Notable changes:
An infrastructure issue caused a non-functioning msi installer for x64 to be promoted.
The patch release is to ensure that all binaries and installers work as expected.
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
Note that Node.js versions 10.X and later will be built with version
4.9.X or later of the GCC compiler, and it is possible that Node.js
version 9.X may be built on the 4.9.X compiler at a later time as the
stated minimum compiler requirement for Node.js version 9.X is 4.9.4.
Refs: https://github.com/nodejs/node/blob/v9.x/BUILDING.md
PR-URL: https://github.com/nodejs/node/pull/19678
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
Note that Node.js versions 10.X and later will be built with version
4.9.X or later of the GCC compiler, and it is possible that Node.js
version 8.X may be built on the 4.9.X compiler at a later time as the
stated minimum compiler requirement for Node.js version 8.X is 4.9.4.
Refs: https://github.com/nodejs/node/blob/v8.x/BUILDING.md
PR-URL: https://github.com/nodejs/node/pull/19679
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
PR-URL: https://github.com/nodejs/node/pull/19680
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
PR-URL: https://github.com/nodejs/node/pull/19681
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
* cluster:
- Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava)
https://github.com/nodejs/node/pull/19165
* crypto:
- Expose the public key of a certificate (Hannes Magnusson)
https://github.com/nodejs/node/pull/17690
* n-api:
- Add `napi_fatal_exception` to trigger an `uncaughtException` in
JavaScript (Mathias Buus)
https://github.com/nodejs/node/pull/19337
* path:
- Fix regression in `posix.normalize` (Michaël Zasso)
https://github.com/nodejs/node/pull/19520
* stream:
- Improve stream creation performance (Brian White)
https://github.com/nodejs/node/pull/19401
* Added new collaborators
- [BethGriggs](https://github.com/BethGriggs) Beth Griggs
PR-URL: https://github.com/nodejs-private/node-private/pull/111
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/112
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/113
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
Notable Changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/110
Notable changes:
* events:
- `events.usingDomains` being set to false by default was removed in
9.6.0 which was a change in behavior compared to 9.5.0. This
behavior change has been reverted and the `events` object now has
`usingDomains` preset to `false`, which is the behavior in 9.x
prior to 9.6.0 (Myles Borins)
https://github.com/nodejs/node/pull/18944
PR-URL: https://github.com/nodejs/node/pull/18946
* Older experimental APIs have been removed.
[[`d731369b1d`](https://github.com/nodejs/node/commit/d731369b1d)]
[#14414](https://github.com/nodejs/node/pull/14414)
* **Errors**
* Improvements have been made to `buffer` module error messages.
* The assignment of static error codes to Node.js error continues:
* `buffer`
* `child_process`
* `console`
* `crypto`
* `dns`
* `events`
* `fs`
* `http`
* `inspector`
* `net`
* `path`
* `process`
* `querystring`
* `readline`
* `repl`
* `streams`
* `string_decoder`
* `timers`
* `tls`
* `url`
* `util`
* `v8`
* `zlib`
* **Child Processes**
* Errors are emitted on process nextTick.
* **Domains**
* The long-deprecated `.dispose()` method has been removed.
* **fs**
* The `fs.ReadStream` and `fs.WriteStream` classes now use `destroy()`.
* `fs` module callbacks are now invoked with an undefined context.
* **HTTP/1**
* A 400 Bad Request response will now be sent when parsing fails.
* Socket timeout will be set when the socket connects.
* A bug causing the request `'error'` event to fire twice was fixed.
* HTTP clients may now use generic `Duplex` streams in addition to `net.Socket`.
* **Intl**
* The deprecated `Intl.v8BreakIterator` has been removed.
* **Modules**
* The `require.resolve()` method now supports using custom lookup paths.
* **OS**
* The `os.EOL` property is now read-only.
* **Timers**
* `setTimeout()` will emit a warning if the timeout is larger that the maximum
32-bit unsigned integer.
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
for details on patched vulnerabilities.
Notable Changes:
* zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with
windowBits set to 8. On some versions this crashes Node and you
cannot recover from it, while on some versions it throws an
exception. Node.js will now gracefully set windowBits to 9
replicating the legacy behavior to avoid a DOS vector.
https://github.com/nodejs-private/node-private/pull/95
PR-URL: https://github.com/nodejs-private/node-private/pull/96
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
for details on patched vulnerabilities.
Notable Changes:
* zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with
windowBits set to 8. On some versions this crashes Node and you
cannot recover from it, while on some versions it throws an
exception. Node.js will now gracefully set windowBits to 9
replicating the legacy behavior to avoid a DOS vector.
https://github.com/nodejs-private/node-private/pull/95
PR-URL: https://github.com/nodejs-private/node-private/pull/97
PR-URL: https://github.com/nodejs/node/pull/15064
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yuta Hiroto <hello@about-hiroppy.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
