feat(blog): create post for v20.20.0 #8535
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #8535 +/- ##
==========================================
+ Coverage 75.00% 75.02% +0.02%
==========================================
Files 103 103
Lines 9036 9036
Branches 311 311
==========================================
+ Hits 6777 6779 +2
+ Misses 2257 2255 -2
Partials 2 2
Pull request overview
This PR creates a blog post announcing Node.js v20.20.0 (LTS), a security release that addresses six CVE vulnerabilities. The post includes notable security changes, commit details, download links, and SHA checksums.
Changes:
- Added a new blog post file for Node.js v20.20.0 security release
- Documented six security fixes (CVEs) addressing permission model bypasses, error handling issues, and buffer safety
- Included standard release artifacts (download links, checksums, and PGP signatures)
| src,lib: | ||
| - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <https://github.com/nodejs-private/node-private/pull/759> | ||
| tls: | ||
| - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/796> |
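Review bot: On the tls entry, CVE-2026-21637 carries a different year from CVE-2025-55131 on the src,lib entry above it, and that difference alone does not show the identifier is wrong. The year in a CVE ID is the year the ID was reserved or the vulnerability was made public, not the year of the release that ships the fix, so one security release can mix years. Confirm the identifier against the published CVE record or the release's security advisory before changing it, and keep it identical to the value used for the same fix in the commit list.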
Copilot
AI
Jan 13, 2026
The CVE identifier uses year 2026 (CVE-2026-21637) while all other CVEs in this release use year 2025. This is inconsistent and likely a typo. CVE identifiers should use the year when the vulnerability was assigned, and this appears to be part of the same security release as the other 2025 CVEs.
| - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/796> | |
| - (CVE-2025-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/796> |
| - \[[`494f62dc23`](https://github.com/nodejs/node/commit/494f62dc23)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760) | ||
| - \[[`d7a5c587c0`](https://github.com/nodejs/node/commit/d7a5c587c0)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773) | ||
| - \[[`51f4de4b4a`](https://github.com/nodejs/node/commit/51f4de4b4a)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759) | ||
| - \[[`85f73e7057`](https://github.com/nodejs/node/commit/85f73e7057)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796) |
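Review bot: Each entry in this commit list pairs a public nodejs/node commit link with a pull request link under nodejs-private/node-private, and the repository name suggests readers of the published post cannot open the latter. The commit link is the reference a reader can actually use to inspect each fix, so check that every hash (494f62dc23, d7a5c587c0, 51f4de4b4a, 85f73e7057) resolves publicly before the post goes live.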
Copilot
AI
Jan 13, 2026
The CVE identifier uses year 2026 (CVE-2026-21637) while all other CVEs in this release use year 2025. This is inconsistent and likely a typo. CVE identifiers should use the year when the vulnerability was assigned, and this appears to be part of the same security release as the other 2025 CVEs.
Creates a new blog post for v20.20.0
Check this workflow's logs at https://github.com/nodejs/nodejs.org/actions/runs/20959329517.