Skip to content

Commit 7be0e28

Browse files
marco-ippolitomarco-ippolito
committed
2026-03-24, Version 20.20.2 'Iron' (LTS)
This is a security release. Notable changes: crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC deps: * update undici to v6.24.1 * (CVE-2026-21717) fix array index hash collision http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: nodejs-private/node-private#842
1 parent d88a46a commit 7be0e28

File tree

2 files changed

+31
-1
lines changed

2 files changed

+31
-1
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,8 @@ release.
115115
<a href="doc/changelogs/CHANGELOG_V22.md#22.0.0">22.0.0</a><br/>
116116
</td>
117117
<td valign="top">
118-
<b><a href="doc/changelogs/CHANGELOG_V20.md#20.20.1">20.20.1</a></b><br/>
118+
<b><a href="doc/changelogs/CHANGELOG_V20.md#20.20.2">20.20.2</a></b><br/>
119+
<a href="doc/changelogs/CHANGELOG_V20.md#20.20.1">20.20.1</a><br/>
119120
<a href="doc/changelogs/CHANGELOG_V20.md#20.20.0">20.20.0</a><br/>
120121
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.6">20.19.6</a><br/>
121122
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.5">20.19.5</a><br/>

doc/changelogs/CHANGELOG_V20.md

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
</tr>
1010
<tr>
1111
<td>
12+
<a href="#20.20.2">20.20.2</a><br/>
1213
<a href="#20.20.1">20.20.1</a><br/>
1314
<a href="#20.20.0">20.20.0</a><br/>
1415
<a href="#20.19.6">20.19.6</a><br/>
@@ -82,6 +83,34 @@
8283
* [io.js](CHANGELOG_IOJS.md)
8384
* [Archive](CHANGELOG_ARCHIVE.md)
8485

86+
<a id="20.20.2"></a>
87+
88+
## 2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito
89+
90+
This is a security release.
91+
92+
### Notable Changes
93+
94+
* (CVE-2026-21717) fix array index hash collision (Joyee Cheung) <https://github.com/nodejs-private/node-private/pull/834>
95+
* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) <https://github.com/nodejs-private/node-private/pull/822>
96+
* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/821>
97+
* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/795>
98+
* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/794>
99+
* (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/832>
100+
* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/819>
101+
102+
### Commits
103+
104+
* \[[`cfb51fa9ce`](https://github.com/nodejs/node/commit/cfb51fa9ce)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#831](https://github.com/nodejs-private/node-private/pull/831)
105+
* \[[`f333d0be5f`](https://github.com/nodejs/node/commit/f333d0be5f)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344)
106+
* \[[`2acd5d1226`](https://github.com/nodejs/node/commit/2acd5d1226)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285)
107+
* \[[`af5c144ebc`](https://github.com/nodejs/node/commit/af5c144ebc)] - **(CVE-2026-21717)** **deps,build,test**: fix array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834)
108+
* \[[`00ad47a28e`](https://github.com/nodejs/node/commit/00ad47a28e)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821)
109+
* \[[`0123309566`](https://github.com/nodejs/node/commit/0123309566)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#840](https://github.com/nodejs-private/node-private/pull/840)
110+
* \[[`00830712bc`](https://github.com/nodejs/node/commit/00830712bc)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#838](https://github.com/nodejs-private/node-private/pull/838)
111+
* \[[`a0c73425da`](https://github.com/nodejs/node/commit/a0c73425da)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832)
112+
* \[[`cc3f294507`](https://github.com/nodejs/node/commit/cc3f294507)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#839](https://github.com/nodejs-private/node-private/pull/839)
113+
85114
<a id="20.20.1"></a>
86115

87116
## 2026-03-05, Version 20.20.1 'Iron' (LTS), @marco-ippolito

0 commit comments

Comments
 (0)