v22.22.2
📦 node-jsView on GitHub →
🐛 7 fixes🔧 5 symbols
Summary
This is a security release addressing several high and medium severity vulnerabilities, including prototype pollution and cryptographic issues. It also includes dependency updates for npm and undici.
🐛 Bug Fixes
- (CVE-2026-21637) wrap SNICallback invocation in try/catch to prevent crashes.
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct to mitigate prototype pollution.
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC.
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code.
- (CVE-2026-21717) test array index hash collision.
- (CVE-2026-21715) add permission check to realpath.native.
- (CVE-2026-21716) include permission check on lib/fs/promises.