The Node.js project will be releasing new versions for each of its supported release lines on, or shortly after, the 15th of August, 2018 (UTC). These releases will incorporate a number of security fixes and an upgraded version of OpenSSL.

We consider all of the flaws being addressed in these releases to be low severity. However, users should assess the severity of the impact on their own applications using the information disclosed here and the additional disclosure that will come with the releases.

The OpenSSL team have announced that OpenSSL 1.1.0i and 1.0.2p will be made available on the 14th of August, 2018. There will be three "LOW severity" security fixes in this release that have already been disclosed, and the fixes made available on the OpenSSL git repository. Two of these items are relevant to Node.js users:

We will also be including the following items in these releases for LTS release lines:

The Node.js 10 "Current" release will not be limited to only security-related updates, as per policy for non-LTS release lines.

Releases will be available at, or shortly after, the 15th of August, 2018 (UTC), along with disclosure of details of the flaws addressed in order to allow for complete impact assessment by users.

The current Node.js security policy can be found at https://nodejs.org/en/security/.

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.