`be6384727f`](https://github.com/nodejs/node/commit/be6384727f)] - **deps**: upgrade npm to 11.11.1 (npm team) [#62216](https://github.com/nodejs/node/pull/62216)
80
+ * \[[`2feea5bb97`](https://github.com/nodejs/node/commit/2feea5bb97)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344)
81
+ * \[[`86c04784dd`](https://github.com/nodejs/node/commit/86c04784dd)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821)
82
+ * \[[`5197a56a34`](https://github.com/nodejs/node/commit/5197a56a34)] - **(CVE-2026-21711)** **permission**: include permission check to pipe\_wrap.cc (RafaelGSS) [nodejs-private/node-private#820](https://github.com/nodejs-private/node-private/pull/820)
83
+ * \[[`04a886c735`](https://github.com/nodejs/node/commit/04a886c735)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795)
84
+ * \[[`9a7f80f2b0`](https://github.com/nodejs/node/commit/9a7f80f2b0)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794)
85
+ * \[[`d9c9b628cf`](https://github.com/nodejs/node/commit/d9c9b628cf)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832)
86
+ * \[[`45b55dc786`](https://github.com/nodejs/node/commit/45b55dc786)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816)
87
+ * \[[`4bfda307c0`](https://github.com/nodejs/node/commit/4bfda307c0)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819)
88
+
54
89
  <a id="25.8.1"></a>
55
90
 
56
91
  ## 2026-03-11, Version 25.8.1 (Current), @aduh95
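Review bot: the CVE-2026-21717 entry (added lines 69 and 75) is titled "test array index hash collision" under **build,test**, which describes a test rather than the behaviour that was fixed, unlike the other eight CVE entries. Reword it to name the change, so that someone triaging this security release can tell what was hardened. The Commits list also carries undici 7.24.3 and 7.24.4 and npm 11.11.1 updates that Notable Changes does not mention; if any of them pull in security fixes, say so under Notable Changes, because a reader cannot tell from this text.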
package/bin/node CHANGED
Binary file
@@ -38,7 +38,7 @@
38
38
 
39
39
  # Reset this number to 0 on major V8 upgrades.
40
40
  # Increment by one for each non-official patch applied to deps/v8.
41
- 'v8_embedder_string': '-node.21',
41
+ 'v8_embedder_string': '-node.24',
42
42
 
43
43
  ##### V8 defaults for Node.js #####
44
44
 
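Review bot: `v8_embedder_string` moves from `-node.21` to `-node.24`, a step of three, while the comment two lines above it says to increment by one for each non-official patch applied to deps/v8. The changelog in this diff names only one commit labelled "deps: V8" (`2feea5bb97`, override `depot_tools` version), so the count cannot be accounted for from the commit list. Confirm which deps/v8 patches this release carries and make sure each one is traceable to a listed commit.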
@@ -24,7 +24,7 @@
24
24
 
25
25
  #define NODE_MAJOR_VERSION 25
26
26
  #define NODE_MINOR_VERSION 8
27
- #define NODE_PATCH_VERSION 1
27
+ #define NODE_PATCH_VERSION 2
28
28
 
29
29
  #define NODE_VERSION_IS_LTS 0
30
30
  #define NODE_VERSION_LTS_CODENAME ""
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "node-linux-arm64",
3
- "version": "25.8.1",
3
+ "version": "25.8.2",
4
4
  "description": "node",
5
5
  "repository": {
6
6
  "url": "git+https://github.com/aredridel/node-bin-gen.git"
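Review bot: the `"version"` bump at line 3 is the only reviewable text change in this package outside the changelog; `package/bin/node` is listed as "Binary file" with no content diff, and the `repository` URL points at node-bin-gen rather than nodejs/node. Because the security fixes listed in the changelog live entirely in that binary, a consumer should compare the hash of the shipped `bin/node` with the SHASUMS256.txt published for v25.8.2 on nodejs.org before accepting the update. Nothing in this diff establishes that the binary matches the official build.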