Skip to content

Commit 1f7186e

Browse files
marco-ippolitoRafaelGSS
marco-ippolito
authored and
RafaelGSS
committed
2026-01-13, Version 20.20.0 'Iron' (LTS)
This is a security release. Notable changes: lib: * (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802 * (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 lib,permission: * (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 src: * (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 src,lib: * (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#799 tls: * (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796 PR-URL: nodejs-private/node-private#804
1 parent 51f4de4 commit 1f7186e

File tree

3 files changed

+38
-4
lines changed

3 files changed

+38
-4
lines changed

CHANGELOG.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,8 @@ release.
3535
</tr>
3636
<tr>
3737
<td valign="top">
38-
<b><a href="doc/changelogs/CHANGELOG_V20.md#20.19.6">20.19.6</a></b><br/>
38+
<b><a href="doc/changelogs/CHANGELOG_V20.md#20.20.0">20.20.0</a></b><br/>
39+
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.6">20.19.6</a><br/>
3940
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.5">20.19.5</a><br/>
4041
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.4">20.19.4</a><br/>
4142
<a href="doc/changelogs/CHANGELOG_V20.md#20.19.3">20.19.3</a><br/>

doc/changelogs/CHANGELOG_V20.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,7 @@
99
</tr>
1010
<tr>
1111
<td>
12+
<a href="#20.20.0">20.20.0</a><br/>
1213
<a href="#20.19.6">20.19.6</a><br/>
1314
<a href="#20.19.5">20.19.5</a><br/>
1415
<a href="#20.19.4">20.19.4</a><br/>
@@ -75,6 +76,38 @@
7576
* [io.js](CHANGELOG_IOJS.md)
7677
* [Archive](CHANGELOG_ARCHIVE.md)
7778

79+
<a id="20.20.0"></a>
80+
81+
## 2026-01-13, Version 20.20.0 'Iron' (LTS), @marco-ippolito
82+
83+
This is a security release.
84+
85+
### Notable Changes
86+
87+
lib:
88+
89+
* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/802>
90+
* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/797>
91+
lib,permission:
92+
* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/760>
93+
src:
94+
* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/773>
95+
src,lib:
96+
* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <https://github.com/nodejs-private/node-private/pull/759>
97+
tls:
98+
* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/796>
99+
100+
### Commits
101+
102+
* \[[`8f9ba3f623`](https://github.com/nodejs/node/commit/8f9ba3f623)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997)
103+
* \[[`97fc9b0eb7`](https://github.com/nodejs/node/commit/97fc9b0eb7)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#792](https://github.com/nodejs-private/node-private/pull/792)
104+
* \[[`14fbbb510c`](https://github.com/nodejs/node/commit/14fbbb510c)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#802](https://github.com/nodejs-private/node-private/pull/802)
105+
* \[[`1febc48d5b`](https://github.com/nodejs/node/commit/1febc48d5b)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797)
106+
* \[[`494f62dc23`](https://github.com/nodejs/node/commit/494f62dc23)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760)
107+
* \[[`d7a5c587c0`](https://github.com/nodejs/node/commit/d7a5c587c0)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773)
108+
* \[[`51f4de4b4a`](https://github.com/nodejs/node/commit/51f4de4b4a)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759)
109+
* \[[`85f73e7057`](https://github.com/nodejs/node/commit/85f73e7057)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796)
110+
78111
<a id="20.19.6"></a>
79112

80113
## 2025-11-25, Version 20.19.6 'Iron' (LTS), @marco-ippolito

src/node_version.h

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,13 +23,13 @@
2323
#define SRC_NODE_VERSION_H_
2424

2525
#define NODE_MAJOR_VERSION 20
26-
#define NODE_MINOR_VERSION 19
27-
#define NODE_PATCH_VERSION 7
26+
#define NODE_MINOR_VERSION 20
27+
#define NODE_PATCH_VERSION 0
2828

2929
#define NODE_VERSION_IS_LTS 1
3030
#define NODE_VERSION_LTS_CODENAME "Iron"
3131

32-
#define NODE_VERSION_IS_RELEASE 0
32+
#define NODE_VERSION_IS_RELEASE 1
3333

3434
#ifndef NODE_STRINGIFY
3535
#define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)

0 commit comments

Comments
 (0)