winget install --id OpenJS.NodeJS.16About Node.js 16
Node.js® is a free, open-source, cross-platform JavaScript runtime environment that lets developers create servers, web apps, command line tools and scripts.
What's new in 16.20.2
This is a security release. Notable Changes The following CVEs are fixed in this release: - CVE-2023-32002: Policies can be bypassed via Module._load (High) - CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium) - CVE-2023-32559: Policies can be bypassed via process.binding (Medium) - OpenSSL Security Releases - OpenSSL security advisory 14th July. - OpenSSL security advisory 19th July. - OpenSSL security advisory 31st July More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post. Commits - [40c3958a5a] - deps: update archs files for OpenSSL-1.1.1v (RafaelGSS) #49043 - [a9ac9da89a] - deps: fix openssl crypto clean (RafaelGSS) #49043 - [362d4c7494] - deps: upgrade openssl sources to OpenSSL_1_1_1v (RafaelGSS) #49043 - [d8ccfe9ad4] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#445 - [242aaa0caa] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#459
Version history
| Version | Updated | Notes |
|---|---|---|
| 16.20.2 | Unknown | This is a security release. Notable Changes The following CVEs are fixed in this release: - CVE-2023-32002: Policies can be bypassed via Module._load (High) - CVE-2023-32006: Policies can be bypassed by module.constructo... |
| 16.20.1 | Unknown | This is a security release. Notable Changes The following CVEs are fixed in this release: - CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High) - CVE-2023-30585: Privilege escalation via Mali... |
| 16.20.0 | Unknown | Notable Changes - deps: - update undici to 5.20.0 (Node.js GitHub Bot) #46711 - update c-ares to 1.19.0 (Michaël Zasso) #46415 - upgrade npm to 8.19.4 (npm team) #46677 - update corepack to 0.17.0 (Node.js GitHub Bot) #4... |
| 16.19.1 | Unknown | This is a security release. Notable Changes The following CVEs are fixed in this release: - CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High) - CVE-2023-23919: Node.js OpenSSL err... |
| 16.19.0 | Unknown | Notable Changes OpenSSL 1.1.1s This update is a bugfix release and does not address any security vulnerabilities. Root certificates updated to NSS 3.85 Certificates added: - Autoridad de Certificacion Firmaprofesional CI... |
| 16.18.1 | Unknown | This is a security release. Notable changes The following CVEs are fixed in this release: - CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium) More detailed information on each of the vulner... |
| 16.18.0 | Unknown | Release notes |
| 16.17.1 | Unknown | This is a security release. Notable changes The following CVEs are fixed in this release: - CVE-2022-32212: DNS rebinding in --inspect on macOS (High) - CVE-2022-32213: bypass via obs-fold mechanic (Medium) - CVE-2022-35... |
| 16.17.0 | Unknown | Release notes |
| 16.16.0 | Unknown | This is a security release. Notable changes - deps: - upgrade openssl sources to OpenSSL_1_1_1q (RafaelGSS) #43692 - src: - add OpenSSL config appname (Daniel Bevenius) #43124 Commits - [2303fd3fe5] - deps: update archs... |
| 16.15.1 | Unknown | Notable Changes - deps: - upgrade npm to 8.11.0 (npm-cli+bot@github.com) #43210 - docs: - add release key for RafaelGSS (Rafael Gonzaga) #43131 - add release key for Juan Arboleda (Juan José) #42961 Commits - [f7c4ce2255... |
| 16.15.0 | Unknown | Release notes |
| 16.14.2 | Unknown | This is a security release. Notable Changes Update to OpenSSL 1.1.1n, which addresses the following vulnerability: - Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778) More details a... |
| 16.14.1 | Unknown | Release notes |
| 16.14.0 | Unknown | Release notes |
| 16.13.2 | Unknown | This is a security release. Notable changes Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to us... |
| 16.13.1 | Unknown | Release notes |
| 16.13.0 | Unknown | Notable Changes This release marks the transition of Node.js 16.x into Long Term Support (LTS) with the codename 'Gallium'. The 16.x release line now moves into "Active LTS" and will remain so until October 2022. After t... |
| 16.12.0 | Unknown | Notable Changes Experimental ESM Loader Hooks API Node.js ESM Loader hooks have been consolidated to represent the steps involved needed to facilitate future loader chaining: 1. resolve: resolve [+ getFormat] 2. load: ge... |
| 16.11.1 | Unknown | This is a security release. Notable changes - CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium) - The http parser accepts requests with a space (SP) right after the header name before the colon. Th... |