This is a security release.
Notable Changes
- CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
- CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
Dependency update:
- CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
Commits
- [c03ad5ed63] - build: use rclone instead of aws CLI (Michaël Zasso) #55617
- [8232463294] - build, tools: drop leading / from r2dir (Richard Lau) #53951
- [b26bcd3394] - build, tools: copy release assets to staging R2 bucket once built (flakey5) #51394
- [56df127b7b] - build,tools: simplify upload of shasum signatures (Michaël Zasso) #53892
- [a63e9372ed] - (CVE-2025-22150) deps: update undici to v5.28.5 (Matteo Collina) nodejs-private/node-private#657
- [da2d177f91] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
- [6cc8d58e6f] - (CVE-2025-23085) src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) nodejs-private/node-private#650