Skip to content

chore(deps): update tool versions (mise)#8

Open
NexPB wants to merge 1 commit intomainfrom
renovate/tool-versions-(mise)
Open

chore(deps): update tool versions (mise)#8
NexPB wants to merge 1 commit intomainfrom
renovate/tool-versions-(mise)

Conversation

@NexPB
Copy link
Copy Markdown
Owner

@NexPB NexPB commented Mar 22, 2026
edited
Loading

This PR contains the following updates:

Package Update Change Age Confidence
elixir (source) patch 1.19.5-otp-281.19.5 age confidence
erlang patch 28.428.4.1 age confidence
node (source) patch 24.14.024.14.1 age confidence
pnpm (source) minor 10.32.010.33.0 age confidence

Release Notes

elixir-lang/elixir (elixir)

v1.19.5

Compare Source

1. Enhancements
Elixir
  • [Protocol] Optimize protocol consolidation to no longer load structs
2. Bug fixes
Elixir
  • [Kernel] Fix unnecessary recompilation when dbg_callback is modified at runtime
  • [Kernel] Fix parser crash on missing parentheses on expression following operator not in
  • [Kernel] Support fetching abstract code for modules compiled with Elixir v1.14 and earlier
  • [Protocol] Ensure protocol consolidation no longer stores outdated struct types. As a consequence, protocols types only track struct names at the moment
  • [Stream] Revert optimization which caused nested streams in Stream.flat_map/2 to crash
IEx
  • [IEx] Fix usage of #iex:break as part of multi-line prompts
Logger
  • [Logger.Backends] Do not crash on invalid metadata
erlang/otp (erlang)

v28.4.1: OTP 28.4.1

Compare Source

Patch Package:           OTP 28.4.1
Git Tag:                 OTP-28.4.1
Date:                    2026-03-12
Trouble Report Id:       OTP-20007, OTP-20009, OTP-20011, OTP-20012,
                         OTP-20014, OTP-20018, OTP-20022
Seq num:                 CVE-2026-23941, CVE-2026-23942,
                         CVE-2026-23943, ERIERL-1303, ERIERL-1305,
                         GH-10694, PR-10707, PR-10798, PR-10809,
                         PR-10811, PR-10813, PR-10825, PR-10833
System:                  OTP
Release:                 28
Application:             crypto-5.8.3, inets-9.6.1, kernel-10.6.1,
                         ssh-5.5.1, ssl-11.5.3
Predecessor:             OTP 28.4

Check out the git tag OTP-28.4.1, and build a full OTP system including documentation. Apply one or more applications from this build as patches to your installation using the 'otp_patch_apply' tool. For information on install requirements, see descriptions for each application version below.

crypto-5.8.3

The crypto-5.8.3 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • Fix memory leak in crypo:engine_load if called with incorrect commands.

    Own Id: OTP-20014
    Related Id(s): PR-10798

Full runtime dependencies of crypto-5.8.3

erts-9.0, kernel-6.0, stdlib-3.9

inets-9.6.1

The inets-9.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • The httpd server now rejects HTTP requests containing multiple Content-Length headers with different values, returning a 400 Bad Request response. This prevents potential HTTP request smuggling attacks. Thanks Luigino Camastra at Aisle Research for responsibly disclosing this vulnerability

    Own Id: OTP-20007
    Related Id(s): PR-10833, CVE-2026-23941

Full runtime dependencies of inets-9.6.1

erts-14.0, kernel-9.0, mnesia-4.12, public_key-1.13, runtime_tools-1.8.14, ssl-9.0, stdlib-5.0, stdlib-6.0

kernel-10.6.1

The kernel-10.6.1 application can be applied independently of other applications on a full OTP 28 installation.

Fixed Bugs and Malfunctions

  • A vulnerability has been resolved in the (undocumented, unsupported and unused in OTP) inet_dns_tsig module that leads to a validation bypass.

    If a request contained an error code (forbidden by spec), it was treated as a response and skipped the verification of the MAC. The user of the module would then receive an "all ok" response, depending on the use case, this could lead to such things as AXFR or UPDATE being allowed.

    The code has also been tightening up of the client side to make sure too large (bad) MAC sizes cannot be selected and the limit is the output size of the algorithm chosen.

    Own Id: OTP-20012
    Related Id(s): PR-10825

Full runtime dependencies of kernel-10.6.1

crypto-5.0, erts-15.2.5, sasl-3.0, stdlib-7.0

ssh-5.5.1

Note! The ssh-5.5.1 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependency has to be satisfied:
   -- crypto-5.7 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • Fixed path traversal vulnerability in SFTP server's root option allowing authenticated users to access sibling directories with matching name prefixes. The root option used string prefix matching instead of path component validation. With {root, "/home/user1"}, attackers could access /home/user10/ or /home/user123/. Thanks to Luigino Camastra, Aisle Research.

    Own Id: OTP-20009
    Related Id(s): PR-10811, CVE-2026-23942

  • Fixed excessive memory usage vulnerability in SSH compression allowing attackers to consume system resources through decompression bombs. The 'zlib' and 'zlib@openssh.com' algorithms lacked decompression size limits, allowing 256 KB packets to expand to 255 MB (1029:1 ratio). This could lead to crashes on systems with limited memory.

    The fix removes zlib from default compression algorithms and implements decompression size limits for both algorithms. Thanks to Igor Morgenstern at Aisle Research

    Own Id: OTP-20011
    Related Id(s): PR-10813, CVE-2026-23943

Full runtime dependencies of ssh-5.5.1

crypto-5.7, erts-14.0, kernel-10.3, public_key-1.6.1, runtime_tools-1.15.1, stdlib-5.0, stdlib-6.0

ssl-11.5.3

Note! The ssl-11.5.3 application cannot be applied independently of other applications on an arbitrary OTP 28 installation.

   On a full OTP 28 installation, also the following runtime
   dependencies have to be satisfied:
   -- crypto-5.8 (first satisfied in OTP 28.3)
   -- public_key-1.18.3 (first satisfied in OTP 28.1)

Fixed Bugs and Malfunctions

  • TLS-1.3 certificate request now preserves the order of signature algorithms in certificate request extension to be in the servers preferred order, which might affect the choice made by some TLS clients.

    Own Id: OTP-20022
    Related Id(s): ERIERL-1305, GH-10694, PR-10707

Improvements and New Features

  • Document that setting transport protocol specific socket options is not generally expected to work for TLS and if it happens to work it comes with consequences that should be understood an accepted by the user. Also retain some backwards compatibility with such an option that happened to work to buy time for people to come up with better solutions.

    Own Id: OTP-20018
    Related Id(s): ERIERL-1303, PR-10809

Full runtime dependencies of ssl-11.5.3

crypto-5.8, erts-16.0, inets-5.10.7, kernel-10.3, public_key-1.18.3, runtime_tools-1.15.1, stdlib-7.0

Thanks to

Alexander Clouter, Hewwho

nodejs/node (node)

v24.14.1: 2026-03-24, Version 24.14.1 'Krypton' (LTS), @​RafaelGSS prepared by @​juanarbol

Compare Source

This is a security release.

Notable Changes
  • (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
  • (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
  • (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
  • (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
  • (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
  • (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
  • (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
  • (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
Commits
pnpm/pnpm (pnpm)

v10.33.0: pnpm 10.33

Compare Source

Minor Changes

  • Added a new dedupePeers setting that reduces peer dependency duplication. When enabled, peer dependency suffixes use version-only identifiers (name@version) instead of full dep paths, eliminating nested suffixes like (foo@1.0.0(bar@2.0.0)). This dramatically reduces the number of package instances in projects with many recursive peer dependencies #​11070.

Patch Changes

  • Fail on incompatible lockfiles in CI when frozen lockfile mode is enabled, while preserving non-frozen CI fallback behavior.

  • When package metadata is malformed or can't be fetched, the error thrown will now show the originating error.

  • Fixed intermittent failures when multiple pnpm dlx calls run concurrently for the same package. When the global virtual store is enabled, the importer now verifies file content before skipping a rename, avoiding destructive swap-renames that break concurrent processes. Also tolerates EPERM during bin creation on Windows and properly propagates enableGlobalVirtualStore through the install pipeline.

  • Fixed handling of non-string version selectors in hoistPeers, preventing invalid peer dependency specifiers.

  • Improve the non-interactive modules purge error hint to include the confirmModulesPurge=false workaround.

    When pnpm needs to recreate node_modules but no TTY is available, the error now suggests either setting CI=true or disabling the purge confirmation prompt via confirmModulesPurge=false.

    Adds a regression test for the non-TTY flow.

  • Fixed false "Command not found" errors on Windows when a command exists in PATH but exits with a non-zero code. Also fixed path resolution for --filter contexts where the command runs in a different package directory.

  • When a pnpm-lock.yaml contains two documents, ignore the first one. pnpm v11 will write two lockfile documents into pnpm-lock.yaml in order to store pnpm version integrities and config dependency resolutions.

  • Fixed a bug preventing the clearCache function returned by createNpmResolver from properly clearing metadata cache.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

v10.32.1: pnpm 10.32.1

Compare Source

Patch Changes

  • Fix a regression where pnpm-workspace.yaml without a packages field caused all directories to be treated as workspace projects. This broke projects that use pnpm-workspace.yaml only for settings (e.g. minimumReleaseAge) without defining workspace packages #​10909.

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

Configuration

📅 Schedule: Branch creation - "before 9am on Monday" in timezone Asia/Tokyo, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@NexPB NexPB added the dependencies Pull requests that update a dependency file label Mar 22, 2026
@NexPB NexPB force-pushed the renovate/tool-versions-(mise) branch from c35c04e to 97db6cb Compare March 29, 2026 23:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@NexPB