Skip to content

Commit 3626fea

Browse files
marco-ippolitomarco-ippolito
committed
2026-03-24, Version 20.20.2 'Iron' (LTS)
This is a security release. Notable changes: crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC deps: * update undici to v6.24.1 * (CVE-2026-21717) fix array index hash collision http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: nodejs-private/node-private#842
1 parent f333d0b commit 3626fea

File tree

3 files changed

+32
-2
lines changed

3 files changed

+32
-2
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,8 @@ release.
3535
</tr>
3636
<tr>
3737
<td valign="top">
38-
<b><a href="doc/changelogs/CHANGELOG_V20.md#20.20.1">20.20.1</a></b><br/>
38+
<b><a href="doc/changelogs/CHANGELOG_V20.md#20.20.2">20.20.2</a></b><br/>
39+
<a href="doc/changelogs/CHANGELOG_V20.md#20.20.1">20.20.1</a><br/>
3940
<a href="doc/changelogs/CHANGELOG_V20.md#20.20.0">20.20.0</a><br/>
4041
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.6">20.19.6</a><br/>
4142
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.5">20.19.5</a><br/>

doc/changelogs/CHANGELOG_V20.md

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
</tr>
1010
<tr>
1111
<td>
12+
<a href="#20.20.2">20.20.2</a><br/>
1213
<a href="#20.20.1">20.20.1</a><br/>
1314
<a href="#20.20.0">20.20.0</a><br/>
1415
<a href="#20.19.6">20.19.6</a><br/>
@@ -77,6 +78,34 @@
7778
* [io.js](CHANGELOG_IOJS.md)
7879
* [Archive](CHANGELOG_ARCHIVE.md)
7980

81+
<a id="20.20.2"></a>
82+
83+
## 2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito
84+
85+
This is a security release.
86+
87+
### Notable Changes
88+
89+
* (CVE-2026-21717) fix array index hash collision (Joyee Cheung) <https://github.com/nodejs-private/node-private/pull/834>
90+
* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) <https://github.com/nodejs-private/node-private/pull/822>
91+
* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/821>
92+
* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/795>
93+
* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/794>
94+
* (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/832>
95+
* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/819>
96+
97+
### Commits
98+
99+
* \[[`cfb51fa9ce`](https://github.com/nodejs/node/commit/cfb51fa9ce)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#831](https://github.com/nodejs-private/node-private/pull/831)
100+
* \[[`f333d0be5f`](https://github.com/nodejs/node/commit/f333d0be5f)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344)
101+
* \[[`2acd5d1226`](https://github.com/nodejs/node/commit/2acd5d1226)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285)
102+
* \[[`af5c144ebc`](https://github.com/nodejs/node/commit/af5c144ebc)] - **(CVE-2026-21717)** **deps,build,test**: fix array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834)
103+
* \[[`00ad47a28e`](https://github.com/nodejs/node/commit/00ad47a28e)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821)
104+
* \[[`0123309566`](https://github.com/nodejs/node/commit/0123309566)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#840](https://github.com/nodejs-private/node-private/pull/840)
105+
* \[[`00830712bc`](https://github.com/nodejs/node/commit/00830712bc)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#838](https://github.com/nodejs-private/node-private/pull/838)
106+
* \[[`a0c73425da`](https://github.com/nodejs/node/commit/a0c73425da)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832)
107+
* \[[`cc3f294507`](https://github.com/nodejs/node/commit/cc3f294507)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#839](https://github.com/nodejs-private/node-private/pull/839)
108+
80109
<a id="20.20.1"></a>
81110

82111
## 2026-03-05, Version 20.20.1 'Iron' (LTS), @marco-ippolito

src/node_version.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@
2929
#define NODE_VERSION_IS_LTS 1
3030
#define NODE_VERSION_LTS_CODENAME "Iron"
3131

32-
#define NODE_VERSION_IS_RELEASE 0
32+
#define NODE_VERSION_IS_RELEASE 1
3333

3434
#ifndef NODE_STRINGIFY
3535
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

0 commit comments

Comments
 (0)