chore(deps): update hermit tools #12
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Author
Branch automerge failureThis PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead. |
renovate
bot
force-pushed
the
renovate/hermit-tools
branch
6 times, most recently
from
66e4163 to
2a26ad1
Compare
renovate
bot
force-pushed
the
renovate/hermit-tools
branch
3 times, most recently
from
28650e6 to
f212121
Compare
renovate
bot
force-pushed
the
renovate/hermit-tools
branch
from
f212121 to
181f91d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
24.12.0→24.13.010.27.0→10.28.23.46.4→3.48.0Release Notes
nodejs/node (node)
v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @marco-ippolitoCompare Source
This is a security release.
Notable Changes
lib:
lib,permission:
src:
src,lib:
tls:
Commits
2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #609973e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #612834ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#79789adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#7487302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#77320075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#75920591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796pnpm/pnpm (pnpm)
v10.28.2: pnpm 10.28.2Compare Source
Patch Changes
Security fix: prevent path traversal in
directories.binfield.When pnpm installs a
file:orgit:dependency, it now validates that symlinks point within the package directory. Symlinks to paths outside the package root are skipped to prevent local data from being leaked intonode_modules.This fixes a security issue where a malicious package could create symlinks to sensitive files (e.g.,
/etc/passwd,~/.ssh/id_rsa) and have their contents copied when the package is installed.Note: This only affects
file:andgit:dependencies. Registry packages (npm) have symlinks stripped during publish and are not affected.Fixed optional dependencies to request full metadata from the registry to get the
libcfield, which is required for proper platform compatibility checks #9950.Platinum Sponsors
Gold Sponsors
v10.28.1: pnpm 10.28.1Compare Source
Patch Changes
Fixed installation of config dependencies from private registries.
Added support for object type in
configDependencieswhen the tarball URL returned from package metadata differs from the computed URL #10431.Fix path traversal vulnerability in binary fetcher ZIP extraction
ERR_PNPM_PATH_TRAVERSALerrorSupport plain
http://andhttps://URLs ending with.gitas git repository dependencies.Previously, URLs like
https://gitea.example.org/user/repo.git#commitwere not recognized as git repositories because they lacked thegit+prefix (e.g.,git+https://). This caused issues when installing dependencies from self-hosted git servers like Gitea or Forgejo that don't provide tarball downloads.Changes:
http://andhttps://URLs ending in.gitas git repositoriesisRepositorycheck from the tarball resolver since it's no longer needed with the new resolver orderFixes #10468
pnpm run -randpnpm run --filternow fail with a non-zero exit code when no packages have the specified script. Previously, this only failed when all packages were selected. Use--if-presentto suppress this error #6844.Fixed a path traversal vulnerability in tarball extraction on Windows. The path normalization was only checking for
./but not.\. Since backslashes are directory separators on Windows, malicious packages could use paths likefoo\..\..\.npmrcto write files outside the package directory.When running "pnpm exec" from a subdirectory of a project, don't change the current working directory to the root of the project #5759.
Fixed a path traversal vulnerability in pnpm's bin linking. Bin names starting with
@bypassed validation, and after scope normalization, path traversal sequences like../../remained intact.Revert Try to avoid making network calls with preferOffline #10334.
Fix
--save-peerto write valid semver ranges topeerDependenciesfor protocol-based installs (e.g.jsr:) by deriving from resolved versions when available and falling back to*if none is available #10417.Do not exclude the root workspace project, when it is explicitly selected via a filter #10465.
Platinum Sponsors
Gold Sponsors
v10.28.0: pnpm 10.28Compare Source
Minor Changes
beforePackingthat can be used to customize thepackage.jsoncontents at publish time #3816.pnpm install --filter ...) was slower than runningpnpm installwithout any filter arguments. This performance regression is now fixed. Filtered installs should be as fast or faster than a full install #10408.Patch Changes
requiredScriptssetting inpnpm-workspace.yaml#10261.Platinum Sponsors
Gold Sponsors
go-task/task (task)
v3.48.0if:conditions when using to check dynamic variables. Also, skipvariable prompt if task would be skipped by
if:(#2658, #2660 by @vmaerten).ROOT_TASKFILEvariable pointing to directory instead of the actualTaskfile path when no explicit
-tflag is provided (#2635, #1706 by@trulede).
silent: truenow properly propagate silence to theirtasks, while still allowing individual tasks to override with
silent: false(#2640, #1319 by @trulede).
--cacertforself-signed certificates and
--cert/--cert-keyfor mTLS authentication(#2537, #2242 by @vmaerten).
v3.47.0directory includes are properly resolved (#2602 by @vmaerten).
output: prefixed, printprefix:if set instead of task name (#1566,#2633 by @trulede).
--color=false(#2560, #2584 by@trulede).
s-*as alias for
start-*) (#1900, #2234 by @vmaerten).iffield: skip tasks, commands, or taskcalls based on shell exit codes or template expressions like
{{ eq .ENV "prod" }}(#2564, #608 by @vmaerten).in a TTY, with support for enum selection menus. Enable with
--interactiveflag or
interactive: truein.taskrc.yml(#2579, #2079 by @vmaerten).Configuration
📅 Schedule: Branch creation - "after 10pm every weekday,before 6am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.