build: update dependency node to v22.23.0 (22.0.x) #33417
See associated pull request for more information.
Code Review
This pull request updates the Node.js version from 22.22.3 to 22.23.0 in .nvmrc and the main Bazel toolchain configuration to address security vulnerabilities. Feedback indicates that the development toolchain (node_dev) was missed in this update and should also be upgraded to 22.23.0 to ensure consistency and security across all environments.
| "22.23.0-windows_amd64": ("node-v22.23.0-win-x64.zip", "node-v22.23.0-win-x64", "425a5bd68cc95e8eb16bcccd0a75081b48983fc6a26f67126bd4d6c7198231e8"), | ||
| }, | ||
| node_version = "22.22.3", | ||
| node_version = "22.23.0", |
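Review bot: this hunk bumps only the single node_version line of the main toolchain, so confirm that every other toolchain block in the same file (the node_dev extension raised in the review comment) receives the same bump, and verify the 64-hex sha256 of the windows_amd64 entry against the SHASUMS256.txt Node publishes for v22.23.0 before merging, since that value is what pins the toolchain download.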
The main Node.js toolchain has been updated to 22.23.0 to address several security vulnerabilities (including CVE-2026-48618 and CVE-2026-48933). However, the node_dev extension's node22 toolchain (defined on lines 66-78) remains on the older, vulnerable version 22.22.3.
To ensure that development and testing environments are secure and aligned with the main toolchain, please update the node22 toolchain under node_dev to 22.23.0 as well, using the same repository hashes:
    # Node.js 22
    node_dev.toolchain(
        name = "node22",
        node_repositories = {
            "22.23.0-darwin_arm64": ("node-v22.23.0-darwin-arm64.tar.gz", "node-v22.23.0-darwin-arm64", "e0f383a215dd3093de6d2c74f87056dc2306a2e09ad494cbffdba28f89046f56"),
            "22.23.0-darwin_amd64": ("node-v22.23.0-darwin-x64.tar.gz", "node-v22.23.0-darwin-x64", "dc2ccab261fd70c347e4cc52085d8d226f471ccba1fc2a7252283949b31ca9f9"),
            "22.23.0-linux_arm64": ("node-v22.23.0-linux-arm64.tar.xz", "node-v22.23.0-linux-arm64", "4018815ac1bed4f18208901bbde524fee881253b591ee7bc952660e69bd057af"),
            "22.23.0-linux_ppc64le": ("node-v22.23.0-linux-ppc64le.tar.xz", "node-v22.23.0-linux-ppc64le", "864760dde36a03bf0da8f74b511c41a31adae4f50284a20066518775269539aa"),
            "22.23.0-linux_s390x": ("node-v22.23.0-linux-s390x.tar.xz", "node-v22.23.0-linux-s390x", "8c5ba195dff6c11a292ffbe199931c7b52d3f233d25fa908718b99d0e0f9d09d"),
            "22.23.0-linux_amd64": ("node-v22.23.0-linux-x64.tar.xz", "node-v22.23.0-linux-x64", "14d7de44f235534799f8b171a4050d9a6a4bc99c87e053a25d3d54afa580aa20"),
            "22.23.0-windows_amd64": ("node-v22.23.0-win-x64.zip", "node-v22.23.0-win-x64", "425a5bd68cc95e8eb16bcccd0a75081b48983fc6a26f67126bd4d6c7198231e8"),
        },
        node_version = "22.23.0",
    )
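One way to catch the drift the review comment describes before it reaches a branch, as an added example that is not code from this project or from rules_nodejs: audit every `*.toolchain(...)` block in a MODULE.bazel-style file, compare each `node_version` with the version pinned in `.nvmrc`, and confirm the pinned version actually has `node_repositories` entries with 64-hex sha256 values. The module text below is a constructed sample modelled on the PR (the 22.22.3 hash is an all-zero placeholder, not a real digest).

```python
import re

# Constructed sample: main toolchain bumped to 22.23.0, node_dev left on 22.22.3.
# The 22.23.0 digests are the ones quoted in the PR; the 22.22.3 digest is a placeholder.
SAMPLE_MODULE = '''
node.toolchain(
    name = "node22",
    node_repositories = {
        "22.23.0-linux_amd64": ("node-v22.23.0-linux-x64.tar.xz", "node-v22.23.0-linux-x64", "14d7de44f235534799f8b171a4050d9a6a4bc99c87e053a25d3d54afa580aa20"),
        "22.23.0-windows_amd64": ("node-v22.23.0-win-x64.zip", "node-v22.23.0-win-x64", "425a5bd68cc95e8eb16bcccd0a75081b48983fc6a26f67126bd4d6c7198231e8"),
    },
    node_version = "22.23.0",
)
node_dev.toolchain(
    name = "node22",
    node_repositories = {
        "22.22.3-linux_amd64": ("node-v22.22.3-linux-x64.tar.xz", "node-v22.22.3-linux-x64", "0000000000000000000000000000000000000000000000000000000000000000"),
    },
    node_version = "22.22.3",
)
'''

# One `<extension>.toolchain( ... )` block; the closing paren sits at column 0.
TOOLCHAIN_RE = re.compile(r'(\w+)\.toolchain\((.*?)\n\)', re.S)
# One node_repositories entry: "<version>-<platform>": (archive, strip_prefix, sha256)
REPO_ENTRY_RE = re.compile(
    r'"(\d+\.\d+\.\d+)-([a-z0-9_]+)":\s*\("[^"]*",\s*"[^"]*",\s*"([0-9a-fA-F]*)"\)')


def pinned_version(nvmrc_text):
    """Version string from .nvmrc, tolerating a leading 'v' and whitespace."""
    return nvmrc_text.strip().lstrip("v")


def audit_toolchains(module_text, expected_version):
    """Return human-readable findings; an empty list means every toolchain is consistent."""
    findings = []
    for ext, body in TOOLCHAIN_RE.findall(module_text):
        name = re.search(r'name\s*=\s*"([^"]+)"', body).group(1)
        version = re.search(r'node_version\s*=\s*"([^"]+)"', body).group(1)
        label = f"{ext}.toolchain {name}"
        if version != expected_version:
            findings.append(f"{label}: node_version {version} != expected {expected_version}")
        repo_versions = set()
        for ver, plat, sha in REPO_ENTRY_RE.findall(body):
            repo_versions.add(ver)
            if len(sha) != 64:  # a truncated or missing digest silently weakens the pin
                findings.append(f"{label}: {ver}-{plat} sha256 is not 64 hex chars")
        if version not in repo_versions:  # node_version must be resolvable from the dict keys
            findings.append(f"{label}: no node_repositories entry for {version}")
    return findings


if __name__ == "__main__":
    for finding in audit_toolchains(SAMPLE_MODULE, pinned_version("v22.23.0\n")):
        print(finding)
```

Run against a real MODULE.bazel and .nvmrc the same way; a non-empty result is a merge blocker for a security bump like this one.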
This PR contains the following updates:
22.22.3 → 22.23.0 (Release Notes)
nodejs/node (node)
v22.23.0: 2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95
This is a security release.
Notable Changes
Commits
[38b4c5ed51] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
[ad8a10c1bb] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
[ca825a87cc] - deps: update undici to 6.27.0 (aduh95) #63711
[a1a5bb9683] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
[0f48583512] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #62891
[38c869fc05] - deps: update nghttp2 to 1.68.0 (nodejs-github-bot) #61136
[290667c84f] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790
[c9f3da76aa] - deps: update nghttp2 to 1.66.0 (Node.js GitHub Bot) #58786
[60890be563] - deps: update nghttp2 to 1.65.0 (Node.js GitHub Bot) #57269
[5024c7d5d8] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #63820
[7f4eb5af2e] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #63820
[ebb4ec78a8] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #62656
[5763d40826] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
[c551a51d0c] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
[0a22d40180] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
[c79968e108] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
[0c37bff2ff] - http2: fix DEP0194 message (KaKa) #58669
[ea5dc6b529] - (SEMVER-MAJOR) http2: remove support for priority signaling (Matteo Collina) #58293
[9b6af26132] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
[28dcd38864] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
[2f62693801] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
[1662a3ea09] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
[718d5d0e2c] - test: skip test-fs-utimes-y2K38 on armv7 (Richard Lau) #63836
[041185b61f] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238
[fd890ba01d] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
[39d1d09684] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
[2197a47144] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869