v20.18.2
Summary
This security release addresses several vulnerabilities including a high-severity issue in the Permission Model, path traversal on Windows, and memory leaks in HTTP/2.
⚠️ Breaking Changes
- InternalWorker now throws an error when used while the Permission Model is enabled (CVE-2025-23083).
Migration Steps
- Update Node.js to the latest security release.
- If using the experimental Permission Model, ensure your application does not rely on InternalWorker as it will now throw an error.
🐛 Bug Fixes
- Fixed a path traversal vulnerability in path.normalize() on Windows (CVE-2025-23084).
- Fixed an HTTP/2 memory leak occurring on premature connection close and ERR_PROTO (CVE-2025-23085).
- Fixed use of insufficiently random values in undici fetch() by updating the dependency (CVE-2025-22150).