Recommended update for nodejs20

Announcement ID:	SUSE-RU-2023:4344-1
Rating:	moderate
References:	jsc#PED-4819 jsc#PED-7088
Affected Products:	openSUSE Leap 15.5 SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5 Web and Scripting Module 15-SP5

An update that contains two features can now be installed.

Description:

This update for nodejs20 fixes the following issues:

This update provides nodejs 20 in version 20.8.1.

For overview of changes and details since 19.x and earlier see:

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V20.md#20.0.0

• Permission Model

Node.js now has an experimental feature called the Permission Model. It allows developers to restrict access to specific resources during program execution, such as file system operations, child process spawning, and worker thread creation. The API exists behind a flag --experimental-permission which when enabled will restrict access to all available permissions. By using this feature, developers can prevent their applications from accessing or modifying sensitive data or running potentially harmful code. More information about the Permission Model can be found in the Node.js documentation.

The Permission Model was a contribution by Rafael Gonzaga in #44004.

• Custom ESM loader hooks run on dedicated thread

ESM hooks supplied via loaders (--experimental-loader=foo.mjs) now run in a dedicated thread, isolated from the main thread. This provides a separate scope for loaders and ensures no cross-contamination between loaders and application code.

• Synchronous import.meta.resolve()

In alignment with browser behavior, this function now returns synchronously. Despite this, user loader resolve hooks can still be defined as async functions (or as sync functions, if the author prefers). Even when there are async resolve hooks loaded, import.meta.resolve will still return synchronously for application code.

Contributed by Anna Henningsen, Antoine du Hamel, Geoffrey Booth, Guy Bedford, Jacob Smith, and Michaël Zasso in #44710

• V8 11.3

The V8 engine is updated to version 11.3, which is part of Chromium 113. This version includes three new features to the JavaScript API:

String.prototype.isWellFormed and toWellFormed Methods that change Array and TypedArray by copy Resizable ArrayBuffer and growable SharedArrayBuffer RegExp v flag with set notation + properties of strings WebAssembly Tail Call

The V8 update was a contribution by Michaël Zasso in #47251.

• Stable Test Runner

The recent update to Node.js, version 20, includes an important change to the test_runner module. The module has been marked as stable after a recent update. Previously, the test_runner module was experimental, but this change marks it as a stable module that is ready for production use.

Contributed by Colin Ihrig in #46983

• Ada 2.0

Node.js v20 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements to URL parsing, including enhancements to the url.domainToASCII and url.domainToUnicode functions in node:url.

Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4, while also eliminating the need for the ICU requirement for URL hostname parsing.

Contributed by Yagiz Nizipli and Daniel Lemire in #47339

• Preparing single executable apps now requires injecting a Blob

Building a single executable app now requires injecting a blob prepared by Node.js from a JSON config instead of injecting the raw JS file. This opens up the possibility of embedding multiple co-existing resources into the SEA (Single Executable Apps).

Contributed by Joyee Cheung in #47125

• Web Crypto API

Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations. This further improves interoperability with other implementations of Web Crypto API.

This change was made by Filip Skokan in #46067.

• WASI version must now be specified

When new WASI() is called, the version option is now required and has no default value. Any code that relied on the default for the version will need to be updated to request a specific version.

This change was made by Michael Dawson in #47391.

• Deprecations and Removals

• (SEMVER-MAJOR) url: runtime-deprecate url.parse() with invalid ports (Rich Trott) #45526

  url.parse() accepts URLs with ports that are not numbers. This behavior might result in host name spoofing with unexpected input. These URLs will throw an error in future versions of Node.js, as the WHATWG URL API does already. Starting with Node.js 20, these URLS cause url.parse() to emit a warning.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• openSUSE Leap 15.5
  zypper in -t patch SUSE-2023-4344=1 openSUSE-SLE-15.5-2023-4344=1
• Web and Scripting Module 15-SP5
  zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2023-4344=1

Package List:

• openSUSE Leap 15.5 (aarch64 ppc64le s390x x86_64 i586)
  • nodejs20-20.8.1-150500.11.3.1
  • nodejs20-debugsource-20.8.1-150500.11.3.1
  • nodejs20-devel-20.8.1-150500.11.3.1
  • npm20-20.8.1-150500.11.3.1
  • nodejs20-debuginfo-20.8.1-150500.11.3.1
  • corepack20-20.8.1-150500.11.3.1
• openSUSE Leap 15.5 (noarch)
  • nodejs20-docs-20.8.1-150500.11.3.1
• Web and Scripting Module 15-SP5 (aarch64 ppc64le s390x x86_64)
  • nodejs20-20.8.1-150500.11.3.1
  • nodejs20-debugsource-20.8.1-150500.11.3.1
  • nodejs20-devel-20.8.1-150500.11.3.1
  • npm20-20.8.1-150500.11.3.1
  • nodejs20-debuginfo-20.8.1-150500.11.3.1
• Web and Scripting Module 15-SP5 (noarch)
  • nodejs20-docs-20.8.1-150500.11.3.1

References:

• https://jira.suse.com/browse/PED-4819
• https://jira.suse.com/browse/PED-7088