This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-44487: nghttp2 Security Release (High)
• CVE-2023-45143: undici Security Release (High)
• CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
• CVE-2023-39331: Permission model improperly protects against path traversal (High)
• CVE-2023-38552: Integrity checks according to policies can be circumvented (Medium)
• CVE-2023-39333: Code injection via WebAssembly export names (Low)

More detailed information on each of the vulnerabilities can be found in October 2023 Security Releases blog post.

Commits

• [c86883e844] - deps: update nghttp2 to 1.57.0 (James M Snell) #50121
• [2860631359] - deps: update undici to v5.26.3 (Matteo Collina) #50153
• [cd37838bf8] - lib: let deps require node prefixed modules (Matthew Aitken) #50047
• [f5c90b2951] - module: fix code injection through export names (Tobias Nießen) nodejs-private/node-private#461
• [fa5dae1944] - permission: fix Uint8Array path traversal (Tobias Nießen) nodejs-private/node-private#456
• [cd35275111] - permission: improve path traversal protection (Tobias Nießen) nodejs-private/node-private#456
• [a4cb7fc7c0] - policy: use tamper-proof integrity check function (Tobias Nießen) nodejs-private/node-private#462