Summary

The Node.js project will release new versions of the 16.x, 18.x and 20.x releases lines on or shortly after, Tuesday June 20 2023 in order to address:

• 7 medium severity issues.
• 3 high severity issues.
• OpenSSL security updates for which the highest vulnerability severity is Moderate. You can read more about this update in the
  • OpenSSL security advisory 28th March.
  • OpenSSL security advisory 20th April.
  • OpenSSL security advisory 30th May.
• c-ares 22th May security updates

Impact

The 20.x release line of Node.js is vulnerable to 7 medium severity issues, and 3 high severity issues.

The 18.x release line of Node.js is vulnerable to 4 medium severity issues, and 1 high severity issues.

The 16.x release line of Node.js is vulnerable to 4 medium severity issues, and 1 high severity issues.

All the active release lines will be patched with the OpenSSL security update and c-ares security update.

Release timing

Releases will be available on, or shortly after, Tuesday June 20 2023.

Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/master/SECURITY.md if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.