- Wrapped SNICallback in try/catch and added timing‑safe HMAC/KMAC comparisons, null‑prototype header objects, and permission checks for pipe, realpath.native, and fs/promises to address several high‑severity CVEs
- Fixed URL handling crashes, NGHTTP2 flow‑control errors, and added tests for array‑index hash collisions
- Updated dependencies: Undici to 7.24.4, npm to 11.11.1, and V8 depot tools version
Sentry updates in 2026-w13
- Fix multiple high‑ and medium‑severity CVEs (e.g., null‑prototype headers, SNICallback try/catch, array index hash collision, timing‑safe crypto comparisons, NGHTTP2 flow‑control handling, URL format crash, permission checks for fs.promi...
- Update core dependencies: undici to 7.24.4, npm to 11.11.0, and backport several V8 fixes
- Add permission checks in lib/fs/promises and realpath.native to harden file‑system APIs
- Wrap SNICallback invocation in a try/catch to mitigate crashes (CVE-2026-21637).
- Use null-prototype objects for headersDistinct/trailersDistinct and timing-safe HMAC comparison, and add permission checks to realpath.native and fs/promises (CVE-2026-21710, -21713, -21715, -21716).
- Handle NGHTTP2 ERR_FLOW_CONTROL error code and address array index hash collision (CVE-2026-21714, -21717).
- Fixed multiple CVE‑related vulnerabilities including array index hash collisions, timing‑side‑channel issues in Web Crypto HMAC/KMAC, and unsafe header prototypes
- Added permission checks to lib/fs/promises and realpath.native to harden file‑system APIs
- Improved error handling for NGHTTP2 flow‑control errors and wrapped TLS SNICallback in try/catch