chore(deps): update node.js to v16.4.1

This MR contains the following updates:

Package	Type	Update	Change
node	image	minor	16.3.0-alpine3.13 -> 16.4.1-alpine3.13
node	stage	minor	16.3.0-alpine3.13 -> 16.4.1-alpine3.13

---

Release Notes

nodejs/node

v16.4.1

Compare Source

This is a security release.

Notable Changes

Vulnerabilities fixed:

• CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
  • Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
• CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
  • Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921

Commits

• [d33aead28b] - deps: uv: cherry-pick 99c29c9 (Ben Noordhuis) nodejs-private/node-private#​267
• [2690907b81] - win,msi: set install directory permission (AkshayK) nodejs-private/node-private#​269

v16.4.0

Compare Source

Notable changes

• async_hooks:
  • stabilize part of AsyncLocalStorage (Vladimir de Turckheim) #​37675
• deps:
  • upgrade npm to 7.18.1 (npm-robot) #​39065
  • update V8 to 9.1.269.36 (Michaël Zasso) #​38273
• dns:
  • allow --dns-result-order to change default dns verbatim (Ouyang Yadong) #​38099

Commits

• [d2b972ee52] - async_hooks: check for empty contexts before removing (Bryan English) #​39095
• [03e75fda4c] - async_hooks: switch between native and context hooks correctly (Stephen Belanger) #​38912
• [8115e6ee6d] - (SEMVER-MINOR) async_hooks: stabilize part of AsyncLocalStorage (Vladimir de Turckheim) #​37675
• [5f51729014] - bootstrap: move event loop handle checking into snapshot builder (Joyee Cheung) #​39007
• [9d100aa269] - bootstrap: split NodeMainInstance::Run() (Joyee Cheung) #​39007
• [2aaf2f231f] - build: reconfigure when gyp files change on Windows (Joyee Cheung) #​39066
• [7f225a05ee] - Revert "build: work around bug in MSBuild v16.10.0" (Michaël Zasso) #​38977
• [1853127dde] - build: reset embedder string to "-node.0" (Michaël Zasso) #​38273
• [c0d236f5ea] - build: make build-addons errors fail the build (Richard Lau) #​38983
• [173292bcf8] - build: fix commit-queue default branch (Mary Marchini) #​38998
• [e939e243bf] - build: don't pass python override to V8 build (Richard Lau) #​38969
• [651c58b412] - build: correct Xcode spelling in .gitignore (bl-ue) #​38895
• [5203c9ced7] - build: fast-track npm MRs and dont-land them on LTS (Michaël Zasso) #​38885
• [7de57d4d33] - build: dont-land gyp-next MRs on LTS branches (Michaël Zasso) #​38887
• [e87cd4542b] - child_process: refactor to use validateBoolean (Qingyu Deng) #​38927
• [69fa9e16e9] - (SEMVER-MINOR) child_process: allow options.cwd receive a URL (Khaidi Chu) #​38862
• [cf9d686c35] - crypto: fix aes crash when tag length too small (Khaidi Chu) #​38914
• [1799ea36f0] - crypto: use compatible version of EVP_CIPHER_name (Shelley Vohr) #​38925
• [6d5dc63ae4] - crypto: fix label cast in EVP_PKEY_CTX_set0_rsa_oaep_label (Shelley Vohr) #​38926
• [6e93c17bf5] - crypto: use EVP_get_cipherbynid directly (Shelley Vohr) #​38901
• [82c293959e] - crypto: add missing rand.h include (Shelley Vohr) #​38864
• [e4f802de9a] - debugger: rename internal library for clarity (Rich Trott) #​39080
• [1e8bdab581] - debugger: use ERR_DEBUGGER_STARTUP_ERROR in _inspect.js (Rich Trott) #​39024
• [b43cb69fbb] - debugger: use error codes in debugger REPL (Rich Trott) #​39024
• [dc9218136b] - debugger: use ERR_DEBUGGER_ERROR in debugger client (Rich Trott) #​39024
• [711916a271] - debugger: remove unnecessary boilerplate copyright comment (Rich Trott) #​38952
• [0f65e41442] - debugger: reduce scope of eslint disable comment (Rich Trott) #​38946
• [1fa724ec5a] - deps: upgrade npm to 7.18.1 (npm-robot) #​39065
• [c6aa68598d] - deps: upgrade npm to 7.17.0 (npm-robot) #​38999
• [864fe9910b] - deps: make V8 9.1 abi-compatible with 9.0 (Michaël Zasso) #​38991
• [c93f3573eb] - deps: V8: cherry-pick fa4cb17 (Michaël Zasso) #​38273
• [3c6c28b0a1] - deps: V8: cherry-pick 4c07451 (Michaël Zasso) #​38273
• [3c37396d5c] - deps: V8: cherry-pick 5f44131 (Michaël Zasso) #​38273
• [3433559a55] - deps: V8: cherry-pick 272445f (Michaël Zasso) #​38273
• [f56c78574e] - deps: V8: cherry-pick c0fceaa (Michaël Zasso) #​38273
• [7197fcec93] - deps: V8: cherry-pick d59db06 (Michaël Zasso) #​38273
• [bf7aa9fef8] - deps: silence irrelevant V8 warnings (Michaël Zasso) #​37587
• [eac377bc15] - deps: V8: backport aaacffa (Michaël Zasso) #​38273
• [1a7c8a12c1] - deps: fix V8 build issue with inline methods (Jiawen Geng) #​35415
• [3c9a75522b] - deps: make v8.h compatible with VS2015 (Joao Reis) #​32116
• [8ed258339a] - deps: V8: forward declaration of Rtl*FunctionTable (Refael Ackermann) #​32116
• [4ef37c83a9] - deps: V8: patch register-arm64.h (Refael Ackermann) #​32116
• [7c61c6ee25] - deps: V8: un-cherry-pick bd019bd (Refael Ackermann) #​32116
• [e82ef4148e] - (SEMVER-MINOR) deps: update V8 to 9.1.269.36 (Michaël Zasso) #​38273
• [70af146745] - deps: upgrade npm to 7.16.0 (npm-robot) #​38920
• [a71df7630e] - (SEMVER-MINOR) dns: allow --dns-result-order to change default dns verbatim (Ouyang Yadong) #​38099
• [dce256b210] - doc: remove references to deleted freenode channels (devsnek) #​39047
• [1afff98805] - doc: fix typos (bl-ue) #​39049
• [858f66e691] - doc: add missing parameter types (Voltrex) #​39013
• [ed91379186] - doc: clearify that http does chunked encoding itself (Mao Wtm) #​28379
• [51561f390a] - doc: add missing changelog links (Antoine du Hamel) #​39016
• [a19170eb9d] - doc: clarify that only one Python version is required to build (bl-ue) #​38894
• [7b219992e0] - doc: fix markup for aesImportParams (Tobias Nießen) #​38898
• [405b50cdba] - doc: use await in filehandle.truncate() snippet (RA80533) #​38939
• [5218fe86d1] - doc: fixed typo in process.md (Derevianchenko Maksym) #​38941
• [f903ad85f2] - doc: add missing semis after classes (Darshan Sen) #​38931
• [0bdeeda3b5] - doc: update write callback documentation (Simone Busoli) #​38959
• [7a7c0588ad] - doc: mark util.inherits as legacy (Voltrex) #​38896
• [f6964dc506] - doc: clarify when readable._read(...) is called (Shaun Keys) #​38726
• [3481b02e77] - doc: mark Node.js v15.x as EOL (Antoine du Hamel) #​38891
• [17a9846920] - doc: fix .mjs syntax in crypto.md (himself65) #​38882
• [8c7b2bab5f] - doc,fs: remove experimental status for WHATWG URL as path (Antoine du Hamel) #​38870
• [eddde6c31a] - errors: don't rekey on primitive type (Benjamin Coe) #​39025
• [3d7892ef39] - errors: add ERR_DEBUGGER_STARTUP_ERROR (Rich Trott) #​39024
• [631856ea32] - errors: add ERR_DEBUGGER_ERROR (Rich Trott) #​39024
• [336571fbdd] - Revert "http: make HEAD method to work with keep-alive" (Michaël Zasso) #​38949
• [c2b4fbba0f] - lib: remove semicolon in preparation for babel/eslint-parser update (Rich Trott) #​39094
• [f17dde81f3] - lib: make internal/options lazy (Joyee Cheung) #​38993
• [551430514b] - lib: add JSDoc typings for child_process (Voltrex) #​38222
• [ded83350a0] - lib: make primordials Promise methods safe (Antoine du Hamel) #​38650
• [637c1fa83c] - lib: refactor debuglog init (Antoine du Hamel) #​38838
• [5b5e07a2cc] - meta: update label-pr-config (Michaël Zasso) #​38950
• [92ed1c6cce] - module: fix legacy node specifier resolution to resolve "main" field (Antoine du Hamel) #​38979
• [4174f139b6] - net: use missing validator (Voltrex) #​38984
• [f7724ab342] - node-api: avoid crashing on passed-in null string (Gabriel Schulhof) #​38923
• [ec3e5b4c15] - node-api: avoid SecondPassCallback crash (Michael Dawson) #​38899
• [74f5e30d69] - node-api: rtn pending excep on napi_new_instance (legendecas) #​38798
• [4c6193fea1] - report: generates report on threads with no isolates (legendecas) #​38994
• [3c7a7d9ee4] - (SEMVER-MINOR) src: allow to negate boolean CLI flags (Michaël Zasso) #​39023
• [284d9c6228] - src: cleanup uv_fs_t regardless of success or not (legendecas) #​38996
• [902bb858d7] - src: refactor to use locale functions (Darshan Sen) #​39014
• [10370c5e8a] - src: fix multiple AddLinkedBinding() calls (Anna Henningsen) #​39012
• [ff8313c3a5] - src: throw error in LoadBuiltinModuleSource when reading fails (Joyee Cheung) #​38904
• [9ba5518f08] - src: skip test_fatal/test_threads for Debug builds (Daniel Bevenius) #​38805
• [06afb8df65] - (SEMVER-MINOR) src: make InitializeOncePerProcess more flexible (Shelley Vohr) #​38888
• [db4b192113] - src: add not-weak DCHECK to PersistentToLocal::Strong (Anna Henningsen) #​38875
• [08b2a4a138] - src,test: raise error for --enable-fips when no FIPS (Daniel Bevenius) #​38859
• [5d92c09bbf] - src,url: separate some tables out of node_url.cc (Khaidi Chu) #​38988
• [c20e28e1a0] - stream: fix pipeline pump (Robert Nagy) #​39006
• [7b026d8a72] - test: move inspector-cli tests to sequential (Rich Trott) #​39079
• [a53911b166] - test: improve buffer coverage (Rongjian Zhang) #​38538
• [5e9175f148] - test: fix name of variable in inspector-cli test (Tobias Nießen) #​38869
• [bd924610ec] - test: fix typo (Houssem Chebab) #​39045
• [d50df5dec1] - test: fix typo in test-http2-invalidheaderfield.js (Ikko Ashimine) #​39021
• [6111671d45] - test: adapt abort tests for new Windows code (Michaël Zasso) #​38273
• [1816d46cef] - test: adapt test-linux-perf to V8 changes (Michaël Zasso) #​38273
• [32961c4781] - test: fix V8 serdes test for V8 9.1 (Michaël Zasso) #​38273
• [f652284b3b] - test: remove obsolete TLS test (Rich Trott) #​39001
• [81bbeab3bd] - test: improve coverage of lib/events.js (Rongjian Zhang) #​38582
• [e82111f890] - test: http outgoing _headers setter null (ycjcl868) #​38881
• [1f10e84939] - test: suppress warning in test_environment.cc (Daniel Bevenius) #​38868
• [379b5f79a9] - tls: tweak clientCertEngine argument parsing (Shelley Vohr) #​38900
• [78d2e0ed8e] - tools: update babel-eslint-parser to 7.14.5 (Rich Trott) #​39094
• [fed641127a] - tools: update ESLint to 7.29.0 (Rich Trott) #​39083
• [3ae2a0be48] - tools: fix typo (Houssem Chebab) #​39044
• [a1d0aef60e] - tools: update doctool dependencies, migrate to ESM (Michaël Zasso) #​38966
• [2a292cf574] - tools: update V8 gypfiles for 9.1 (Michaël Zasso) #​38273
• [0c90fd8454] - tools: avoid crashing CQ when git push fails (Antoine du Hamel) #​36861
• [f817c2d3bb] - tools: fix typo in commit-queue.sh (bl-ue) #​39000
• [be5101eb32] - tools: update ESLint to 7.28.0 (Luigi Pinca) #​38955
• [9bf9ddb490] - tools: refactor snapshot builder (Joyee Cheung) #​38902
• [0706565097] - tools: bump remark-preset-lint-node to 2.3.0 (Rich Trott) #​38910
• [7d35fa7938] - tools: update gyp-next to v0.9.1 (Jiawen Geng) #​38867
• [00c20e621f] - tools,doc: forbid CJS globals in ESM code snippets (Antoine du Hamel) #​38889
• [99161b09f6] - url,src: simplify ipv6 logic by using uv_inet_pton (Khaidi Chu) #​38842
• [f40725f2a1] - vm: use missing validator (Voltrex) #​38935
• [f959cb3c68] - worker: do not look up context twice in PostMessage (Anna Henningsen) #​38784

---

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this MR, check this box.

---

This MR has been generated by Renovate Bot.