August 13th, 2019
The Node.js project will release new versions of all supported release lines on, or shortly after, Thursday, August 15th, 2019 UTC. These releases will incorporate security fixes to HTTP/2 Denial of Service vulnerabilities in Node.js, the highest severity of which is HIGH.
The Denial of Service vulnerabilities to be fixed are common to a broad range of HTTP/2 implementations. Details about them were publicly disclosed on August 13th, 2019. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
Releases for all actively supported release lines (Node.js 8, 10, and 12) will be made available to fix the disclosed HTTP/2 vulnerabilities.
Releases will be available at, or shortly after, Thursday, August 15th, 2019 UTC, along with disclosure of the details for the flaws addressed in each release in order to allow for complete impact assessment by users.
Contact and future updates
The current Node.js security policy and information about how to report a vulnerability can be found at https://nodejs.org/en/security/.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.