Mirror of packages feed https://git.openwrt.org/feed/packages/atom?h=master 2026-04-05T12:48:32Z 2026-04-05T12:48:32Z Hirokazu MORIKAWA 2026-04-04T23:04:53Z urn:sha1:3d5f717b7a47fc49b6ae67af7e087da0cfc33a64 This is a security release. Notable Changes * (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium * (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium * (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low * (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com> 2026-01-22T18:53:49Z Hirokazu MORIKAWA 2026-01-20T04:22:04Z urn:sha1:3cb4028f46ae4bab15a2420d068aeed6e4c8f6d8 HOST BUILD ONLY Update to 22.22.0 This is a security release. Notable Changes (CVE-2025-59465) add TLSSocket default error handler (CVE-2025-55132) disable futimes when permission model is enabled lib,permission: (CVE-2025-55130) require full read and write to symlink APIs src: (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,lib: (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle tls: (CVE-2026-21637) route callback exceptions through error handlers Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com> 2025-03-15T06:36:29Z Hirokazu MORIKAWA 2025-03-10T00:29:09Z urn:sha1:853ea061b842eb8ad1d2a2c3252dca61086a7866 https://github.com/openwrt/packages/issues/26078 As a result of the discussion in this thread, the node.js package was changed to hostpkg only.
In addition, this fix uses the pre-built version distributed on nodejs. The use of pre-build is based on the suggestion of @artynet. The packages in the node module are successfully built, but the target node.js itself cannot be provided, so it cannot be used. Yarn, which is used in packages for web front ends, etc., can be used without any problems. Support for host builds other than linux x86_64. Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com> 2025-03-05T14:49:25Z Hannu Nyman 2025-03-05T14:49:25Z urn:sha1:baba458d52478c0ec3e434db1add770e20d8dc9e Mark node BROKEN to disable its build in buildbot in order to test the impact on preventing frequent buildbot hangups. It is suspected that node causes frequent build timeouts/hangups on aarch/arm/i386/x86 builds: approx 1/3 of builds get timeouted. Disable node for now to test the hypothesis. Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi> 2025-02-17T10:51:17Z Hirokazu MORIKAWA 2025-02-17T04:06:16Z urn:sha1:21200cd0832e4b367159064ab94c4908b5b8eccc Notable Changes [82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #56566 [b7fe54fc88] - (SEMVER-MINOR) fs: allow exclude option in globs to accept glob patterns (Daeyeon Jeong) #56489 [3ac92ef607] - (SEMVER-MINOR) lib: add typescript support to STDIN eval (Marco Ippolito) #56359 [1614e8e7bc] - (SEMVER-MINOR) module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX (Marco Ippolito) #56610 [6d6cffa9cc] - (SEMVER-MINOR) module: add findPackageJSON util (Jacob Smith) #55412 [d35333ae18] - (SEMVER-MINOR) process: add process.ref() and process.unref() methods (James M Snell) #56400 [07ff3ddcb5] - (SEMVER-MINOR) sqlite: support TypedArray and DataView in StatementSync (Alex Yang) #56385 [94d3fe1b62] - (SEMVER-MINOR) src: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) #56441 [5afffb4415] - (SEMVER-MINOR) src,worker: add isInternalWorker (Carlos Espa) #56469 [697a851fb3] - (SEMVER-MINOR) test_runner: add TestContext.prototype.waitFor() (Colin Ihrig) #56595 [047537b48c] - (SEMVER-MINOR) test_runner: add t.assert.fileSnapshot() (Colin Ihrig) #56459 [926cf84e95] - (SEMVER-MINOR) test_runner: add assert.register() API (Colin Ihrig) #56434 [c658a8afdf] - (SEMVER-MINOR) worker: add eval ts input (Marco Ippolito) #56394 Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com> 2025-01-24T07:55:15Z Hirokazu MORIKAWA 2025-01-23T05:27:18Z urn:sha1:643afd8977be40464ec2aed66972a754aa2585ac This is a security release. Notable Changes CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High) CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium) CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium) Dependency update: CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium) Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com> 2024-12-30T03:32:05Z Hirokazu MORIKAWA 2024-12-27T22:40:50Z urn:sha1:e6178717d73b753c61366952b17d891119c9f2e4 remake this commit https://github.com/openwrt/packages/pull/25582 Fix nodejs compile errors after the introduction of abseil-cpp in #25565 Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com> 2024-12-26T11:35:49Z Alexandru Ardelean 2024-12-26T08:24:40Z urn:sha1:031bf6f3554921676e6ba3fa67be336115300c8e This reverts commit 9e70d3c5b07ac87d0f6d2ad85f60ca8bd0e74105. As mentioned here: https://github.com/openwrt/packages/pull/25582#issuecomment-2561673222 Signed-off-by: Alexandru Ardelean <alex@shruggie.ro> 2024-12-24T15:46:18Z Austin Lane 2024-12-19T21:15:13Z urn:sha1:9e70d3c5b07ac87d0f6d2ad85f60ca8bd0e74105 Signed-off-by: Austin Lane <vidplace7@gmail.com> 2024-11-23T09:02:23Z Hirokazu MORIKAWA 2024-11-23T05:51:28Z urn:sha1:af7183fc30c6f1523571f0c5d4fb853568a73da1 Upgrade Version 22.11.0 'Jod' (LTS) Notable Changes This release marks the transition of Node.js 22.x into Long Term Support (LTS) with the codename 'Jod'. The 22.x release line now moves into "Active LTS" and will remain so until October 2025. After that time, it will move into "Maintenance" until end of life in April 2027. Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>