nodejs:24 security update
エラータID: AXSA:2026-465:01
リリース日:
2026/04/19 Sunday - 15:47
題名:
nodejs:24 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- undici には、重複した Content-Length ヘッダーを許容してしまう
問題があるため、リモートの攻撃者により、HTTP リクエストスマグ
リング攻撃やサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-1525)
- undici の WebSocket クライアントの permessage-deflate 拡張機能
の実装には、リソースの制限を実施していない問題があるため、リモート
の攻撃者により、サービス拒否攻撃 (リソース枯渇) を可能とする脆弱性
が存在します。(CVE-2026-1526)
- undici の client.request() には、upgrade オプションで渡された
値をサニタイズせずに利用している問題があるため、リモートの攻撃者
により、情報の漏洩やデータ破壊を可能とする脆弱性が存在します。
(CVE-2026-1527)
- undici の WebSocket クライアントの ByteParser には、演算処理で
オーバーフローが発生する問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-1528)
- Node.js の TLS 処理スタックの pskCallback または ALPNCallback
を用いたエラーハンドラには、ファイルディスクリプタをリークさせて
しまう問題があるため、リモートの攻撃者により、サービス拒否攻撃
(TLS サーバーのクラッシュの発生、リソースの枯渇) を可能とする
脆弱性が存在します。(CVE-2026-21637)
- Node.js の HTTP リクエストのハンドリング処理には、"__proto__"
という名前のヘッダーの扱いが不適切である問題があるため、リモート
の攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2026-21710)
- Node.js の Permission Model には、Unix Domain Socket (UDS)
サーバーによる操作に対する権限チェックが不足している問題があるため、
ローカルの攻撃者により、情報の漏洩、およびデータ破壊を可能とする
脆弱性が存在します。(CVE-2026-21711)
- Node.js の url.format() には、無効な文字を含む IDN が渡された
際にアサーションに失敗する問題があるため、リモートの攻撃者により、
サービス拒否攻撃を可能とする脆弱性が存在します。(CVE-2026-21712)
- Node.js の HMAC の検証処理には、リモートの攻撃者により、
タイミング攻撃を可能とする脆弱性が存在します。(CVE-2026-21713)
- Node.js の HTTP/2 サーバーの実装には、メモリ領域の解放処理が
欠落しているため、リモートの攻撃者により、サービス拒否攻撃を可能
とする脆弱性が存在します。(CVE-2026-21714)
- Node.js の Permission Model には、fs.realpathSync.native() に
よる操作に対する権限チェックが不足している問題があるため、ローカル
の攻撃者により、情報の漏洩を可能とする脆弱性が存在します。
(CVE-2026-21715)
- Node.js には、CVE-2024-36137 の修正が不十分な問題があるため、
ローカルの攻撃者により、ファイルのパーミッションや所有者の変更を
可能とする脆弱性が存在します。(CVE-2026-21716)
- V8 エンジンの文字列のハッシュ化処理には、ハッシュの衝突を容易
に引き起こすことができる問題があるため、リモートの攻撃者により、
Node.js プロセスにおけるサービス拒否攻撃 (パフォーマンスの低下)
を可能とする脆弱性が存在します。(CVE-2026-21717)
- undici の WebSocket クライアントの permessage-deflate 拡張機能
の実装には、server_max_window_bits パラメーターの検証が不適切で
ある問題があるため、リモートの攻撃者により、サービス拒否攻撃を
可能とする脆弱性が存在します。(CVE-2026-2229)
- undici の DeduplicationHandler には、リソースの制限を実施して
いない問題があるため、リモートの攻撃者により、サービス拒否攻撃
(リソース枯渇) を可能とする脆弱性が存在します。(CVE-2026-2581)
- minimatch には、正規表現の不備に起因して意図せずリソースを消費
してしまう問題があるため、リモートの攻撃者により、多数の連続した
ワイルドカード文字 (*) などを含むように細工された正規表現の入力
を介して、正規表現サービス拒否攻撃 (CPU リソース枯渇) を可能と
する脆弱性が存在します。(CVE-2026-26996)
- nghttp2 には、内部状態の検証処理が不十分である問題があるため、
リモートの攻撃者により、サービス拒否攻撃を可能とする脆弱性が存在
します。(CVE-2026-27135)
Modularity name: nodejs
Stream name: 24
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2026-1525
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire. Who is impacted: * Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays * Applications that accept user-controlled header names without case-normalization Potential consequences: * Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request) * HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
CVE-2026-1526
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive. The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
CVE-2026-1527
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }
ImpactWhen an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to: * Inject arbitrary HTTP headers * Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch) The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters: // lib/dispatcher/client-h1.js:1121 if (upgrade) { header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n` }
CVE-2026-1528
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
ImpactA server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process. Patches Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.
CVE-2026-21637
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped.
CVE-2026-21710
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`. * This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
CVE-2026-21711
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary. This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
CVE-2026-21712
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
CVE-2026-21713
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values. Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
CVE-2026-21715
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
CVE-2026-21716
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions. This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
CVE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
CVE-2026-2229
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination. The vulnerability exists because: * The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15 * The createInflateRaw() call is not wrapped in a try-catch block * The resulting exception propagates up through the call stack and crashes the Node.js process
CVE-2026-2581
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies. PatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS). In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination. Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies. PatchesThe issue has been patched by changing deduplication behavior to stream response chunks to downstream handlers as they arrive (instead of full-body accumulation), and by preventing late deduplication when body streaming has already started. Users should upgrade to the first official Undici (and Node.js, where applicable) releases that include this patch.
CVE-2026-26996
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
CVE-2026-27135
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. Prior to version 1.68.1, the nghttp2 library stops reading the incoming data when user facing public API `nghttp2_session_terminate_session` or `nghttp2_session_terminate_session2` is called by the application. They might be called internally by the library when it detects the situation that is subject to connection error. Due to the missing internal state validation, the library keeps reading the rest of the data after one of those APIs is called. Then receiving a malformed frame that causes FRAME_SIZE_ERROR causes assertion failure. nghttp2 v1.68.1 adds missing state validation to avoid assertion failure. No known workarounds are available.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.3-1.module+el8+1972+a41a5887.src.rpm
MD5: 71795171f340547e6281ee0ecc957d5e
SHA-256: 45a9c672642e6a5bc41006e1e2c2be02eab19d7cb1374120950fd45da81fefc4
Size: 857.57 kB - nodejs-packaging-2021.06-6.module+el8+1972+a41a5887.src.rpm
MD5: 5b8b8e2ab668bf310aa8ae8698485f7b
SHA-256: 69721f0111fa03822c71a48df8aab5d8b0da48812f923b1188c0872b7b3b0a98
Size: 30.68 kB - nodejs-24.14.1-2.module+el8+1972+a41a5887.src.rpm
MD5: 93d0c121e05cc50a239e1f82ba0eaa89
SHA-256: 807e47597d7bc5ca50f24d727217ecbd9b1972dfe7877f541c9065ce1f358659
Size: 97.56 MB
Asianux Server 8 for x86_64
- nodejs-24.14.1-2.module+el8+1972+a41a5887.x86_64.rpm
MD5: 58d8f8e9fd43fea16651bd3fe2172e41
SHA-256: 79d688ed752506b7334464be79076c8cbb9dc1188e4f390fba459057b2827640
Size: 67.88 kB - nodejs-debugsource-24.14.1-2.module+el8+1972+a41a5887.x86_64.rpm
MD5: e11fbea3f6e12941bcf9fa380fb793d2
SHA-256: f02b60af09076cd5fc854027493c0d2f260c208ce10103baf0fd9c8ddb283711
Size: 21.27 MB - nodejs-devel-24.14.1-2.module+el8+1972+a41a5887.x86_64.rpm
MD5: 55355e48f983b3b7eac700ded3dc3286
SHA-256: a272371cc6908997aa8750a68f504599a6f1d11778d1e879f35abfe6893ae1d6
Size: 330.11 kB - nodejs-docs-24.14.1-2.module+el8+1972+a41a5887.noarch.rpm
MD5: 99daf0c3b4dd1173ecc95e2b1aa5f949
SHA-256: 465a31ad41bce7af5e14349f6b3eccbe60620c8211e2dea910db2fbba8197473
Size: 6.16 MB - nodejs-full-i18n-24.14.1-2.module+el8+1972+a41a5887.x86_64.rpm
MD5: 73750f1a80a80916a8c64fa4922385d5
SHA-256: de415954a50601d29fe26ea4280af54b81986cf0be4589e79f9b90fcfe4e5b6e
Size: 8.61 MB - nodejs-libs-24.14.1-2.module+el8+1972+a41a5887.x86_64.rpm
MD5: 42a92d46b81fd2d3f402c983b3e44132
SHA-256: 21326275b89027f65b0be362c2e03380d478760c03d4052266363dadba2414e6
Size: 18.57 MB - nodejs-nodemon-3.0.3-1.module+el8+1972+a41a5887.noarch.rpm
MD5: 787cd0a63b9a89d20d61857bc045b1e3
SHA-256: 86d1d76daffa7ec3398b2d75dad60d2ecff492a19ec75dc5bfbae8bab92e8511
Size: 531.37 kB - nodejs-packaging-2021.06-6.module+el8+1972+a41a5887.noarch.rpm
MD5: 496326205a8426b69e03a73e3b29456e
SHA-256: 06dceb8530b8aede578e3059af4bf4dc717a28be063103ee613a26990b2be22e
Size: 24.41 kB - nodejs-packaging-bundler-2021.06-6.module+el8+1972+a41a5887.noarch.rpm
MD5: 8fd1c0426291d185ac911cf4182279a1
SHA-256: 6e5926d3ae906164fd93420db52409f41db59e16bb13885b5fadf992a0041aa8
Size: 13.99 kB - npm-11.11.0-1.24.14.1.2.module+el8+1972+a41a5887.noarch.rpm
MD5: 72a9e9fe1f54eda70fb678d4fa53a83b
SHA-256: 814779129a17c1080175166a8abe7b65beef71f0e1b0ae5350fc25df859569fb
Size: 2.02 MB - v8-13.6-devel-13.6.233.17-1.24.14.1.2.module+el8+1972+a41a5887.x86_64.rpm
MD5: b0ba264a4a21bfc1d118d51fdd6d443c
SHA-256: e2b786094aaa003dcbe87221d19306d198639c9be88f03610ddc6bb5ab598fb6
Size: 33.66 kB
English