Update Mar 24, 2026 tracked by Updatify

2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito

This is a security release.

Notable Changes

  • (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
  • (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
  • (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
  • (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
  • (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
  • (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
  • (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)

Commits