The SDK-for-Node.js buildpack includes the Node.js runtimes from the community September and November 2020 security releases and introduces v14 runtimes.
The September 2020 security release includes fixes for three issues:
- HTTP Request Smuggling due to CR-to-Hyphen conversion (High) (CVE-2020-8201), which impacts all 12.x and 14.x runtimes.
- Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical) (CVE-2020-8251), which impacts 14.x runtimes.
- fs.realpath.native may cause buffer overflow (Medium) (CVE-2020-8252), which impacts all versions of 10.x, 12.x, and 14.x runtimes.
The November 2020 release includes a fix for the following issue:
- Denial of Service through DNS request (CVE-2020-8277) which impacts the 12.x and 14.x runtimes.
This buildpack contains the following Node.js runtimes: v10.22.1, v10.23.0, v12.19.0, v12.19.1, v14.15.0, v14.15.1. It is based on the community Node.js buildpack v1.7.36. The latest v10 runtime is the default runtime when one is not specified in the package.json. An existing application will not be affected by the new buildpack until you redeploy or restage. New applications will automatically use the new buildpack.