Fedora Linux 8812 Published by

A nodejs security update has been released for Fedora 35.



SECURITY: Fedora 35 Update: nodejs-16.14.0-2.fc35


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2022-97b214b298
2022-02-19 01:30:44.345535
--------------------------------------------------------------------------------

Name : nodejs
Product : Fedora 35
Version : 16.14.0
Release : 2.fc35
URL :   http://nodejs.org/
Summary : JavaScript runtime
Description :
Node.js is a platform built on Chrome's JavaScript runtime
for easily building fast, scalable network applications.
Node.js uses an event-driven, non-blocking I/O model that
makes it lightweight and efficient, perfect for data-intensive
real-time applications that run across distributed devices.

--------------------------------------------------------------------------------
Update Information:

## 2022-02-08, Version 16.14.0 'Gallium' (LTS), @danielleadams ### Notable
changes #### Importing JSON modules now requires experimental import assertions
syntax This release adds experimental support for the import assertions stage 3
proposal. To keep Node.js ESM implementation as compatible as possible with the
HTML spec, import assertions are now required to import JSON modules (still
behind the `--experimental-json-modules` CLI flag): ```mjs import info from
'./package.json' assert { type: 'json' }; ``` Or use dynamic import: ```mjs
const info = await import('./package.json', { assert: { type: 'json' } }); ```
Contributed by Antoine du Hamel and Geoffrey Booth
[#40250](  https://github.com/nodejs/node/pull/40250) #### Other notable changes
* **async\_hooks**: * **(SEMVER-MINOR)** expose async\_wrap providers (Rafael
Gonzaga) [#40760](  https://github.com/nodejs/node/pull/40760) *
**child\_process**: * **(SEMVER-MINOR)** add support for URL to `cp.fork`
(Antoine du Hamel) [#41225](  https://github.com/nodejs/node/pull/41225) *
**doc**: * add @Mesteery to collaborators (Mestery)
[#41543](  https://github.com/nodejs/node/pull/41543) * add @bnb as a
collaborator (Tierney Cyren) [#41100](  https://github.com/nodejs/node/pull/41100)
* **esm**: * **(SEMVER-MINOR)** graduate capturerejections to supported (James
M Snell) [#41267](  https://github.com/nodejs/node/pull/41267) * **(SEMVER-
MINOR)** add EventEmitterAsyncResource to core (James M Snell)
[#41246](  https://github.com/nodejs/node/pull/41246) * **events**: * **(SEMVER-
MINOR)** propagate weak option for kNewListener (James M Snell)
[#40899](  https://github.com/nodejs/node/pull/40899) * **fs**: * **(SEMVER-
MINOR)** accept URL as argument for `fs.rm` and `fs.rmSync` (Antoine du Hamel)
[#41132](  https://github.com/nodejs/node/pull/41132) * **lib**: * **(SEMVER-
MINOR)** make AbortSignal cloneable/transferable (James M Snell)
[#41050](  https://github.com/nodejs/node/pull/41050) * **(SEMVER-MINOR)** add
AbortSignal.timeout (James M Snell)
[#40899](  https://github.com/nodejs/node/pull/40899) * **(SEMVER-MINOR)** add
reason to AbortSignal (James M Snell)
[#40807](  https://github.com/nodejs/node/pull/40807) * **(SEMVER-MINOR)** add
unsubscribe method to non-active DC channels (simon-id)
[#40433](  https://github.com/nodejs/node/pull/40433) * **(SEMVER-MINOR)** add
return value for DC channel.unsubscribe (simon-id)
[#40433](  https://github.com/nodejs/node/pull/40433) * **loader**: * **(SEMVER-
MINOR)** return package format from defaultResolve if known (Gabriel Bota)
[#40980](  https://github.com/nodejs/node/pull/40980) * **perf\_hooks**: *
**(SEMVER-MINOR)** multiple fixes for Histogram (James M Snell)
[#41153](  https://github.com/nodejs/node/pull/41153) * **process**: *
**(SEMVER-MINOR)** add `getActiveResourcesInfo()` (Darshan Sen)
[#40813](  https://github.com/nodejs/node/pull/40813) * **src**: * **(SEMVER-
MINOR)** add x509.fingerprint512 to crypto module (3nprob)
[#39809](  https://github.com/nodejs/node/pull/39809) * **(SEMVER-MINOR)** add
flags for controlling process behavior (Cheng Zhao)
[#40339](  https://github.com/nodejs/node/pull/40339) * **stream**: * **(SEMVER-
MINOR)** add filter method to readable (Benjamin Gruenbaum)
[#41354](  https://github.com/nodejs/node/pull/41354) * **(SEMVER-MINOR)** add
isReadable helper (Robert Nagy)
[#41199](  https://github.com/nodejs/node/pull/41199) * **(SEMVER-MINOR)** add
map method to Readable (Benjamin Gruenbaum)
[#40815](  https://github.com/nodejs/node/pull/40815) * deprecate thenable
support (Antoine du Hamel) [#40860](  https://github.com/nodejs/node/pull/40860) *
**util**: * **(SEMVER-MINOR)** pass through the inspect function to custom
inspect functions (Ruben Bridgewater)
[#41019](  https://github.com/nodejs/node/pull/41019) * **(SEMVER-MINOR)** add
numericSeparator to util.inspect (Ruben Bridgewater)
[#41003](  https://github.com/nodejs/node/pull/41003) * **(SEMVER-MINOR)**
always visualize cause property in errors during inspection (Ruben Bridgewater)
[#41002](  https://github.com/nodejs/node/pull/41002) * **timers**: * **(SEMVER-
MINOR)** add experimental scheduler api (James M Snell)
[#40909](  https://github.com/nodejs/node/pull/40909) * **v8**: * **(SEMVER-
MINOR)** multi-tenant promise hook api (Stephen Belanger)
[#39283](  https://github.com/nodejs/node/pull/39283) ---- Fix for
CVE-2021-43616
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb 9 2022 Zuzana Svetlikova - 1:16.14.0-2
- Replace explicit version of npm in %check with variable and make build fail if it doesn't match
* Tue Feb 8 2022 Stephen Gallagher - 1:16.14.0-1
- Update to Node.js 16.14.0
* Thu Feb 3 2022 Stephen Gallagher - 1:16.13.2-8
- Update npm to 8.3.1 (CVE-2021-43616)
* Wed Feb 2 2022 Stephen Gallagher - 1:16.13.2-7
- Fix incorrect version Provides: for npm (bz#2049873)
* Mon Jan 31 2022 Stephen Gallagher - 1:16.13.2-6
- Rebuild for more architectures
* Mon Jan 31 2022 Stephen Gallagher - 1:16.13.2-5
- Tweak some dependencies on EPEL 7 (bz2048589)
- Add Provides: bundled(zlib)
* Wed Jan 19 2022 Stephen Gallagher - 1:16.13.2-3
- Bundle zlib on EPEL 7
* Mon Jan 17 2022 Stephen Gallagher - 1:16.13.2-2
- Add support for building on EPEL 7
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #2050282 - CVE-2021-43616 npm: npm ci succeeds when package-lock.json doesn't match package.json
  https://bugzilla.redhat.com/show_bug.cgi?id=2050282
--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-97b214b298' at the command
line. For more information, refer to the dnf documentation available at
  http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
  https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________