node-linux-s390x 24.14.0 → 24.14.1

package/CHANGELOG.md

@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#24.14.1">24.14.1</a><br/>
 <a href="#24.14.0">24.14.0</a><br/>
 <a href="#24.13.1">24.13.1</a><br/>
 <a href="#24.13.0">24.13.0</a><br/>
@@ -61,6 +62,43 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="24.14.1"></a>
+
+## 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol
+
+This is a security release.
+
+### Notable Changes
+
+* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
+* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
+* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
+* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
+* (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) - Medium
+* (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
+* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
+* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
+
+### Commits
+
+* \[[`6fae244080`](https://github.com/nodejs/node/commit/6fae244080)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
+* \[[`cc0910c62e`](https://github.com/nodejs/node/commit/cc0910c62e)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822)
+* \[[`80cb042cf3`](https://github.com/nodejs/node/commit/80cb042cf3)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271)
+* \[[`f5b8667dc2`](https://github.com/nodejs/node/commit/f5b8667dc2)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233)
+* \[[`08852637d9`](https://github.com/nodejs/node/commit/08852637d9)] - **deps**: update undici to 7.22.0 (Node.js GitHub Bot) [#62035](https://github.com/nodejs/node/pull/62035)
+* \[[`61097db9fb`](https://github.com/nodejs/node/commit/61097db9fb)] - **deps**: upgrade npm to 11.11.0 (npm team) [#61994](https://github.com/nodejs/node/pull/61994)
+* \[[`9ac0f9f81e`](https://github.com/nodejs/node/commit/9ac0f9f81e)] - **deps**: upgrade npm to 11.10.1 (npm team) [#61892](https://github.com/nodejs/node/pull/61892)
+* \[[`3dab3c4698`](https://github.com/nodejs/node/commit/3dab3c4698)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344)
+* \[[`87521e99d1`](https://github.com/nodejs/node/commit/87521e99d1)] - **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
+* \[[`045013366f`](https://github.com/nodejs/node/commit/045013366f)] - **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
+* \[[`af22629ea8`](https://github.com/nodejs/node/commit/af22629ea8)] - **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828)
+* \[[`380ea72eef`](https://github.com/nodejs/node/commit/380ea72eef)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821)
+* \[[`d6b6051e08`](https://github.com/nodejs/node/commit/d6b6051e08)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795)
+* \[[`bfdecef9da`](https://github.com/nodejs/node/commit/bfdecef9da)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794)
+* \[[`c015edf313`](https://github.com/nodejs/node/commit/c015edf313)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832)
+* \[[`cba66c48a5`](https://github.com/nodejs/node/commit/cba66c48a5)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816)
+* \[[`df8fbfb93d`](https://github.com/nodejs/node/commit/df8fbfb93d)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819)
+
 <a id="24.14.0"></a>
 
 ## 2026-02-24, Version 24.14.0 'Krypton' (LTS), @ruyadorno prepared by @aduh95

package/include/node/common.gypi

@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.41',
+    'v8_embedder_string': '-node.44',
 
     ##### V8 defaults for Node.js #####
 

package/include/node/node_version.h

@@ -24,7 +24,7 @@
 
 #define NODE_MAJOR_VERSION 24
 #define NODE_MINOR_VERSION 14
-#define NODE_PATCH_VERSION 0
+#define NODE_PATCH_VERSION 1
 
 #define NODE_VERSION_IS_LTS 1
 #define NODE_VERSION_LTS_CODENAME "Krypton"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-linux-s390x",
-  "version": "24.14.0",
+  "version": "24.14.1",
   "description": "node",
   "repository": {
     "url": "git+https://github.com/aredridel/node-bin-gen.git"