v22.13.1
Summary
This security release addresses critical vulnerabilities including a path traversal on Windows, an HTTP/2 memory leak, and unauthorized InternalWorker access when the permission model is active.
⚠️ Breaking Changes
- InternalWorker now throws an error when used while the permission model is enabled to prevent security bypasses (CVE-2025-23083).
Migration Steps
- Update Node.js to the latest version to apply security patches.
- If you use the experimental permission model, review any reliance on InternalWorker, which now throws an error.
🐛 Bug Fixes
- Fixed a path traversal vulnerability in path.normalize() on Windows (CVE-2025-23084).
- Fixed an HTTP/2 memory leak occurring on premature connection close and ERR_PROTO (CVE-2025-23085).
- Addressed use of insufficiently random values in undici fetch() by updating the dependency (CVE-2025-22150).
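Upgrading is the fix for the path.normalize() issue listed above. As a defense-in-depth measure for code that maps untrusted input to a file under a base directory, the added example below (not Node.js project code) checks containment after resolution instead of trusting that a normalized path is still relative. `BASE_DIR`, `resolveInside`, `checkAll` and the sample inputs are hypothetical names and constructed values.

```javascript
// Added example, not Node.js project code. BASE_DIR and SAMPLES are constructed.
const path = require('node:path');

const BASE_DIR = 'C:\\srv\\files'; // hypothetical upload root

// Returns the absolute path for `userPath` if it stays inside `baseDir`,
// otherwise null. path.win32 applies Windows rules on any host OS.
function resolveInside(baseDir, userPath) {
  if (typeof userPath !== 'string' || userPath.length === 0) return null;
  // NUL bytes and ':' have no place in a relative file name: ':' introduces
  // a drive specifier or an NTFS alternate data stream.
  if (userPath.includes('\0') || userPath.includes(':')) return null;

  const base = path.win32.resolve(baseDir);
  const target = path.win32.resolve(base, userPath);
  const rel = path.win32.relative(base, target);

  // '' is the base itself; '..' or an absolute result means the target
  // left the base directory (parent directory, drive root or UNC share).
  if (rel === '' || rel === '..' || rel.startsWith('..\\') ||
      path.win32.isAbsolute(rel)) {
    return null;
  }
  return target;
}

// Runs the check over a list of inputs and pairs each with its result.
function checkAll(inputs) {
  return inputs.map((p) => ({ input: p, resolved: resolveInside(BASE_DIR, p) }));
}

// Constructed sample inputs: two legitimate names, then six escapes.
const SAMPLES = [
  'reports\\q1.pdf',
  'reports/../notes.txt',
  '..\\..\\Windows\\win.ini',
  'a\\..\\..\\secret.txt',
  'D:\\other\\file.txt',
  'C:..\\x',
  '\\\\host\\share\\file.txt',
  '\\Windows\\win.ini',
];

for (const r of checkAll(SAMPLES)) {
  const verdict = r.resolved === null ? 'REJECT' : 'ALLOW ';
  console.log(verdict, JSON.stringify(r.input), r.resolved ?? '');
}
```

Symbolic links and junctions are not resolved by this lexical check; code that must account for them needs a real-path comparison on the target filesystem.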