v23.6.1
node-js
Summary
Security release addressing multiple CVEs including path traversal on Windows, HTTP/2 memory leaks, and permission model bypasses.
⚠️ Breaking Changes
- To prevent security bypasses, InternalWorker now throws an error when it is used while the permission model is enabled (CVE-2025-23083).
Migration Steps
- Update Node.js to the latest security release.
- If you use the experimental permission model, review any code that relies on InternalWorker, because it will now throw.
🐛 Bug Fixes
- Fixed a path traversal vulnerability in path.normalize() on Windows (CVE-2025-23084).
- Fixed a memory leak in HTTP/2 occurring on premature connection close and ERR_PROTO (CVE-2025-23085).
- Fixed use of insufficiently random values in undici fetch() by updating the dependency (CVE-2025-22150).