Update dependency node to v16.20.2

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
node		patch	16.20.0 -> 16.20.2
@types/node (source)	devDependencies	patch	16.18.35 -> 16.18.61

---

Release Notes

nodejs/node (node)

v16.20.2: 2023-08-09, Version 16.20.2 'Gallium' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-32002: Policies can be bypassed via Module._load (High)
• CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
• CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 14th July.
  • OpenSSL security advisory 19th July.
  • OpenSSL security advisory 31st July

More detailed information on each of the vulnerabilities can be found in August 2023 Security Releases blog post.

Commits

• [40c3958a5a] - deps: update archs files for OpenSSL-1.1.1v (RafaelGSS) #​49043
• [a9ac9da89a] - deps: fix openssl crypto clean (RafaelGSS) #​49043
• [362d4c7494] - deps: upgrade openssl sources to OpenSSL_1_1_1v (RafaelGSS) #​49043
• [d8ccfe9ad4] - policy: handle Module.constructor and main.extensions bypass (RafaelGSS) nodejs-private/node-private#445
• [242aaa0caa] - policy: disable process.binding() when enabled (Tobias Nießen) nodejs-private/node-private#459

v16.20.1: 2023-06-20, Version 16.20.1 'Gallium' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

• CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
• CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
• CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
• CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
• CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
• OpenSSL Security Releases
  • OpenSSL security advisory 28th March.
  • OpenSSL security advisory 20th April.
  • OpenSSL security advisory 30th May
• c-ares vulnerabilities:
  • GHSA-9g78-jv2r-p7vc
  • GHSA-8r8p-23f3-64c2
  • GHSA-54xr-f67r-4pc4
  • GHSA-x6mf-cxr9-8q6v

More detailed information on each of the vulnerabilities can be found in June 2023 Security Releases blog post.

Commits

• [5a92ea7a3b] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen)
• [5df04e893a] - deps: set CARES_RANDOM_FILE for c-ares (Richard Lau) #​48156
• [c171cbd124] - deps: update c-ares to 1.19.1 (RafaelGSS) #​48115
• [155d3aac02] - deps: update archs files for OpenSSL-1.1.1u+quic (RafaelGSS) #​48369
• [8d4c8f8ebe] - deps: upgrade openssl sources to OpenSSL_1_1_1u (RafaelGSS) #​48369
• [1a5c9284eb] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426
• [e42ff4b018] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#429
• [10042683c8] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408
• [a6f4e87bc9] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416
• [b77000f4d7] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #​47851

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (4e06f4f) 94.47% compared to head (73c0ba5) 94.47%.
Report is 10 commits behind head on master.

❗ Current head 73c0ba5 differs from pull request most recent head dab8b9c. Consider uploading reports for the commit dab8b9c to get more accurate results

Additional details and impacted files

@@           Coverage Diff           @@
##           master      #74   +/-   ##
=======================================
  Coverage   94.47%   94.47%           
=======================================
  Files           2        2           
  Lines         344      344           
=======================================
  Hits          325      325           
  Misses         19       19           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.