0
0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Commit Graph

232 Commits

Author SHA1 Message Date
Michaël Zasso
2c73868b04
2019-03-28, Version 11.13.0 (Current)
Notable changes:

* crypto
  * Allow deriving public from private keys (Tobias Nießen)
    [#26278](https://github.com/nodejs/node/pull/26278).
* events
  * Added a `once` function to use `EventEmitter` with promises
    (Matteo Collina) [#26078](https://github.com/nodejs/node/pull/26078).
* tty
  * Added a `hasColors` method to `WriteStream` (Ruben Bridgewater)
    [#26247](https://github.com/nodejs/node/pull/26247).
  * Added NO_COLOR and FORCE_COLOR support (Ruben Bridgewater)
    [#26485](https://github.com/nodejs/node/pull/26485).
* v8
  * Added `v8.getHeapSnapshot` and `v8.writeHeapSnapshot` to generate snapshots
    in the format used by tools such as Chrome DevTools (James M Snell)
    [#26501](https://github.com/nodejs/node/pull/26501).
* worker
  * Added `worker.moveMessagePortToContext`. This enables using MessagePorts in
    different vm.Contexts, aiding with the isolation that the vm module seeks to
    provide (Anna Henningsen)
    [#26497](https://github.com/nodejs/node/pull/26497).
* C++ API
  * `AddPromiseHook` is now deprecated. This API was added to fill an use case
    that is served by `async_hooks`, since that has `Promise` support
    (Anna Henningsen) [#26529](https://github.com/nodejs/node/pull/26529).
  * Added a `Stop` API to shut down Node.js while it is running
    (Gireesh Punathil) [#21283](https://github.com/nodejs/node/pull/21283).
* meta
  * [Gireesh Punathil](https://github.com/gireeshpunathil) is now a member of
    the Technical Steering Committee
    [#26657](https://github.com/nodejs/node/pull/26657).
  * Added [Yongsheng Zhang](https://github.com/ZYSzys) to collaborators
    [#26730](https://github.com/nodejs/node/pull/26730).

PR-URL: https://github.com/nodejs/node/pull/26949
2019-03-28 20:23:29 +01:00
Jesse McCarthy
0622ce6e7f doc: fix changelog date typo
PR-URL: https://github.com/nodejs/node/pull/26831
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
2019-03-21 23:36:38 +02:00
Ruben Bridgewater
969c63a0f1
2019-03-15, Version 11.12.0 (Current)
Notable Changes

* bootstrap:
  * Add experimental `--frozen-intrinsics` flag (Guy Bedford)
    https://github.com/nodejs/node/pull/25685
* build:
  * Enable v8's siphash for hash seed creation (Rod Vagg)
    https://github.com/nodejs/node/pull/26367
* deps:
  * Upgrade openssl to 1.1.1b (Sam Roberts)
    https://github.com/nodejs/node/pull/26327
* process:
  * Make `process[Symbol.toStringTag]` writable again
    (Ruben Bridgewater) https://github.com/nodejs/node/pull/26488
* repl:
  * Add `util.inspect.replDefaults` to customize the writer
    (Ruben Bridgewater) https://github.com/nodejs/node/pull/26375
* report:
  * Rename `triggerReport()` to `writeReport()` (Colin Ihrig)
    https://github.com/nodejs/node/pull/26527
2019-03-15 22:03:09 +01:00
Colin Prince
06879aafee doc: fix year in changelog
Most minor, 2018 should be 2019 for 10.15.3

PR-URL: https://github.com/nodejs/node/pull/26584
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-03-11 17:56:59 +02:00
Ruben Bridgewater
b22ee71ef6
2019-03-06, Version 11.11.0 (Current)
Notable Changes

* n-api:
  * Implement date object (Jarrod Connolly)
    https://github.com/nodejs/node/pull/25917
* util:
  * Add compact depth mode for `util.inspect()` (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/26269
* worker:
  * Improve integration with native addons (Anna Henningsen)
    https://github.com/nodejs/node/pull/26175
  * MessagePort.prototype.onmessage takes arguments closer to the Web
    specification now (Anna Henningsen)
    https://github.com/nodejs/node/pull/26082
2019-03-06 20:24:50 +01:00
Beth Griggs
a52c1ead02
2019-03-05, Version 10.15.3 'Dubnium' (LTS)
Notable Changes

* **doc**
  * add antsmartian to collaborators (Anto Aravinth)
    [#24655](https://github.com/nodejs/node/pull/24655)
* **http**
  * fix error check in Execute() (Brian White)
    [#25863](https://github.com/nodejs/node/pull/25863)
* **stream**
  * fix end-of-stream for HTTP/2 (Anna Henningsen)
    [#24926](https://github.com/nodejs/node/pull/24926)

PR-URL: https://github.com/nodejs/node/pull/26063
2019-03-05 17:08:25 +00:00
Rod Vagg
0d64a56012 2019-02-28, Version 6.17.0 'Boron' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with keep-alive HTTP connections
    (CVE-2019-5739)
  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)
  * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

Notable Changes:

* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
  CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
  certain circumstances, a TLS server can be forced to respond differently to
  a client if a zero-byte record is received with an invalid padding
  compared to a zero-byte record with an invalid MAC. This can be used as the
  basis of a padding oracle attack to decrypt data.
* http:
  - Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
    connections remaining open and inactive for an extended period of time,
    leading to a potential Denial of Service (DoS).
    (CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
  - Further prevention of "Slowloris" attacks on HTTP and HTTPS
    connections by consistently applying the receive timeout set by
    `server.headersTimeout` to connections in keep-alive mode. Reported by
    Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/169
2019-02-28 22:36:11 +11:00
Rod Vagg
980cce6d29 2019-02-28, Version 8.15.1 'Carbon' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)
  * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

Notable Changes:

* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
  CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
  certain circumstances, a TLS server can be forced to respond differently to
  a client if a zero-byte record is received with an invalid padding
  compared to a zero-byte record with an invalid MAC. This can be used as the
  basis of a padding oracle attack to decrypt data.
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/165
2019-02-28 22:31:14 +11:00
Rod Vagg
b974d0dd64 2019-02-28, Version 10.15.2 'Dubnium' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)

Notable Changes:

* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/164
2019-02-28 22:29:17 +11:00
Rod Vagg
f1cefdca80 2019-02-28, Version 11.10.1 (Current)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)

Notable Changes:

* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/163
2019-02-28 22:27:59 +11:00
Michaël Zasso
48491ce405
doc: fix notable changes in v11 changelog 2019-02-17 18:49:36 +01:00
Colin Ihrig
bc72470788
doc: fix changelog entry
PR-URL: https://github.com/nodejs/node/pull/26114
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
2019-02-16 09:04:14 -05:00
Kai
e74019fa8b doc: fix notable changes list format for 11.9.0 & 11.10.0
PR-URL: https://github.com/nodejs/node/pull/26129
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
2019-02-16 11:42:29 +02:00
Michaël Zasso
82ee0ff1b8
2018-02-14, Version 11.10.0 (Current)
Notable changes:

deps:
  * Updated libuv to 1.26.0.
  * Updated npm to 6.7.0.
http, http2:
  * `response.writeHead` now returns the response object.
perf_hooks:
  * Implemented a histogram based API.
process:
  * Exposed `process.features.inspector`.
repl:
  * Added `repl.setupHistory` for programmatic repl.
tls:
  * Introduced client "session" event.

PR-URL: https://github.com/nodejs/node/pull/26098
2019-02-14 23:55:48 +01:00
Michaël Zasso
9e08386e61
2019-01-30, Version 11.9.0 (Current)
Notable changes:

* deps:
  * OpenSSL has been updated to 1.1.1a, which is API/ABI compatible with
    the previous OpenSSL 1.1.0j. Note that while OpenSSL 1.1.1a supports
    TLS1.3, Node.js still does not.
    https://github.com/nodejs/node/pull/25582

PR-URL: https://github.com/nodejs/node/pull/25802
2019-01-30 23:06:17 +01:00
Shelley Vohr
d56212e6ef
2019-01-29, Version 10.15.1 'Dubnium' (LTS)
* doc:
  * add oyyd to collaborators (Ouyang Yadong) [#24300](https://github.com/nodejs/node/pull/24300)
* tls:
  * throw if protocol too long (Andre Jodat-Danbrani) [#23606](https://github.com/nodejs/node/pull/23606)

PR-URL: https://github.com/nodejs/node/pull/25346
2019-01-29 10:17:08 -08:00
Myles Borins
96731fc8d3
doc: fix 11.8.0 changelog
Problem with tool resulted in wrong commits being included

PR-URL: https://github.com/nodejs/node/pull/25705
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2019-01-25 20:39:13 +01:00
Myles Borins
641de82404
2019-01-24, Version 11.8.0 (Current)
Notable Changes:

* events:
  * For unhandled `error` events with an argument that is not an
    `Error` object, the resulting exeption will have more information
    about the argument.
    https://github.com/nodejs/node/pull/25621
* child_process:
  * When the `maxBuffer` option is passed, `stdout` and `stderr` will
    be truncated rather than unavailable in case of an error.
    https://github.com/nodejs/node/pull/24951
* policy:
  * Experimental support for module integrity checks through a manifest
    file is implemented now.
    https://github.com/nodejs/node/pull/23834
* n-api:
  * The `napi_threadsafe_function` feature is now stable.
    https://github.com/nodejs/node/pull/25556
* report:
  * An experimental diagnostic API for capturing process state is
    available as `process.report` and through command line flags.
    https://github.com/nodejs/node/pull/22712
* tls:
  * `tls.connect()` takes a `timeout` option analogous to the
    `net.connect()` one.
    https://github.com/nodejs/node/pull/25517
* worker:
  * `process.umask()` is available as a read-only function inside Worker
    threads now.
    https://github.com/nodejs/node/pull/25526
  * An `execArgv` option that supports a subset of Node.js command line
    options is supported now.
    https://github.com/nodejs/node/pull/25467

PR-URL: https://github.com/nodejs/node/pull/25687
2019-01-24 20:51:40 -05:00
Ruben Bridgewater
d3f8f905b3
2019-01-17, Version 11.7.0 (Current), @BridgeAR
Notable Changes

* compression / zlib:
  * Added brotli support (Anna Henningsen and Zach Vacura)
    https://github.com/nodejs/node/pull/24938
* console:
  * Added `inspectOptions` option (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/24978
* crypto:
  * Always accept private keys as public keys (Tobias Nießen)
    https://github.com/nodejs/node/pull/25217
* deps:
  * Upgrade npm to v6.5.0 (Jordan Harband)
    https://github.com/nodejs/node/pull/25234
* fs:
  * Use internalBinding('fs') internally instead of
    process.binding('fs') (Masashi Hirano)
    https://github.com/nodejs/node/pull/22478
* http(s):
  * Support overriding http\\s.globalAgent (Roy Sommer)
    https://github.com/nodejs/node/pull/25170
* util:
  * Inspect ArrayBuffers contents closely (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/25006
* worker:
  * Expose workers by default and remove `--experimental-worker` flag
    (Anna Henningsen) https://github.com/nodejs/node/pull/25361

PR-URL: https://github.com/nodejs/node/pull/25537
2019-01-18 14:03:19 +01:00
Myles Borins
3614157b78
doc: fix lint in CHANGELOG_V6
introduced in 7b9c9b3dcc

PR-URL: https://github.com/nodejs/node/pull/25233
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
2018-12-26 13:08:36 -05:00
Myles Borins
e01999db14
2018-12-26, Version 11.6.0 (Current)
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    https://github.com/nodejs/node/pull/24234
  - add key object API (Tobias Nießen) [#24234](https://github.com/nodejs/node/pull/24234)
  - update root certificates (Sam Roberts)
    https://github.com/nodejs/node/pull/25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    https://github.com/nodejs/node/pull/25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    https://github.com/nodejs/node/pull/24734
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25175
2018-12-26 11:24:51 -05:00
Myles Borins
78f2e142c5
2018-12-26, Version 10.15.0 'Dubnium' (LTS)
The 10.14.0 security release introduced some unexpected breakages on
the 10.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25176
2018-12-26 11:24:26 -05:00
Myles Borins
9542324d9e
2018-12-26, Version 8.15.0 'Carbon' (LTS)
The 8.14.0 security release introduced some unexpected breakages on
the 8.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25177
2018-12-26 11:23:32 -05:00
Myles Borins
7b9c9b3dcc
2018-12-26, Version 6.16.0 'Boron' (LTS)
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25178
2018-12-26 11:22:24 -05:00
Beth Griggs
74a1dfb56e
2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](https://github.com/nodejs/node/pull/24733)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](https://github.com/nodejs/node/pull/24852)

PR-URL: https://github.com/nodejs/node/pull/25102
2018-12-18 18:36:17 +00:00
Beth Griggs
1cbd377078
2018-12-18, Version 8.14.1 'Carbon' (LTS)
Notable changes:

* **assert**:
  - revert breaking change (Ruben Bridgewater)
    [#24786](https://github.com/nodejs/node/pull/24786)
* **http2**:
  - fix sequence of error/close events (Gerhard Stoebich)
    [#24789](https://github.com/nodejs/node/pull/24789)

PR-URL: https://github.com/nodejs/node/pull/24832
2018-12-18 11:29:17 -05:00
Shelley Vohr
6c6c5630a7
2018-12-11, Version 10.14.2 'Dubnium' (LTS)
Notable changes:

* deps:
  * upgrade to c-ares v1.15.0 (Ben Noordhuis)
    https://github.com/nodejs/node/pull/23854
* Windows:
  * A crashing process will now show the names of stack frames if the node.pdb
    file is available. (Refael Ackermann)
    https://github.com/nodejs/node/pull/23822
* Added new collaborators:
  * Peter Marshall. https://github.com/nodejs/node/pull/24170
  * Masashi Hirano. https://github.com/nodejs/node/pull/24136

PR-URL: https://github.com/nodejs/node/pull/24727
2018-12-11 15:38:17 -05:00
Ruben Bridgewater
bcef949c93
2018-12-07, Version 11.4.0 (Current)
Notable Changes:

* console,util:
  * `console` functions now handle symbols as defined in the spec.
    https://github.com/nodejs/node/pull/23708
  * The inspection `depth` default is now back at 2.
    https://github.com/nodejs/node/pull/24326
* dgram,net:
  * Added ipv6Only option for `net` and `dgram`.
    https://github.com/nodejs/node/pull/23798
* http:
  * Chosing between the http parser is now possible per runtime flag.
    https://github.com/nodejs/node/pull/24739
* readline:
  * The `readline` module now supports async iterators.
    https://github.com/nodejs/node/pull/23916
* repl:
  * The multiline history feature is removed.
    https://github.com/nodejs/node/pull/24804
* tls:
  * Added min/max protocol version options.
    https://github.com/nodejs/node/pull/24405
  * The X.509 public key info now includes the RSA bit size and the
    elliptic curve. https://github.com/nodejs/node/pull/24358
* url:
  * `pathToFileURL()` now supports LF, CR and TAB.
    https://github.com/nodejs/node/pull/23720
* Windows:
  * Tools are not installed using Boxstarter anymore.
    https://github.com/nodejs/node/pull/24677
  * The install-tools scripts or now included in the dist.
    https://github.com/nodejs/node/pull/24233
* Added new collaborator:
  * [antsmartian](https://github.com/antsmartian) - Anto Aravinth.
    https://github.com/nodejs/node/pull/24655

PR-URL: https://github.com/nodejs/node/pull/24854
2018-12-07 18:50:20 +01:00
Rod Vagg
dbdc9081fa 2018-12-03, Version 6.15.1 'Boron' (LTS)
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: https://github.com/nodejs/node/pull/24803
Refs: https://github.com/nodejs/node/pull/24796
Refs: https://github.com/nodejs/node/issues/24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2018-12-04 01:06:32 +11:00
Myles Borins
9efcfd313a
2018-11-29, Version 10.14.1 'Dubnium' (LTS)
Notable Changes:

* **win/msi**: Revert changes to installer causing issues on Windows systems.

PR-URL: https://github.com/nodejs/node/pull/24711
2018-11-29 11:43:35 -05:00
Rod Vagg
cc399cf5b2 2018-11-27, Version 11.3.0 (Current)
This is a security release. All Node.js users should consult the security
release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)

Notable Changes:

* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/156/
2018-11-28 11:36:34 +11:00
Rod Vagg
9910cc29bc 2018-11-27, Version 10.14.0 'Dubnium' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)

Notable Changes:

* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/155/
2018-11-28 11:36:34 +11:00
Rod Vagg
59fdaede52 2018-11-27, Version 8.14.0 'Carbon' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/154
2018-11-28 11:36:34 +11:00
Rod Vagg
957aeba352 2018-11-27, Version 6.15.0 'Boron' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Debugger port 5858 listens on any interface by default
    (CVE-2018-12120)
  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* debugger: Backport of https://github.com/nodejs/node/pull/8106 to
  prevent the debugger from listening on `0.0.0.0`. It now defaults to
  `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
    (CVE-2018-12122 / Matteo Collina)
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
  URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/153
2018-11-28 11:36:34 +11:00
Beth Griggs
2c2e6ec38d
2018-11-20, Version 8.13.0 'Carbon' (LTS)
Notable changes:

* **assert**:
  - backport some assert commits (Ruben Bridgewater)
    [#23223](https://github.com/nodejs/node/pull/23223)
* **deps**:
  - upgrade to libuv 1.23.2 (cjihrig)
    [#23336](https://github.com/nodejs/node/pull/23336)
  - V8: cherry-pick 64-bit hash seed commits (Yang Guo)
    [#23274](https://github.com/nodejs/node/pull/23274)
* **http**:
  - added aborted property to request (Robert Nagy)
    [#20094](https://github.com/nodejs/node/pull/20094)
* **http2**:
  - graduate from experimental (James M Snell)
    [#22466](https://github.com/nodejs/node/pull/22466)

PR-URL: https://github.com/nodejs/node/pull/23974
2018-11-20 13:13:11 -05:00
Rich Trott
b32c5f0408 doc: update 11.0.0 changelog with missing commit
PR-URL: https://github.com/nodejs/node/pull/24404
Fixes: https://github.com/nodejs/node/issues/23846
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
2018-11-20 06:13:40 +01:00
Rich Trott
51494da74b doc: udpate list item spacing in changelogs
Minor formatting adjustments to two changelog files in preparation for a
markdown lint rule.

PR-URL: https://github.com/nodejs/node/pull/24391
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
2018-11-18 23:50:06 -08:00
Ruben Bridgewater
406d9caab5
2018-11-15, Version 11.2.0 (Current)
Notable changes:

* deps:
  * A new experimental HTTP parser (`llhttp`) is now supported.
    https://github.com/nodejs/node/pull/24059
* timers:
  * Fixed an issue that could cause setTimeout to stop working as
    expected. https://github.com/nodejs/node/pull/24322
* Windows
  * A crashing process will now show the names of stack frames if the
    node.pdb file is available.
    https://github.com/nodejs/node/pull/23822
  * Continued effort to improve the installer's new stage that installs
    native build tools.
    https://github.com/nodejs/node/pull/23987,
    https://github.com/nodejs/node/pull/24348
  * child_process:
    * On Windows the `windowsHide` option default was restored to
      `false`. This means `detached` child processes and GUI apps will
      once again start in a new window.
      https://github.com/nodejs/node/pull/24034
* Added new collaborators:
  * [oyyd](https://github.com/oyyd) - Ouyang Yadong.
    https://github.com/nodejs/node/pull/24300
  * [psmarshall](https://github.com/psmarshall) - Peter Marshall.
    https://github.com/nodejs/node/pull/24170
  * [shisama](https://github.com/shisama) - Masashi Hirano.
    https://github.com/nodejs/node/pull/24136

PR-URL: https://github.com/nodejs/node/pull/24350
2018-11-15 22:16:09 +01:00
Michaël Zasso
74ba48294b
2018-11-02, Version 11.1.0 (Current)
Notable changes:

* deps
  * Updated ICU to 63.1. https://github.com/nodejs/node/pull/23715
* repl
  * Top-level for-await-of is now supported in the REPL.
    https://github.com/nodejs/node/pull/23841
* timers
  * Fixed an issue that could cause timers to enter an infinite loop.
    https://github.com/nodejs/node/pull/23870

PR-URL: https://github.com/nodejs/node/pull/23922
2018-11-02 13:34:02 +01:00
Myles Borins
db2ac1dbd9 doc: fix headings for CHANGELOG_v10.md
The LTS bit flip did not include the new title heading for LTS in the
changelog. This commit fixes that.

PR-URL: https://github.com/nodejs/node/pull/23973
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2018-11-02 05:23:40 +01:00
Myles Borins
cd1193d9ed
2018-10-30 Version 10.13.0 'Dubnium' (LTS)
This release marks the transition of Node.js 10.x into Long Term
Support (LTS) with the codename 'Dubnium'. The 10.x release line
now moves in to "Active LTS" and will remain so until April 2020.
After that time it will move in to "Maintenance" until end of
life in April 2021.

Notable Changes:

This release only includes minimal changes necessary to fix known
regressions prior to LTS.

PR-URL: https://github.com/nodejs/node/pull/23831
2018-10-30 04:45:24 -04:00
James M Snell
3516052bee
2018-10-23, Version 11.0.0 (Current)
Notable changes:

* Build
  * FreeBSD 10 is no longer supported.[#22617](https://github.com/nodejs/node/pull/22617)
* `child_process`
  * The default value of the `windowsHide` option has been changed
    to `true`. [#21316](https://github.com/nodejs/node/pull/21316)
* `console`
  * `console.countReset()` will emit a warning if the timer
    being reset does not exist. [#21649](https://github.com/nodejs/node/pull/21649)
  * `console.time()` will no longer reset a timer if it already
    exists. [#20442](https://github.com/nodejs/node/pull/20442)
* Dependencies
  * V8 has been updated to 7.0.
    [#22754](https://github.com/nodejs/node/pull/22754)
* `fs`
  * The `fs.read()` method now requires a callback.
    [#22146](https://github.com/nodejs/node/pull/22146)
  * The previously deprecated `fs.SyncWriteStream` utility has been
    removed.[#20735](https://github.com/nodejs/node/pull/20735)
* `http`
  * The `http`, `https`, and `tls` modules now use the WHATWG URL parser
    by default. [#20270](https://github.com/nodejs/node/pull/20270)
* General
  * Use of `process.binding()` has been deprecated. Userland code using
    `process.binding()` should re-evaluate that use and begin migrating. If
    there are no supported API alternatives, please open an issue in the
    Node.js GitHub repository so that a suitable alternative may be discussed.
  * An experimental implementation of `queueMicrotask()` has been added.
    [#22951](https://github.com/nodejs/node/pull/22951)
* Internal
  * Windows performance-counter support has been removed.
    [#22485](https://github.com/nodejs/node/pull/22485)
  * The `--expose-http2` command-line option has been removed.
    [#20887](https://github.com/nodejs/node/pull/20887)
* Timers
  * Interval timers will be rescheduled even if previous interval threw
    an error. [#20002](https://github.com/nodejs/node/pull/20002)
* `util`
  * The WHATWG `TextEncoder` and `TextDecoder` are now globals.
    [#22281](https://github.com/nodejs/node/pull/22281)
  * `util.inspect()` output size is limited to 128 MB by default.
    [#22756](https://github.com/nodejs/node/pull/22756)
  * A runtime warning will be emitted when `NODE_DEBUG` is set for
    either `http` or `http2`. [#21914](https://github.com/nodejs/node/pull/21914)
2018-10-23 11:03:02 -07:00
Michaël Zasso
cd8ee2d033
2018-10-10, Version 10.12.0 (Current)
Notable changes:

* assert
  * The diff output is now a tiny bit improved by sorting object
    properties when inspecting the values that are compared with each
    other. https://github.com/nodejs/node/pull/22788
* cli
  * The options parser now normalizes `_` to `-` in all multi-word
    command-line flags, e.g. `--no_warnings` has the same effect as
    `--no-warnings`. https://github.com/nodejs/node/pull/23020
  * Added bash completion for the `node` binary. To generate a bash
    completion script, run `node --completion-bash`. The output can be
    saved to a file which can be sourced to enable completion.
    https://github.com/nodejs/node/pull/20713
* crypto
  * Added support for PEM-level encryption.
    https://github.com/nodejs/node/pull/23151
  * Added an API asymmetric key pair generation. The new methods
    `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be
    used to generate public and private key pairs. The API supports
    RSA, DSA and EC and a variety of key encodings (both PEM and DER).
    https://github.com/nodejs/node/pull/22660
* fs
  * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If
    this option is set to true, non-existing parent folders will be
    automatically created. https://github.com/nodejs/node/pull/21875
* http2
  * Added a `'ping'` event to `Http2Session` that is emitted whenever a
    non-ack `PING` is received.
    https://github.com/nodejs/node/pull/23009
  * Added support for the `ORIGIN` frame.
    https://github.com/nodejs/node/pull/22956
  * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect
    protocol support to allow use of WebSockets over HTTP/2.
    https://github.com/nodejs/node/pull/23284
* module
  * Added `module.createRequireFromPath(filename)`. This new method can
    be used to create a custom require function that will resolve
    modules relative to the filename path.
    https://github.com/nodejs/node/pull/19360
* process
  * Added a `'multipleResolves'` process event that is emitted whenever
    a `Promise` is attempted to be resolved multiple times, e.g. if the
    `resolve` and `reject` functions are both called in a `Promise`
    executor. https://github.com/nodejs/node/pull/22218
* url
  * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These
    methods can be used to correctly convert between file: URLs and
    absolute paths. https://github.com/nodejs/node/pull/22506
* util
  * Added the `sorted` option to `util.inspect()`. If set to `true`,
    all properties of an object and Set and Map entries will be sorted
    in the returned string. If set to a function, it is used as a
    compare function. https://github.com/nodejs/node/pull/22788
  * The `util.instpect.custom` symbol is now defined in the global
    symbol registry as `Symbol.for('nodejs.util.inspect.custom')`.
    https://github.com/nodejs/node/pull/20857
  * Added support for `BigInt` numbers in `util.format()`.
    https://github.com/nodejs/node/pull/22097
* V8 API
  * A number of V8 C++ APIs have been marked as deprecated since they
    have been removed in the upstream repository. Replacement APIs
    are added where necessary. https://github.com/nodejs/node/pull/23159
* Windows
  * The Windows msi installer now provides an option to automatically
    install the tools required to build native modules.
    https://github.com/nodejs/node/pull/22645
* Workers
  * Debugging support for Workers using the DevTools protocol has been
    implemented. https://github.com/nodejs/node/pull/21364
  * The public `inspector` module is now enabled in Workers.
    https://github.com/nodejs/node/pull/22769
* Added new collaborators:
  * digitalinfinity - Hitesh Kanwathirtha

PR-URL: https://github.com/nodejs/node/pull/23313
2018-10-10 23:18:55 +02:00
Michaël Zasso
df9abb638d
2018-09-20, Version 10.11.0 (Current)
Notable changes:

* fs
  * Fixed fsPromises.readdir `withFileTypes`.
    https://github.com/nodejs/node/pull/22832
* http2
  * Added `http2stream.endAfterHeaders` property.
    https://github.com/nodejs/node/pull/22843
* util
  * Added `util.types.isBoxedPrimitive(value)`.
    https://github.com/nodejs/node/pull/22620
* Added new collaborators:
  * boneskull (https://github.com/boneskull) - Christopher Hiller
* The Technical Steering Committee has new members:
  * apapirovski (https://github.com/apapirovski) - Anatoli Papirovski
  * gabrielschulhof (https://github.com/gabrielschulhof) - Gabriel Schulhof

PR-URL: https://github.com/nodejs/node/pull/22932
2018-09-20 13:32:38 +02:00
Myles Borins
121439a8ff
2018-09-11, Version 8.12.0 'Carbon' (LTS)
Notable Changes:

* async_hooks:
  - rename PromiseWrap.parentId (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/18633
  - remove runtime deprecation (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/19517
  - deprecate unsafe emit{Before,After} (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/18513
* cluster:
  - add cwd to cluster.settings (cjihrig)
    https://github.com/nodejs/node/pull/18399
  - support windowsHide option for workers (Todd Wong)
    https://github.com/nodejs/node/pull/17412
* crypto:
  - allow passing null as IV unless required (Tobias Nießen)
    https://github.com/nodejs/node/pull/18644
* deps:
  - upgrade npm to 6.2.0 (Kat Marchán)
    https://github.com/nodejs/node/pull/21592
  - upgrade libuv to 1.19.2 (cjihrig)
    https://github.com/nodejs/node/pull/18918
  - Upgrade node-inspect to 1.11.5 (Jan Krems)
    https://github.com/nodejs/node/pull/21055
* fs,net:
  - support as and as+ flags in stringToFlags() (Sarat Addepalli)
    https://github.com/nodejs/node/pull/18801
  - emit 'ready' for fs streams and sockets (Sameer Srivastava)
    https://github.com/nodejs/node/pull/19408
* http, http2:
  - add options to http.createServer() (Peter Marton)
    https://github.com/nodejs/node/pull/15752
  - add 103 Early Hints status code (Yosuke Furukawa)
    https://github.com/nodejs/node/pull/16644
  - add http fallback options to .createServer (Peter Marton)
    https://github.com/nodejs/node/pull/15752
* n-api:
  - take n-api out of experimental (Michael Dawson)
    https://github.com/nodejs/node/pull/19262
* perf_hooks:
  - add warning when too many entries in the timeline (James M Snell)
    https://github.com/nodejs/node/pull/18087
* src:
  - add public API for managing NodePlatform (Cheng Zhao)
    https://github.com/nodejs/node/pull/16981
  - allow --perf-(basic-)?prof in NODE\_OPTIONS (Leko)
    https://github.com/nodejs/node/pull/17600
  - node internals' postmortem metadata (Matheus Marchini)
    https://github.com/nodejs/node/pull/14901
* tls:
  - expose Finished messages in TLSSocket (Anton Salikhmetov)
    https://github.com/nodejs/node/pull/19102
* **trace_events**:
  - add file pattern cli option (Andreas Madsen)
    https://github.com/nodejs/node/pull/18480
* util:
  - implement util.getSystemErrorName() (Joyee Cheung)
    https://github.com/nodejs/node/pull/18186

PR-URL: https://github.com/nodejs/node/pull/21593
2018-09-11 01:33:27 -04:00
Chakravarthy S M
e638bc5f92
doc: fix typo in CHANGELOG_V10.md
Fix typo

PR-URL: https://github.com/nodejs/node/pull/22744
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
2018-09-07 17:08:28 +02:00
Michaël Zasso
ed976d76b0
2018-09-06, Version 10.10.0 (Current)
Notable changes:

* child_process:
  * `TypedArray` and `DataView` values are now accepted as input by
    `execFileSync` and `spawnSync`. https://github.com/nodejs/node/pull/22409
* coverage:
  * Native V8 code coverage information can now be output to disk by setting the
    environment variable `NODE_V8_COVERAGE` to a directory. https://github.com/nodejs/node/pull/22527
* deps:
  * The bundled npm was upgraded to version 6.4.1. https://github.com/nodejs/node/pull/22591
    * Changelogs:
      [6.3.0-next.0](https://github.com/npm/cli/releases/tag/v6.3.0-next.0)
      [6.3.0](https://github.com/npm/cli/releases/tag/v6.3.0)
      [6.4.0](https://github.com/npm/cli/releases/tag/v6.4.0)
      [6.4.1](https://github.com/npm/cli/releases/tag/v6.4.1)
* fs:
  * The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`,
    `fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray` and
    `DataView` objects. https://github.com/nodejs/node/pull/22150
  * A new boolean option, `withFileTypes`, can be passed to to `fs.readdir` and
    `fs.readdirSync`. If set to true, the methods return an array of directory
    entries. These are objects that can be used to determine the type of each
    entry and filter them based on that without calling `fs.stat`. https://github.com/nodejs/node/pull/22020
* http2:
  * The `http2` module is no longer experimental. https://github.com/nodejs/node/pull/22466
* os:
  * Added two new methods: `os.getPriority` and `os.setPriority`, allowing to
    manipulate the scheduling priority of processes. https://github.com/nodejs/node/pull/22407
* process:
  * Added `process.allowedNodeEnvironmentFlags`. This object can be used to
    programmatically validate and list flags that are allowed in the
    `NODE_OPTIONS` environment variable. https://github.com/nodejs/node/pull/19335
* src:
  * Deprecated option variables in public C++ API. https://github.com/nodejs/node/pull/22515
  * Refactored options parsing. https://github.com/nodejs/node/pull/22392
* vm:
  * Added `vm.compileFunction`, a method to create new JavaScript functions from
    a source body, with options similar to those of the other `vm` methods. https://github.com/nodejs/node/pull/21571
* Added new collaborators:
  * [lundibundi](https://github.com/lundibundi) - Denys Otrishko

PR-URL: https://github.com/nodejs/node/pull/22716
2018-09-06 23:57:43 +02:00
Rod Vagg
97c1fa3d3b 2018-08-15, Version 10.9.0 (Current)
Notable changes:

* buffer:
  * Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
    (CVE-2018-12115)
  * Fix unintentional exposure of uninitialized memory in `Buffer.alloc()`
    (CVE-2018-7166)
* deps:
  * Upgrade to OpenSSL 1.1.0i, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
  * Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
    - Memory reduction and performance improvements, details at:
      https://v8project.blogspot.com/2018/06/v8-release-68.html
* http: `http.get()` and `http.request()` (and `https` variants) can now accept
  three arguments to allow for a `URL` _and_ an `options` object
  (Sam Ruby) #21616
* Added new collaborators
  * Sam Ruby (https://github.com/rubys)
  * George Adams (https://github.com/gdams)
2018-08-16 11:52:38 +10:00
Rod Vagg
1efdc5876d 2018-08-15, Version 8.11.4 'Carbon' (LTS)
This is a security release. All Node.js users should consult the
security release summary at:

  https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * CVE-2018-0732 (OpenSSL)
  * CVE-2018-12115 (Node.js)

Notable changes:

* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
  (CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel (CVE not assigned)
2018-08-16 11:52:38 +10:00
Rod Vagg
82ab9b336d 2018-08-15, Version 6.14.4 'Boron' (LTS)
This is a security release. All Node.js users should consult the
security release summary at:

  https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * CVE-2018-0732 (OpenSSL)
  * CVE-2018-12115 (Node.js)

Notable changes:

* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
  (CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel (CVE not assigned)
2018-08-16 11:52:38 +10:00