This update for nodejs22 fixes the following issues:
Security fixes:
- CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading
to resource exhaustion (bsc#1256848)
- CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass
TLS error handling and cause denial of service (bsc#1256576)
- CVE-2025-55132: Fixed futimes() ability to access a file even if the process has read
permissions only (bsc#1256571)
- CVE-2025-55131: Fixed race condition that allowed allocations with leftover data
leading to in-process secrets exposure (bsc#1256570)
- CVE-2025-55130: Fixed filesystem permissions bypass via crafted symlinks (bsc#1256569)
- CVE-2025-59465: Fixed malformed HTTP/2 HEADERS frame with invalid HPACK leading
to crash (bsc#1256573)
- CVE-2025-59466: Fixed uncatchable 'Maximum call stack size exceeded' error
leading to crash (bsc#1256574)
Other fixes:
- Update to 22.22.0:
  - deps: updated undici to 6.23.0
  - deps: updated bundled c-ares to 1.34.6 (if used)
  - add TLSSocket default error handler
  - disable futimes when permission model is enabled
  - require full read and write to symlink APIs
  - rethrow stack overflow exceptions in async_hooks
  - refactor unsafe buffer creation to remove zero-fill toggle
  - route callback exceptions through error handlers
- Update to 22.21.1:
  - src: avoid unnecessary string -> char* -> string round trips
  - src: remove unnecessary shadowed functions on Utf8Value & BufferValue
  - process: fix hrtime fast call signatures
  - http: improve writeEarlyHints by avoiding for-of loop
- Update to 22.21.0:
  - cli: add --use-env-proxy
  - http: support http proxy for fetch under NODE_USE_ENV_PROXY
  - http: add shouldUpgradeCallback to let servers control HTTP upgrades
  - http,https: add built-in proxy support in http/https.request and Agent
  - src: add percentage support to --max-old-space-size
- Update to 22.20.0:
  - doc: stabilize --disable-sigusr1
  - doc: mark...