This is a security release.
Notable Changes
- CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
- CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
- CVE-2024-22018 - fs.lstat bypasses permission model (Low)
- CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
- CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Commits
- [110902ff5e] - lib,esm: handle bypass network-import via data: (RafaelGSS) nodejs-private/node-private#522
- [0a0de3d491] - lib,permission: support fs.lstat (RafaelGSS)
- [93574335ff] - lib,permission: disable fchmod/fchown when pm enabled (RafaelGSS) nodejs-private/node-private#584
- [09899e6302] - src: handle permissive extension on cmd check (RafaelGSS) nodejs-private/node-private#596
- [5d9c811634] - src,permission: fix UNC path resolution (RafaelGSS) nodejs-private/node-private#581