0
0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Commit Graph

301 Commits

Author SHA1 Message Date
Beth Griggs
d602e586bf
2020-02-06, Version 10.19.0 'Dubnium' (LTS)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
          HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
          HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
          Remotely trigger an assertion on a TLS server with a malformed
          certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/198
2020-02-06 03:05:04 +00:00
Beth Griggs
e65ae42785
2020-02-06, Version 12.15.0 'Erbium' (LTS)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/197
2020-02-06 02:55:47 +00:00
Beth Griggs
f0f2583c91
2020-02-06, Version 13.8.0 (Current)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/196
2020-02-06 02:39:39 +00:00
Shelley Vohr
a484f1acf3
2020-01-21, Version 13.7.0 (Current)
Notable changes:

* deps:
  * upgrade to libuv 1.34.1 (cjihrig) https://github.com/nodejs/node/pull/31332
  * upgrade npm to 6.13.6 (Ruy Adorno) https://github.com/nodejs/node/pull/31304
* module
  * add API for interacting with source maps (bcoe) https://github.com/nodejs/node/pull/31132
  * loader getSource, getFormat, transform hooks (Geoffrey Booth) https://github.com/nodejs/node/pull/30986
  * logical conditional exports ordering (Guy Bedford) https://github.com/nodejs/node/pull/31008
  * unflag conditional exports (Guy Bedford) https://github.com/nodejs/node/pull/31001
* process:
  * allow monitoring uncaughtException (Gerhard Stoebich) https://github.com/nodejs/node/pull/31257
* Added new collaborators:
  * [GeoffreyBooth](https://github.com/GeoffreyBooth) - Geoffrey Booth. https://github.com/nodejs/node/pull/31306

PR-URL: https://github.com/nodejs/node/pull/31382
2020-01-21 09:58:13 -08:00
Andrew Hughes
5170daaca5 doc: fix changelog for v10.18.1
PR-URL: https://github.com/nodejs/node/pull/31358
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2020-01-16 10:25:18 -08:00
Beth Griggs
9d5d4f84e3
2020-01-09, Version 10.18.1 'Dubnium' (LTS)
- http2: fix session memory accounting after pausing (Michael Lehenbauer)
  [#30684](https://github.com/nodejs/node/pull/30684)
- n-api: correct bug in napi_get_last_error (Octavian Soldea)
  [#28702](https://github.com/nodejs/node/pull/28702)
- tools: update tzdata to 2019c (Myles Borins)
  [#30479](https://github.com/nodejs/node/pull/30479)

PR-URL: https://github.com/nodejs/node/pull/31248
2020-01-09 21:48:45 +00:00
Ruben Bridgewater
e908323b7e
2020-01-07, Version v13.6.0 (Current)
Notable changes:

* assert:
  * Implement `assert.match()` and `assert.doesNotMatch()` (Ruben
    Bridgewater) https://github.com/nodejs/node/pull/30929
* events:
  * Add `EventEmitter.on` to async iterate over events (Matteo Collina)
    https://github.com/nodejs/node/pull/27994
  * Allow monitoring error events (Gerhard Stoebich)
    https://github.com/nodejs/node/pull/30932
* fs:
  * Allow overriding `fs` for streams (Robert Nagy)
    https://github.com/nodejs/node/pull/29083
* perf_hooks:
  * Move `perf_hooks` out of experimental (legendecas)
    https://github.com/nodejs/node/pull/31101
* repl:
  * Implement ZSH-like reverse-i-search (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/31006
* tls:
  * Add PSK (pre-shared key) support (Denys Otrishko)
    https://github.com/nodejs/node/pull/23188

PR-URL: https://github.com/nodejs/node/pull/31238
2020-01-08 00:10:43 +01:00
Beth Griggs
f5512ff61e
2020-01-07, Version 12.14.1 'Erbium' (LTS)
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  https://github.com/nodejs/node/pull/30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      https://github.com/nodejs/node/pull/30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      https://github.com/nodejs/node/pull/30493
- v8: mark serdes API as stable (Anna Henningsen)
  https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/31069
2020-01-07 17:25:49 +00:00
Myles Borins
24263ff718
2019-12-18, Version 13.5.0 (Current)
Notable Changes:

* cli:
  * add --trace-exit cli option (legendecas)
    https://github.com/nodejs/node/pull/30516
* http,https:
  * increase server headers timeout (Tim Costa)
    https://github.com/nodejs/node/pull/30071
* readline:
  * update ansi-regex (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30907
  * promote \_getCursorPos to public api (Jeremy Albright)
    https://github.com/nodejs/node/pull/30687
* repl:
  * add completion preview (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30907
* util:
  * add Set and map size to inspect output (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30225
* wasi:
  * require CLI flag to require() wasi module (Colin Ihrig)
    https://github.com/nodejs/node/pull/30963

PR-URL: https://github.com/nodejs/node/pull/31010
2019-12-18 13:51:03 -05:00
Myles Borins
bef1e87e1c
2019-12-17, Version 13.4.0 (Current)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:
* deps:
  * update npm to 6.13.4
    https://github.com/nodejs/node/pull/30904
  * update uvwasi (Anna Henningsen)
    https://github.com/nodejs/node/pull/30745
  * upgrade to libuv 1.34.0 (Colin Ihrig)
    https://github.com/nodejs/node/pull/30783
* doc:
  * docs deprecate http finished (Robert Nagy)
    https://github.com/nodejs/node/pull/28679
* events:
  * add captureRejection option (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* http:
  * add captureRejection support (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
  * llhttp opt-in insecure HTTP header parsing (Sam Roberts)
    https://github.com/nodejs/node/pull/30567
* http2:
  * implement capture rection for 'request' and 'stream' events (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* net:
  * implement capture rejections for 'connection' event (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* repl:
  * support previews by eager evaluating input (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30811
* stream:
  * add support for captureRejection option (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* tls:
  * implement capture rejections for 'secureConnection' event (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
  * expose IETF name for current cipher suite (Sam Roberts)
    https://github.com/nodejs/node/pull/30637
* worker:
  * add argv constructor option (legendecas)
    https://github.com/nodejs/node/pull/30559

PR-URL: https://github.com/nodejs/node/pull/30937
2019-12-17 17:29:02 -05:00
Myles Borins
75c5de2218
2019-12-17, Version 12.14.0 'Erbium' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30938
2019-12-17 17:16:25 -05:00
Myles Borins
178c5d86b0
2019-12-17, Version 10.18.0 'Dubnium' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30940
2019-12-17 17:15:40 -05:00
Myles Borins
8bfa4d0480
2019-12-17, Version 8.17.0 'Carbon' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30941
2019-12-17 17:15:09 -05:00
Ruben Bridgewater
4091ea90b6
2019-12-03, Version 13.3.0 (Current)
Notable changes:

* fs:
  * Reworked experimental recursive `rmdir()`  (cjihrig)
    https://github.com/nodejs/node/pull/30644
    * The `maxBusyTries` option is renamed to `maxRetries`, and its
      default is set to 0. The `emfileWait` option has been removed,
      and `EMFILE` errors use the same retry logic as other errors.
      The `retryDelay` option is now supported. `ENFILE` errors are
      now retried.
* http:
  * Make maximum header size configurable per-stream or per-server
    (Anna Henningsen) https://github.com/nodejs/node/pull/30570
* http2:
  * Make maximum tolerated rejected streams configurable (Denys
    Otrishko) https://github.com/nodejs/node/pull/30534
  * Allow to configure maximum tolerated invalid frames (Denys
    Otrishko) https://github.com/nodejs/node/pull/30534
* wasi:
  * Introduce initial WASI support (cjihrig)
    https://github.com/nodejs/node/pull/30258

PR-URL: https://github.com/nodejs/node/pull/30774
2019-12-03 22:57:31 +01:00
Kirlat
f6de66ee71
doc: fix a typo in a date for version 13.2.0
PR-URL: https://github.com/nodejs/node/pull/30587
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2019-11-22 14:24:01 +01:00
Myles Borins
b8f8f05002
2019-11-21, Version 13.2.0 (Current)
Notable changes:

* addons:
  * Deprecate one- and two-argument `AtExit()`. Use the three-argument
    variant of `AtExit()` or `AddEnvironmentCleanupHook()` instead
    (Anna Henningsen) https://github.com/nodejs/node/pull/30227
* child_process,cluster:
  * The `serialization` option is added that allows child process
    IPC to use the V8 serialization API (to e.g., pass through data
    types like sets or maps) (Anna Henningsen)
    https://github.com/nodejs/node/pull/30162
* deps:
  * Update V8 to 7.9
  * Update `npm` to 6.13.0 (Ruy Adorno)
    https://github.com/nodejs/node/pull/30271
* embedder:
  * Exposes the ability to pass cli flags / options through an API
    as embedder (Shelley Vohr)
    https://github.com/nodejs/node/pull/30466
  * Allow adding linked bindings to Environment (Anna Henningsen)
    https://github.com/nodejs/node/pull/30274
* esm:
  * Unflag --experimental-modules (Guy Bedford)
    https://github.com/nodejs/node/pull/29866
* stream:
  * Add `writable.writableCorked` property (Robert Nagy)
    https://github.com/nodejs/node/pull/29012
* worker:
  * Allow specifying resource limits (Anna Henningsen)
    https://github.com/nodejs/node/pull/26628
* v8:
  * The Serialization API is now stable (Anna Henningsen)
    https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/30547
2019-11-21 17:14:59 -05:00
Michaël Zasso
b351d30701
2019-11-19, Version 12.13.1 'Erbium' (LTS)
Notable changes:

* Experimental support for building Node.js with Python 3 is improved.
* ICU time zone data is updated to version 2019c. This fixes the date
  offset in Brazil.

PR-URL: https://github.com/nodejs/node/issues/30352
2019-11-19 11:50:23 +01:00
Michaël Zasso
309e1eae79
2019-11-05, Version 13.1.0 (Current)
Notable changes:

* cli:
  * Added a new flag (`--trace-uncaught`) that makes Node.js print the
    stack trace at the time of throwing uncaught exceptions, rather than
    at the creation of the `Error` object, if there is any. This is
    disabled by default because it affects GC behavior.
    https://github.com/nodejs/node/pull/30025
* crypto
  * Added `Hash.prototype.copy()` method. It returns a new `Hash` object
    with its internal state cloned from the original one.
    https://github.com/nodejs/node/pull/29910
* dgram
  * Added source-specific multicast support. This adds methods to
    Datagram sockets to support RFC 4607
    (https://tools.ietf.org/html/rfc4607) for IPv4 and IPv6.
    https://github.com/nodejs/node/pull/15735
* fs
  * Added a `bufferSize` option to `fs.opendir()`. It allows to control
    the number of entries that are buffered internally when reading from
    the directory. https://github.com/nodejs/node/pull/30114
* meta
  * Added Chengzhong Wu (https://github.com/legendecas) to
    collaborators. https://github.com/nodejs/node/pull/30115

PR-URL: https://github.com/nodejs/node/pull/30262
2019-11-05 19:39:20 +01:00
Myles Borins
5a042a6b1a
2019-10-23, Version 13.0.1 (Current)
Notable changes:

* deps:
  * Fixed a bug in npm 6.12.0 where warnings are emitted on Node.js
    13.x. https://github.com/nodejs/node/pull/30079
* esm:
  * Changed file extension resolution order of
    `--es-module-specifier-resolution=node`to match that of the CommonJS
    loader. https://github.com/nodejs/node/pull/29974

PR-URL: https://github.com/nodejs/node/pull/30081
2019-10-23 12:34:20 +02:00
Beth Griggs
afbbcb050e
2019-10-22, Version 10.17.0 'Dubnium' (LTS)
Notable changes:

* crypto:
  * add support for chacha20-poly1305 for AEAD (chux0519)
    https://github.com/nodejs/node/pull/24081
  * increase maxmem range from 32 to 53 bits (Tobias Nießen)
    https://github.com/nodejs/node/pull/28799
* deps:
  * update npm to 6.11.3 (claudiahdz)
    https://github.com/nodejs/node/pull/29430
  * upgrade openssl sources to 1.1.1d (Sam Roberts)
    https://github.com/nodejs/node/pull/29921
* dns:
  * remove dns.promises experimental warning (cjihrig)
    https://github.com/nodejs/node/pull/26592
* fs:
  * remove experimental warning for fs.promises (Anna Henningsen)
    https://github.com/nodejs/node/pull/26581
* http:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* http2:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* n-api:
  * make func argument of napi\_create\_threadsafe\_function optional
    (legendecas)
    https://github.com/nodejs/node/pull/27791
  * mark version 5 N-APIs as stable (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/29401
  * implement date object (Jarrod Connolly)
    https://github.com/nodejs/node/pull/25917
* process:
  * add --unhandled-rejections flag (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/26599
* stream:
  * implement Readable.from async iterator utility (Guy Bedford)
    https://github.com/nodejs/node/pull/27660
  * make Symbol.asyncIterator support stable (Matteo Collina)
    https://github.com/nodejs/node/pull/26989

PR-URL: https://github.com/nodejs/node/pull/29875
2019-10-22 20:15:24 +01:00
Beth Griggs
42bf0c8df2
2019-10-22, Version 13.0.0 (Current)
Notable changes:

* assert:
  * If the validation function passed to `assert.throws()` or
    `assert.rejects()` returns a value other than `true`, an assertion
    error will be thrown instead of the original error to highlight the
    programming mistake (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
  * If a constructor function is passed to validate the instance of
    errors thrown in `assert.throws()` or `assert.reject()`, an
    assertion error will be thrown instead of the original error
    (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
* build:
  * Node.js releases are now built with default full-icu support. This
    means that all locales supported by ICU are now included and
    Intl-related APIs may return different values than before
    (Richard Lau).
    https://github.com/nodejs/node/pull/29887
  * The minimum Xcode version supported for macOS was increased to 10.
    It is still possible to build Node.js with Xcode 8 but this may no
    longer be the case in a future v13.x release (Michael Dawson).
    https://github.com/nodejs/node/pull/29622
* child_process:
  * `ChildProcess._channel` (DEP0129) is now a Runtime deprecation
    (cjihrig).
    https://github.com/nodejs/node/pull/27949
* console:
  * The output `console.timeEnd()` and `console.timeLog()` will now
    automatically select a suitable time unit instead of always using
    milliseconds (Xavier Stouder).
    https://github.com/nodejs/node/pull/29251
* deps:
  * The V8 engine was updated to version 7.8. This includes performance
    improvements to object destructuring, memory usage and WebAssembly
    startup time (Myles Borins).
    https://github.com/nodejs/node/pull/29694)
* domain:
  * The domain's error handler is now executed with the active domain
    set to the domain's parent to prevent inner recursion
    (Julien Gilli).
    https://github.com/nodejs/node/pull/26211
* fs:
  * The undocumented method `FSWatcher.prototype.start()` was removed
    (Lucas Holmquist).
    https://github.com/nodejs/node/pull/29905
  * Calling the `open()` method on a `ReadStream` or `WriteStream` now
    emits a runtime deprecation warning. The methods are supposed to be
    internal and should not be called by user code (Robert Nagy).
    https://github.com/nodejs/node/pull/29061
  * `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now
    accept any safe integer as their `offset` parameter. The value of
    `offset` is also no longer coerced, so a valid type must be passed
    to the functions (Zach Bjornson).
    https://github.com/nodejs/node/pull/26572
* http:
  * Aborted requests no longer emit the `end` or `error` events after
    `aborted` (Robert Nagy).
    https://github.com/nodejs/node/pull/27984
    https://github.com/nodejs/node/pull/20077
  * Data will no longer be emitted after a socket error (Robert Nagy).
    https://github.com/nodejs/node/pull/28711
  * The legacy HTTP parser (previously available under the
    `--http-parser=legacy` flag) was removed (Anna Henningsen).
    https://github.com/nodejs/node/pull/29589
  * The `host` option for HTTP requests is now validated to be a string
    value (Giorgos Ntemiris).
    https://github.com/nodejs/node/pull/29568
  * The `request.connection` and `response.connection` properties are now
    runtime deprecated. The equivalent `request.socket` and `response.socket`
    should be used instead (Robert Nagy).
    https://github.com/nodejs/node/pull/29015
* http, http2:
  * The default server timeout was removed (Ali Ijaz Sheikh).
    https://github.com/nodejs/node/pull/27558
  * Brought 425 status code name into accordance with RFC 8470. The name
    changed from "Unordered Collection" to "Too Early" (Sergei Osipov).
    https://github.com/nodejs/node/pull/29880
* lib:
  * The `error.errno` property will now always be a number. To get the
    string value, use `error.code` instead (Joyee Cheung).
    https://github.com/nodejs/node/pull/28140
* module:
  * `module.createRequireFromPath()` is deprecated. Use
    `module.createRequire()` instead (cjihrig).
    https://github.com/nodejs/node/pull/27951
* src:
  * Changing the value of `process.env.TZ` will now clear the tz cache.
    This affects the default time zone used by methods such as
    `Date.prototype.toString` (Ben Noordhuis).
    https://github.com/nodejs/node/pull/20026
* stream:
  * The timing and behavior of streams was consolidated for a number of
    edge cases. Please look at the individual commits below for more
    information.

PR-URL: https://github.com/nodejs/node/pull/29504
2019-10-22 17:12:12 +01:00
Michaël Zasso
701933ca8f
2019-10-21, Version 12.13.0 'Erbium' (LTS)
This release marks the transition of Node.js 12.x into Long Term Support
(LTS) with the codename 'Erbium'. The 12.x release line now moves into
"Active LTS" and will remain so until October 2020. After that time, it
will move into "Maintenance" until end of life in April 2022.

Notable changes:

npm was updated to 6.12.0. It now includes a version of `node-gyp` that
supports Python 3 for building native modules.

PR-URL: https://github.com/nodejs/node/pull/29981
2019-10-21 11:12:52 +02:00
Unlocked
c62503994a
doc: fix --enable-source-maps flag in v12.12.0 changelog
Corrects "--source-map-support" to "--enable-source-maps".

Fixes: https://github.com/nodejs/node/issues/29959
PR-URL: https://github.com/nodejs/node/pull/29960
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2019-10-14 15:00:10 +02:00
Ruben Bridgewater
06f6d662f6
2019-10-11, Version 12.12.0 (Current)
Notable changes:

* build:
  * Add `--force-context-aware` flag to prevent usage of native node
    addons that aren't context aware
    https://github.com/nodejs/node/pull/29631
* deprecations:
  * Add documentation-only deprecation for `process._tickCallback()`
    https://github.com/nodejs/node/pull/29781
* esm:
  * Using JSON modules is experimental again
    https://github.com/nodejs/node/pull/29754
* fs:
  * Introduce `opendir()` and `fs.Dir` to iterate through directories
    https://github.com/nodejs/node/pull/29349
* process:
  * Add source-map support to stack traces by using
    `--source-map-support` https://github.com/nodejs/node/pull/29564
* tls:
  * Honor `pauseOnConnect` option
    https://github.com/nodejs/node/pull/29635
  * Add option for private keys for OpenSSL engines
    https://github.com/nodejs/node/pull/28973

PR-URL: https://github.com/nodejs/node/pull/29919
2019-10-11 21:25:36 +02:00
Nick Schonning
81bc7b3ba5 doc: escape brackets not used as markdown reference links
These can turn into links if reference links are added to the document

PR-URL: https://github.com/nodejs/node/pull/29809
Reviewed-By: Rich Trott <rtrott@gmail.com>
2019-10-10 22:15:58 -07:00
Beth Griggs
a04b04f4cf
2019-10-09, Version 8.16.2 'Carbon' (LTS)
Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes:

- **deps**: upgrade openssl sources to 1.0.2s (Sam Roberts)
  [#28230](https://github.com/nodejs/node/pull/28230)

PR-URL: https://github.com/nodejs/node/pull/29617
2019-10-09 21:25:39 +01:00
Nick Schonning
420d4e461d doc: add dash between SHA and PR in changelog
It gets confused as a reference link otherwis

PR-URL: https://github.com/nodejs/node/pull/29558
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-10-02 12:17:40 -07:00
Nick Schonning
4267b88d4f doc: convert old changlogs SHA links to match newer format
PR-URL: https://github.com/nodejs/node/pull/29558
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-10-02 12:17:36 -07:00
Nick Schonning
b01f17bbaa doc: complete cut off links in old changelog
PR-URL: https://github.com/nodejs/node/pull/29558
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-10-02 12:17:34 -07:00
Michaël Zasso
d9fd2cd0ff
2019-10-01, Version 12.11.1 (Current)
Notable changes:

* build:
  * This release fixes a regression that prevented from building Node.js
    using the official source tarball.
    https://github.com/nodejs/node/pull/29712
* deps:
  * Updated small-icu data to support "unit" style in the
    `Intl.NumberFormat` API.
    https://github.com/nodejs/node/pull/29735

PR-URL: https://github.com/nodejs/node/pull/29796
2019-10-01 18:44:05 +02:00
XhmikosR
a8956e4676 doc: remove redundant escape
PR-URL: https://github.com/nodejs/node/pull/29716
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-10-01 08:50:53 -07:00
XhmikosR
f81bef5398 doc: fix 404 links
For `www.cve.mitre.org` they don't seem to redirect www to naked.

PR-URL: https://github.com/nodejs/node/pull/29661
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-09-26 22:32:46 -07:00
Ruben Bridgewater
d36b6f8da3
2019-09-24, Version 12.11.0 (Current)
Notable changes:

* crypto:
  * Add `oaepLabel` option https://github.com/nodejs/node/pull/29489
* deps:
  * Update V8 to 7.7.299.11 https://github.com/nodejs/node/pull/28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    https://github.com/nodejs/node/pull/29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    https://github.com/nodejs/node/pull/29260
* inspector:
  * New API - `Session.connectToMainThread`
    https://github.com/nodejs/node/pull/28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    https://github.com/nodejs/node/pull/28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    https://github.com/nodejs/node/pull/29639
* tls:
  * Add option to override signature algorithms
    https://github.com/nodejs/node/pull/29598
* util:
  * Add `encodeInto` to `TextEncoder`
    https://github.com/nodejs/node/pull/29524
* worker:
  * The `worker_thread` module is now stable
    https://github.com/nodejs/node/pull/29512

PR-URL: https://github.com/nodejs/node/pull/29695
2019-09-26 01:14:24 +02:00
Nick Schonning
e2dcbf1c32 doc: use consistent unordered list style
Convert to asterisks when there are mixed styles in document.
Addresses Markdownlint MD004 rule

PR-URL: https://github.com/nodejs/node/pull/29516
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-16 11:24:54 -07:00
Nick Schonning
f6152857f9 doc: indent child list items for remark-lint
Child items not aligned to parent are flagged by list-item-bullet-indent

PR-URL: https://github.com/nodejs/node/pull/29488
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-10 01:18:35 -07:00
Nick Schonning
c929b15d1d doc: space around lists
Address markdownlint rule MD032.
Flagged a few mixed list styles.

PR-URL: https://github.com/nodejs/node/pull/29467
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-09 16:45:24 -07:00
XhmikosR
ab05d43083 doc: remove wrong escapes
PR-URL: https://github.com/nodejs/node/pull/29452
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2019-09-08 13:39:29 -07:00
Rich Trott
210b930c74 doc: prepare markdown files for more stringent blank-line linting
PR-URL: https://github.com/nodejs/node/pull/29447
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2019-09-07 07:07:25 -07:00
Ruben Bridgewater
02c74e72ea
2019-09-04, Version 12.10.0 (Current)
Notable changes:

* deps:
  * Update npm to 6.10.3 (isaacs)
    https://github.com/nodejs/node/pull/29023
* fs:
  * Add recursive option to rmdir() (cjihrig)
    https://github.com/nodejs/node/pull/29168
  * Allow passing true to emitClose option (Giorgos Ntemiris)
    https://github.com/nodejs/node/pull/29212
  * Add \*timeNs properties to BigInt Stats objects (Joyee Cheung)
    https://github.com/nodejs/node/pull/21387
* net:
  * Allow reading data into a static buffer (Brian White)
    https://github.com/nodejs/node/pull/25436

PR-URL: https://github.com/nodejs/node/pull/29429
2019-09-04 20:10:18 +02:00
Nick Schonning
a3307eac0e doc: use consistent indenting for unordered list items
Address Markdownlint MD007 rule.
Default suggestion is 2 space indenting for unordered list items.

PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-09-03 20:55:39 -07:00
Nick Schonning
27a57d3a34 doc: start unorded lists at start of line
Address Markdownlint MD006 rule.
Can flag when list items aren't indented far enough.

PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-09-03 20:55:39 -07:00
Nick Schonning
61d973affb doc: escape elements swallowed as HTML in markdown
Addresses Markdownlint MD033 issues.
Altering changlog should usually be avoided, but they don't render
currently.

PR-URL: https://github.com/nodejs/node/pull/29374
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-02 07:46:45 +02:00
Nick Schonning
9a46cfc337 doc: remove multiple consecutive blank lines
These are rendered as single breaks.
Addresses Markdownlint MD012 rule.

PR-URL: https://github.com/nodejs/node/pull/29352
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-08-31 15:27:58 -07:00
Nick Schonning
1d5186e657 doc: inconsistent indentation for list items
Items at same level should have consistent indentation level.
Addresses Markdownlint MD005 errors.

PR-URL: https://github.com/nodejs/node/pull/29330
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-08-28 22:48:12 -07:00
Michaël Zasso
d770b8a931
2019-08-26, Version 12.9.1 (Current)
Notable changes:

This release fixes two regressions in the http module:

* Fixes an event listener leak in the HTTP client. This resulted in lots
  of warnings during npm/yarn installs.
  https://github.com/nodejs/node/pull/29245
* Fixes a regression preventing the `'end'` event from being emitted for
  keepalive requests in case the full body was not parsed.
  https://github.com/nodejs/node/pull/29263

PR-URL: https://github.com/nodejs/node/pull/29321
2019-08-26 20:36:17 +02:00
Michaël Zasso
edc83a9203
2019-08-20, Version 12.9.0 (Current)
Notable changes:

* crypto:
  * Added an oaepHash option to asymmetric encryption which allows
    users to specify a hash function when using OAEP padding.
    https://github.com/nodejs/node/pull/28335
* deps:
  * Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955
    * Improves the performance of various APIs such as `JSON.parse` and
      methods called on frozen arrays.
    * Adds the Promise.allSettled method.
    * Improves support of `BigInt` in `Intl` methods.
    * For more information: https://v8.dev/blog/v8-release-76
  * Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070
    * `UV_FS_O_FILEMAP` has been added for faster access to memory
      mapped files on Windows.
    * `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on
      Windows. It previously returned `UV_ENOENT`.
    * The `uv_fs_statfs()` API has been added.
    * The `uv_os_environ()` and `uv_os_free_environ()` APIs have been
      added.
* fs:
  * Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise
    version) methods. They allow to write an array of `ArrayBufferView`s
    to a file descriptor. https://github.com/nodejs/node/pull/25925
    https://github.com/nodejs/node/pull/29186
* http:
  * Added three properties to `OutgoingMessage.prototype`:
    `writableObjectMode`, `writableLength` and `writableHighWaterMark`
    https://github.com/nodejs/node/pull/29018
* stream:
  * Added an new property `readableEnded` to readable streams. Its value
    is set to `true` when the `'end'` event is emitted.
    https://github.com/nodejs/node/pull/28814
  * Added an new property `writableEnded` to writable streams. Its value
    is set to `true` after `writable.end()` has been called.
    https://github.com/nodejs/node/pull/28934

PR-URL: https://github.com/nodejs/node/pull/29210
2019-08-20 21:37:07 +02:00
Andrew Hughes
791409a9ce
doc: fixup changelog for v10.16.3
Remove (SEMVER-MINOR) label from patch commit. Add link to table.

Refs: https://github.com/nodejs/node/pull/26990

PR-URL: https://github.com/nodejs/node/pull/29159
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2019-08-16 11:08:03 +01:00
Beth Griggs
affa23bc88
2019-08-15, Version 8.16.1 'Carbon' (LTS)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29152
2019-08-15 23:30:22 +01:00
Beth Griggs
004e2b759f
2019-08-15, Version 10.16.3 'Dubnium' (LTS)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29148
2019-08-15 22:50:53 +01:00
Michaël Zasso
edc2e5be34
2019-08-15, Version 12.8.1 (Current)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29133
2019-08-15 14:49:36 +02:00