Skip to content

Commit 2645dc7

Browse files
aduh95aduh95
committed
2026-03-24, Version 22.22.2 'Jod' (LTS)
This is a security release. Notable changes: build,test,deps: * (CVE-2026-21717) test array index hash collision crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: nodejs-private/node-private#844
1 parent 30a3ab1 commit 2645dc7

File tree

3 files changed

+39
-2
lines changed

3 files changed

+39
-2
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -37,7 +37,8 @@ release.
3737
</tr>
3838
<tr>
3939
<td valign="top">
40-
<b><a href="doc/changelogs/CHANGELOG_V22.md#22.22.1">22.22.1</a></b><br/>
40+
<b><a href="doc/changelogs/CHANGELOG_V22.md#22.22.2">22.22.2</a></b><br/>
41+
<a href="doc/changelogs/CHANGELOG_V22.md#22.22.1">22.22.1</a><br/>
4142
<a href="doc/changelogs/CHANGELOG_V22.md#22.22.0">22.22.0</a><br/>
4243
<a href="doc/changelogs/CHANGELOG_V22.md#22.21.1">22.21.1</a><br/>
4344
<a href="doc/changelogs/CHANGELOG_V22.md#22.21.0">22.21.0</a><br/>

doc/changelogs/CHANGELOG_V22.md

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
</tr>
1010
<tr>
1111
<td>
12+
<a href="#22.22.2">22.22.2</a><br/>
1213
<a href="#22.22.1">22.22.1</a><br/>
1314
<a href="#22.22.0">22.22.0</a><br/>
1415
<a href="#22.21.1">22.21.1</a><br/>
@@ -69,6 +70,41 @@
6970
* [io.js](CHANGELOG_IOJS.md)
7071
* [Archive](CHANGELOG_ARCHIVE.md)
7172

73+
<a id="22.22.2"></a>
74+
75+
## 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95
76+
77+
This is a security release.
78+
79+
### Notable Changes
80+
81+
* (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High
82+
* (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High
83+
* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
84+
* (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium
85+
* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
86+
* (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low
87+
* (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low
88+
89+
### Commits
90+
91+
* \[[`6f14ee5101`](https://github.com/nodejs/node/commit/6f14ee5101)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809)
92+
* \[[`52a52ef619`](https://github.com/nodejs/node/commit/52a52ef619)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822)
93+
* \[[`30a3ab11e2`](https://github.com/nodejs/node/commit/30a3ab11e2)] - **(CVE-2026-21717)** **deps**: V8: cherry-pick aac14dd95e5b (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809)
94+
* \[[`e3f4d6a42e`](https://github.com/nodejs/node/commit/e3f4d6a42e)] - **(CVE-2026-21717)** **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809)
95+
* \[[`7dc00fa5f4`](https://github.com/nodejs/node/commit/7dc00fa5f4)] - **(CVE-2026-21717)** **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809)
96+
* \[[`076acd052d`](https://github.com/nodejs/node/commit/076acd052d)] - **(CVE-2026-21717)** **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809)
97+
* \[[`963c60a951`](https://github.com/nodejs/node/commit/963c60a951)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344)
98+
* \[[`a688117d5d`](https://github.com/nodejs/node/commit/a688117d5d)] - **deps**: upgrade npm to 10.9.7 (npm team) [#62330](https://github.com/nodejs/node/pull/62330)
99+
* \[[`859c8c761b`](https://github.com/nodejs/node/commit/859c8c761b)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285)
100+
* \[[`d5ed384a2f`](https://github.com/nodejs/node/commit/d5ed384a2f)] - **deps**: upgrade npm to 10.9.6 (npm team) [#62215](https://github.com/nodejs/node/pull/62215)
101+
* \[[`a2fe9fd81a`](https://github.com/nodejs/node/commit/a2fe9fd81a)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821)
102+
* \[[`73deff77c1`](https://github.com/nodejs/node/commit/73deff77c1)] - **lib**: backport `_tls_common` and `_tls_wrap` refactors (Dario Piotrowicz) [#57643](https://github.com/nodejs/node/pull/57643)
103+
* \[[`06fc3436f6`](https://github.com/nodejs/node/commit/06fc3436f6)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795)
104+
* \[[`db48d9c675`](https://github.com/nodejs/node/commit/db48d9c675)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794)
105+
* \[[`2a6105a63b`](https://github.com/nodejs/node/commit/2a6105a63b)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832)
106+
* \[[`91b970886f`](https://github.com/nodejs/node/commit/91b970886f)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819)
107+
72108
<a id="22.22.1"></a>
73109

74110
## 2026-03-05, Version 22.22.1 'Jod' (LTS), @marco-ippolito prepared by @aduh95

src/node_version.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -29,7 +29,7 @@
2929
#define NODE_VERSION_IS_LTS 1
3030
#define NODE_VERSION_LTS_CODENAME "Jod"
3131

32-
#define NODE_VERSION_IS_RELEASE 0
32+
#define NODE_VERSION_IS_RELEASE 1
3333

3434
#ifndef NODE_STRINGIFY
3535
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

0 commit comments

Comments
 (0)