chore(deps): update node.js to v24.14.1 #783

2026-03-26T06:06:19Z

renovate commented

2026-03-26 06:06:19 +00:00

This PR contains the following updates:

Package	Type	Update	Change
node	final	patch	`24.14.0-alpine` → `24.14.1-alpine`

Release Notes

nodejs/node (node)

`v24.14.1`: 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol

Compare Source

This is a security release.

Notable Changes

(CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
(CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
(CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
(CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
(CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
(CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
(CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
(CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low

Commits

[6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828
[cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
[80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
[f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
[08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035
[61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994
[9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892
[3dab3c4698] - deps: V8: override depot_tools version (Richard Lau) #62344
[87521e99d1] - deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#828
[045013366f] - deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#828
[af22629ea8] - deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#828
[380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
[d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
[bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
[c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
[cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
[df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [node](https://github.com/nodejs/node) | final | patch | `24.14.0-alpine` → `24.14.1-alpine` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.14.1`](https://github.com/nodejs/node/releases/tag/v24.14.1): 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol [Compare Source](https://github.com/nodejs/node/compare/v24.14.0...v24.14.1) This is a security release. ##### Notable Changes - (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High - (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium - (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium - (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) - Medium - (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium - (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low - (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low ##### Commits - \[[`6fae244080`](https://github.com/nodejs/node/commit/6fae244080)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) - \[[`cc0910c62e`](https://github.com/nodejs/node/commit/cc0910c62e)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) - \[[`80cb042cf3`](https://github.com/nodejs/node/commit/80cb042cf3)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) - \[[`f5b8667dc2`](https://github.com/nodejs/node/commit/f5b8667dc2)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) - \[[`08852637d9`](https://github.com/nodejs/node/commit/08852637d9)] - **deps**: update undici to 7.22.0 (Node.js GitHub Bot) [#62035](https://github.com/nodejs/node/pull/62035) - \[[`61097db9fb`](https://github.com/nodejs/node/commit/61097db9fb)] - **deps**: upgrade npm to 11.11.0 (npm team) [#61994](https://github.com/nodejs/node/pull/61994) - \[[`9ac0f9f81e`](https://github.com/nodejs/node/commit/9ac0f9f81e)] - **deps**: upgrade npm to 11.10.1 (npm team) [#61892](https://github.com/nodejs/node/pull/61892) - \[[`3dab3c4698`](https://github.com/nodejs/node/commit/3dab3c4698)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) - \[[`87521e99d1`](https://github.com/nodejs/node/commit/87521e99d1)] - **deps**: V8: backport [`1361b2a`](https://github.com/nodejs/node/commit/1361b2a49d02) (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) - \[[`045013366f`](https://github.com/nodejs/node/commit/045013366f)] - **deps**: V8: backport [`185f0fe`](https://github.com/nodejs/node/commit/185f0fe09b72) (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) - \[[`af22629ea8`](https://github.com/nodejs/node/commit/af22629ea8)] - **deps**: V8: backport [`0a8b1cd`](https://github.com/nodejs/node/commit/0a8b1cdcc8b2) (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) - \[[`380ea72eef`](https://github.com/nodejs/node/commit/380ea72eef)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) - \[[`d6b6051e08`](https://github.com/nodejs/node/commit/d6b6051e08)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) - \[[`bfdecef9da`](https://github.com/nodejs/node/commit/bfdecef9da)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) - \[[`c015edf313`](https://github.com/nodejs/node/commit/c015edf313)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) - \[[`cba66c48a5`](https://github.com/nodejs/node/commit/cba66c48a5)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) - \[[`df8fbfb93d`](https://github.com/nodejs/node/commit/df8fbfb93d)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate added 1 commit 2026-03-26 13:06:52 +00:00

chore(deps): update node.js to v24.14.1

schemas / vulnerabilities (pull_request) Successful in 2m32s

Details

schemas / check (pull_request) Successful in 2m50s

Details

schemas / check-release (pull_request) Successful in 2m54s

Details

schemas / build (pull_request) Successful in 6m5s

Details

pre-commit / pre-commit (pull_request) Successful in 6m57s

Details