Update the docs to provide clearer instructions regarding the exact
scope of the use (and re-use) of an IV, stating the instructions
explicitly with greater clarity.
PR-URL: https://github.com/nodejs/node/pull/19810
Fixes: https://github.com/nodejs/node/issues/19748
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Clarify current behavior of http2server.close() and
http2secureServer.close() w.r.t. perceived differences
when compared with httpServer.close().
Fixes: https://github.com/nodejs/node/issues/19711
PR-URL: https://github.com/nodejs/node/pull/19802
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Added a reference to test coverage doc since its useful to have it here
as well
PR-URL: https://github.com/nodejs/node/pull/19825
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
In UNIX, the domain sockets once created persists until unlinked.
Clarify which ones are persisted and which ones are cleared manually.
In Windows, named pipes are cleared based on reference count,
implemented by the underlying system. Disambiguate this from
Garbage collection of the Node.js runtime.
Refs: https://github.com/nodejs/help/issues/1080
PR-URL: https://github.com/nodejs/node/pull/19471
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
In Streams3 the 'readable' event/.read() method had a lower precedence
than the `'data'` event that made them impossible to use them together.
This make `.resume()` a no-op if there is a listener for the
`'readable'` event, making the stream non-flowing if there is a
`'data'` listener.
Fixes: https://github.com/nodejs/node/issues/18058
PR-URL: https://github.com/nodejs/node/pull/18994
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit adds support for another AEAD algorithm and introduces
required API changes and extensions. Due to the design of CCM itself and
the way OpenSSL implements it, there are some restrictions when using
this mode as outlined in the updated documentation.
PR-URL: https://github.com/nodejs/node/pull/18138
Fixes: https://github.com/nodejs/node/issues/2383
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
* `at which to begin copying to` -> `at which to begin writing`
* `at which to begin copying from` -> `from which to begin copying`
* wrap at 80 chars
PR-URL: https://github.com/nodejs/node/pull/19817
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The original explanation was overly wordy, contained mildly questionable
punctuation, and did not wrap at 80 characters. This rewording fixes all
of these issues.
PR-URL: https://github.com/nodejs/node/pull/19785
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
this code change updates pull-requests.md to instruct developers to
update their local git config instead of global. This way their global
git config won't be overwritten if they use different email ID for work
or personal or non-Github projects
PR-URL: https://github.com/nodejs/node/pull/19777
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/19776
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Breaking changes wiki is not updated, so removing the paragraph
PR-URL: https://github.com/nodejs/node/pull/19795
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
An infrastructure issue caused a non-functioning msi installer for x64 to be promoted.
The patch release is to ensure that all binaries and installers work as expected.
PR-URL: https://github.com/nodejs/node/pull/19600
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
This commit improves the SystemError messages by allowing user
to combine a custom message and the libuv error message. Also
since we now prefer use subclasses to construct the errors instead
of using `new errors.SystemError()` directly, this removes
the behavior of assigning a default error code `ERR_SYSTEM_ERROR`
to SystemError and requires the user to directly use the
`ERR_SYSTEM_ERROR` class to construct errors instead.
Also merges `makeNodeError` into the SystemError class definition
since that's the only place the function gets used and it seems
unnecessary to introduce another level of inheritance. SystemError
now directly inherits from Error instead of an intermmediate Error
class that inherits from Error.
Class hierarchy before this patch:
ERR_SOCKET_BUFFER_SIZE -> Error (use message formatted by SystemError)
ERR_SYSTEM_ERROR -> NodeError (temp) -> Error
After:
ERR_SOCKET_BUFFER_SIZE -> SystemError -> Error
ERR_TTY_INIT_FAILED -> SystemError -> Error
ERR_SYSTEM_ERROR -> SystemError -> Error
Error messages before this patch:
```
const dgram = require('dgram');
const socket = dgram.createSocket('udp4');
socket.setRecvBufferSize(8192);
// Error [ERR_SOCKET_BUFFER_SIZE]: Could not get or set buffer
// size: Error [ERR_SYSTEM_ERROR]: bad file descriptor:
// EBADF [uv_recv_buffer_size]
// at bufferSize (dgram.js:191:11)
// at Socket.setRecvBufferSize (dgram.js:689:3)
const tty = require('tty');
new tty.WriteStream(1 << 30);
// Error [ERR_SYSTEM_ERROR]: invalid argument: EINVAL [uv_tty_init]
// at new WriteStream (tty.js:84:11)
```
After:
```
const dgram = require('dgram');
const socket = dgram.createSocket('udp4');
socket.setRecvBufferSize(8192);
// SystemError [ERR_SOCKET_BUFFER_SIZE]: Could not get or set buffer
// size: uv_recv_buffer_size returned EBADF (bad file descriptor)
// at bufferSize (dgram.js:191:11)
// at Socket.setRecvBufferSize (dgram.js:689:3)
const tty = require('tty');
new tty.WriteStream(1 << 30);
// SystemError [ERR_TTY_INIT_FAILED]: TTY initialization failed:
// uv_tty_init returned EINVAL (invalid argument)
// at new WriteStream (tty.js:84:11)
```
PR-URL: https://github.com/nodejs/node/pull/19514
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/19724
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The AssertionError was always exposed but never properly documented.
This explains how it is used and what options it accepts.
PR-URL: https://github.com/nodejs/node/pull/19724
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
* Fixed "cleanup" being misused as a verb
* "Use of Foo should only be used" construction changed to "Foo should
only be used..."
* Otherwise-unmentioned "`Persistent`" changed to more understandable
"persistent"
* remove an instance of unnecessary italics
* wrap at 80 characters
Change all "initialize a...instance to zeroes" to say "with zeroes"
instead. Previously, both formulations appeared.
PR-URL: https://github.com/nodejs/node/pull/19742
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Fixes: https://github.com/nodejs/node/issues/19457
PR-URL: https://github.com/nodejs/node/pull/19502
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Remove the `performance.getEntries()` and `performance.clear*()`
variants and eliminate the accumulation of the global timeline
entries. The design of this particular bit of the API is a memory
leak and performance footgun. The `PerformanceObserver` API is
a better approach to consuming the data in a more transient way.
PR-URL: https://github.com/nodejs/node/pull/19563
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Also introduces stronger type validations for options passed to vm
functions.
PR-URL: https://github.com/nodejs/node/pull/19398
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Updated the doc/api/process.md documentation to reflect that
listening on SIGUSR1 could impact the debugger.
Fixes: https://github.com/nodejs/node/issues/19619
PR-URL: https://github.com/nodejs/node/pull/19709
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove "if provided" when discussing arguments that are explicitly
indicated to be optional and have default values.
PR-URL: https://github.com/nodejs/node/pull/19690
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
A parameter that is explicitly identified as a string does not need to
be further specified in the text as a "JavaScript string". Remove the
type altogether as it is indicated in the argument description.
PR-URL: https://github.com/nodejs/node/pull/19689
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Favor 'utf16le' over its alias 'ucs2' in `buffer.md`.
Ref: https://github.com/nodejs/node/pull/19648#discussion_r178126083
PR-URL: https://github.com/nodejs/node/pull/19688
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
* Replace absolute link with relative link.
* Fix sorting in bottom references.
PR-URL: https://github.com/nodejs/node/pull/19721
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
This fixes trivial invalid quotes mistypes in inline code blocks,
e.g. forgotten quotes or mixed order.
Whether this could be easily automatically checked in lint is a
separate question: e.g. `'` is valid.
PR-URL: https://github.com/nodejs/node/pull/19713
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
As the introduction of ES6 features recedes further into the past, it
is less and less relevant (and more and more distracting) to cite it in
documentation text. Remove mention in buffer.md.
PR-URL: https://github.com/nodejs/node/pull/19685
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Keep the introduction for Buffers and character encodings short and to
the point. The current introduction doesn't provide much in the way of
useful additional information, but it is a bit confusing in its wording.
("such as" seems like it ought to refer to "encoded characters" but it
actually refers to character encodings, which are not mentioned in the
sentence. It may be arguable as to whether "hex-encoded" is in fact a
character encoding, whether it should be stylized as "Hex-encoded" or
not, and whether it should be spelled out as "Hexadecimal-encoded". None
of that information is particularly useful to the end user at this point
in the text. Omitting it simplifies and improves the documentation.)
Additionally, the section is now wrapped to 80 characters.
PR-URL: https://github.com/nodejs/node/pull/19648
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
Note that Node.js versions 10.X and later will be built with version
4.9.X or later of the GCC compiler, and it is possible that Node.js
version 9.X may be built on the 4.9.X compiler at a later time as the
stated minimum compiler requirement for Node.js version 9.X is 4.9.4.
Refs: https://github.com/nodejs/node/blob/v9.x/BUILDING.md
PR-URL: https://github.com/nodejs/node/pull/19678
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
Note that Node.js versions 10.X and later will be built with version
4.9.X or later of the GCC compiler, and it is possible that Node.js
version 8.X may be built on the 4.9.X compiler at a later time as the
stated minimum compiler requirement for Node.js version 8.X is 4.9.4.
Refs: https://github.com/nodejs/node/blob/v8.x/BUILDING.md
PR-URL: https://github.com/nodejs/node/pull/19679
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
PR-URL: https://github.com/nodejs/node/pull/19680
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
PR-URL: https://github.com/nodejs/node/pull/19681
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
* cluster:
- Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
https://github.com/nodejs/node/pull/19165
* crypto:
- Expose the public key of a certificate (Hannes Magnusson)
https://github.com/nodejs/node/pull/17690
* n-api:
- Add `napi_fatal_exception` to trigger an `uncaughtException` in
JavaScript (Mathias Buus)
https://github.com/nodejs/node/pull/19337
* path:
- Fix regression in `posix.normalize` (Michaël Zasso)
https://github.com/nodejs/node/pull/19520
* stream:
- Improve stream creation performance (Brian White)
https://github.com/nodejs/node/pull/19401
* Added new collaborators
- [BethGriggs](https://github.com/BethGriggs) Beth Griggs
PR-URL: https://github.com/nodejs-private/node-private/pull/111
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/112
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/113
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
Notable Changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/110
* improve text for easier comprehension
* clarify that performance impact is *negative*
* remove superfluous "either" (should only be used when there are 2
options anyway)
* remove superfluous italics
* line wrap at 80 chars
PR-URL: https://github.com/nodejs/node/pull/19623
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Tiancheng "Timothy" Gu <timothygu99@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
