v24.13.0
node-js
2 breaking, 4 fixes, 6 symbols
Summary
This is a security release addressing several CVEs across various components including TLS, lib, and src. Key fixes involve error handling, permission requirements for symlinks, and buffer creation refactoring.
⚠️ Breaking Changes
- The refactor of unsafe buffer creation removed the zero-fill toggle, which might affect code that relied on that toggle for buffer initialization.
- Symlink APIs now require full read and write permissions, potentially breaking scripts that previously operated with fewer permissions.
Migration Steps
- Review applications that use unsafe buffer creation and account for the removal of the zero-fill toggle.
- Verify that processes interacting with symlink APIs have full read and write permissions, as now required by the fix for CVE-2025-55130.
🐛 Bug Fixes
- Added a default error handler for TLSSocket to address CVE-2025-59465.
- Disabled futimes when the permission model is enabled to address CVE-2025-55132.
- Stack overflow exceptions in async_hooks are now rethrown to address CVE-2025-59466.
- Callback exceptions in TLS are now routed through error handlers to address CVE-2026-21637.