← Back to feed
Security patch:
nodejs/node v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95
GitHub·Backend·SecurityFix·3/24/2026
This is a security release. ### Notable Changes * (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High * (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High * (CVE-2026-21713) use timing-safe comparison in Web C
Why it matters → A security vulnerability was patched. Upgrade affected versions to mitigate risk.
Who should care → Anyone running affected versions in production.
nodenode.js
View original source ↗Source payload preview
{
"id": 300880224,
"url": "https://api.github.com/repos/nodejs/node/releases/300880224",
"body": "\n\n\nThis is a security release.\n\n### Notable Changes\n\n* (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High\n* (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High\n* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium\n* (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium\n* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium\n* (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low\n* (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low\n\n### Commits\n\n*
…