winget install --id OpenJS.NodeJS.14About Node.js 14
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
What's new in 14.21.3
This is a security release. Notable Changes The following CVEs are fixed in this release: - CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High) - CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low) More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post. This security release includes OpenSSL security updates as outlined in the recent OpenSSL security advisory. This security release also includes an npm update for Node.js 14 to address a number of CVEs which either do not affect Node.js or are low severity in the context of Node.js. You can get more details for the individual CVEs in nodejs-dependency-vuln-assessments. Commits - [97a0443f13] - build: build ICU with ICU_NO_USER_DATA_OVERRIDE (RafaelGSS) nodejs-private/node-private#374 - [9e6221529b] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46566 - [0d5f86451d] - deps: update archs files for OpenSSL-1.1.1t (RafaelGSS) #46566 - [8c11d17b40] - deps: upgrade openssl sources to 1.1.1t (RafaelGSS) #46566 - [224e93c9ef] - deps: upgrade npm to 6.14.18 (Ruy Adorno) #45936 - [d73ea4de13] - doc: clarify release notes for Node.js 14.21.2 (Richard Lau) #45846 - [f7892c16be] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358 - [fa115ee8ac] - module: protect against prototype mutation (Antoine du Hamel) #44007 - [83975b7fb4] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358 - [a5f...
Version history
| Version | Updated | Notes |
|---|---|---|
| 14.21.3 | Unknown | This is a security release. Notable Changes The following CVEs are fixed in this release: - CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High) - CVE-2023-23920: Node.js insecure lo... |
| 14.21.2 | Unknown | Notable Changes OpenSSL 1.1.1s This update is a bugfix release and does not address any security vulnerabilities. Root certificates updated to NSS 3.85 Certificates added: - Autoridad de Certificacion Firmaprofesional CI... |
| 14.21.1 | Unknown | This is a security release. Notable changes The following CVEs are fixed in this release: - CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium) More detailed information on each of the vulner... |
| 14.21.0 | Unknown | Notable changes - deps: - update corepack to 0.14.2 (Node.js GitHub Bot) #44775 - src: - add --openssl-shared-config option (Daniel Bevenius) #43124 Commits - [773f587912] - deps: cherry-pick libuv/libuv@3a7b955 (Ben Noo... |
| 14.20.1 | Unknown | This is a security release. Notable changes The following CVEs are fixed in this release: - CVE-2022-32212: DNS rebinding in --inspect on macOS (High) - CVE-2022-32213: bypass via obs-fold mechanic (Medium) - CVE-2022-35... |
| 14.20.0 | Unknown | This is a security release. Notable Changes - [8e8aef836c] - (SEMVER-MAJOR) src,deps,build,test: add OpenSSL config appname (Daniel Bevenius) #43124 - [98965b137d] - deps: upgrade openssl sources to 1.1.1q (RafaelGSS) #4... |
| 14.19.3 | Unknown | Notable Changes - This release updates OpenSSL to 1.1.1o. This update is not being treated as a security release as the issues addressed in OpenSSL 1.1.1o were assessed to not affect Node.js 14. See https://nodejs.org/en... |
| 14.19.2 | Unknown | Notable Changes doc: - New release key for Bryan English Learn more at: https://github.com/nodejs/node/pull/42102 Contributed by Bryan English (@bengl) npm: - Upgrade npm to v6.14.17. Learn more at: https://github.com/no... |
| 14.19.1 | Unknown | This is a security release. Notable Changes Update to OpenSSL 1.1.1n, which addresses the following vulnerability: - Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778) More details a... |
| 14.19.0 | Unknown | Notable Changes Corepack Node.js now includes Corepack, a script that acts as a bridge between Node.js projects and the package managers they are intended to be used with during development. In practical terms, Corepack... |
| 14.18.3 | Unknown | This is a security release. Notable changes Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to us... |
| 14.18.2 | Unknown | Notable changes This release contains a c-ares update to fix a regression introduced in Node.js 14.17.5 resolving CNAME records containing underscores #39780. Also included are commits to allow Node.js 14 to continue to... |
| 14.18.1 | Unknown | This is a security release. Notable changes - CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium) - The http parser accepts requests with a space (SP) right after the header name before the colon. Th... |
| 14.18.0 | Unknown | Release notes |
| 14.17.6 | Unknown | This is a security release. Notable Changes These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-202... |
| 14.17.5 | Unknown | This is a security release. Notable Changes - CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High) - Node.js was vulnerable to Remote Code Execution, XSS, application crashes due... |
| 14.17.4 | Unknown | Release notes |
| 14.17.3 | Unknown | Notable Changes Node.js 14.17.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows inst... |
| 14.17.2 | Unknown | This is a security release. Notable Changes Vulnerabilities fixed: - CVE-2021-22918: libuv upgrade - Out of bounds read (Medium) - Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which... |
| 14.17.1 | Unknown | Release notes |