0
0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Commit Graph

395 Commits

Author SHA1 Message Date
Beth Griggs
372c7cc3c2
2020-04-21, Version 14.0.0 (Current)
Deprecations:

- (SEMVER-MAJOR) crypto: move pbkdf2 without digest to EOL
  (James M Snell) [#31166](https://github.com/nodejs/node/pull/31166)
- (SEMVER-MAJOR) fs: deprecate closing FileHandle on garbage collection
  (James M Snell) [#28396](https://github.com/nodejs/node/pull/28396)
- (SEMVER-MAJOR) http: move OutboundMessage.prototype.flush to EOL
  (James M Snell) [#31164](https://github.com/nodejs/node/pull/31164)
- (SEMVER-MAJOR) lib: move GLOBAL and root aliases to EOL
  (James M Snell) [#31167](https://github.com/nodejs/node/pull/31167)
- (SEMVER-MAJOR) os: move tmpDir() to EOL
  (James M Snell)[#31169](https://github.com/nodejs/node/pull/31169)
- (SEMVER-MAJOR) src: remove deprecated wasm type check
  (Clemens Backes) [#32116](https://github.com/nodejs/node/pull/32116)
- (SEMVER-MAJOR) stream: move \_writableState.buffer to EOL
  (James M Snell) [#31165](https://github.com/nodejs/node/pull/31165)
- (SEMVER-MINOR) doc: deprecate process.mainModule
  (Antoine du HAMEL) [#32232](https://github.com/nodejs/node/pull/32232)
- (SEMVER-MINOR) doc: deprecate process.umask() with no arguments
  (Colin Ihrig) [#32499](https://github.com/nodejs/node/pull/32499)

ECMAScript Modules - Experimental Warning Removal:

- module: remove experimental modules warning
  (Guy Bedford) [#31974](https://github.com/nodejs/node/pull/31974)

In Node.js 13 we removed the need to include the --experimental-modules
flag, but when running EcmaScript Modules in Node.js, this would still
result in a warning ExperimentalWarning: The ESM module loader is
experimental.

As of Node.js 14 there is no longer this warning when using ESM in
Node.js. However, the ESM implementation in Node.js remains
experimental. As per our stability index: “The feature is not subject
to Semantic Versioning rules. Non-backward compatible changes or
removal may occur in any future release.” Users should be cautious when
using the feature in production environments.

Please keep in mind that the implementation of ESM in Node.js differs
from the developer experience you might be familiar with. Most
transpilation workflows support features such as optional file
extensions or JSON modules that the Node.js ESM implementation does not
support. It is highly likely that modules from transpiled environments
will require a certain degree of refactoring to work in Node.js. It is
worth mentioning that many of our design decisions were made with two
primary goals. Spec compliance and Web Compatibility. It is our belief
that the current implementation offers a future proof model to
authoring ESM modules that paves the path to Universal JavaScript.
Please read more in our documentation.

The ESM implementation in Node.js is still experimental but we do believe
that we are getting very close to being able to call ESM in Node.js
“stable”. Removing the warning is a huge step in that direction.

New V8 ArrayBuffer API:

* **src**: migrate to new V8 ArrayBuffer API
  (Thang Tran) [#30782](https://github.com/nodejs/node/pull/30782)

Multiple ArrayBuffers pointing to the same base address are no longer
allowed by V8. This may impact native addons.

Toolchain and Compiler Upgrades:

- (SEMVER-MAJOR) build: update macos deployment target to 10.13 for 14.x
  (AshCripps)[#32454](https://github.com/nodejs/node/pull/32454)
- (SEMVER-MAJOR) doc: update cross compiler machine for Linux armv7
  (Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) doc: update Centos/RHEL releases use devtoolset-8
  (Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) doc: remove SmartOS from official binaries
  (Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) win: block running on EOL Windows versions
  (João Reis) [#31954](https://github.com/nodejs/node/pull/31954)

It is expected that there will be an ABI mismatch on ARM between the
Node.js binary and native addons. Native addons are only broken if they
interact with `std::shared_ptr`. This is expected to be fixed in a
later version of Node.js 14.
- [#30786](https://github.com/nodejs/node/issues/30786)

Update to V8 8.1:

- (SEMVER-MAJOR) deps: update V8 to 8.1.307.20
  (Matheus Marchini) [#32116](https://github.com/nodejs/node/pull/32116)

Other Notable Changes:

- cli, report: move --report-on-fatalerror to stable
  (Colin Ihrig) [#32496](https://github.com/nodejs/node/pull/32496)
- deps: upgrade to libuv 1.37.0
  (Colin Ihrig) [#32866](https://github.com/nodejs/node/pull/32866)
- fs: add fs/promises alias module
  (Gus Caplan) [#31553](https://github.com/nodejs/node/pull/31553)

PR-URL: https://github.com/nodejs/node/pull/32181
2020-04-21 15:50:14 +01:00
Michaël Zasso
cf4c332b7a
2020-04-14, Version 13.13.0 (Current)
Notable changes:

New file system APIs:
* Added a new function, `fs.readv` (with sync and promisified versions).
  This function takes an array of `ArrayBufferView` elements and will
  write the data it reads sequentially to the buffers
  (Sk Sajidul Kadir). https://github.com/nodejs/node/pull/32356
* A new overload is available for `fs.readSync`, which allows to
  optionally pass any of the `offset`, `length` and `position`
  parameters. https://github.com/nodejs/node/pull/32460

Other changes:
* dns:
  * Added the `dns.ALL` flag, that can be passed to `dns.lookup()` with
    `dns.V4MAPPED` to return resolved IPv6 addresses as well as IPv4
    mapped IPv6 addresses (murgatroid99).
    https://github.com/nodejs/node/pull/32183
* http:
  * The default maximum HTTP header size was changed from 8KB to 16KB
    (rosaxny). https://github.com/nodejs/node/pull/32520
* n-api:
  * Calls to `napi_call_threadsafe_function` from the main thread can
    now return the `napi_would_deadlock` status in certain
    circumstances (Gabriel Schulhof).
    https://github.com/nodejs/node/pull/32689
* util:
  * Added a new `maxStrLength` option to `util.inspect`, to control the
    maximum length of printed strings. Its default value is `Infinity`
    (rosaxny). https://github.com/nodejs/node/pull/32392
* worker:
  * Added support for passing a `transferList` along with `workerData`
    to the `Worker` constructor (Juan José Arboleda).
    https://github.com/nodejs/node/pull/32278

New core collaborators:
With this release, we welcome three new Node.js core collaborators:
* himself65. https://github.com/nodejs/node/pull/32734
* flarna (Gerhard Stoebich). https://github.com/nodejs/node/pull/32620
* mildsunrise (Alba Mendez). https://github.com/nodejs/node/pull/32525

PR-URL: https://github.com/nodejs/node/pull/32813
2020-04-14 20:22:41 +02:00
Beth Griggs
8d93df41b0
2020-04-12 Node.js v10.20.1 'Dubnium' (LTS) Release
Notable changes:

Due to release process failures, Node.js v10.20.0 shipped with source
and header tarballs that did not properly match the final release
commit that was used to build the binaries. We recommend that Node.js
v10.20.0 not be used, particularly in any applications using native
add-ons or where compiling Node.js from source is involved.

Node.js v10.20.1 is a clean release with the correct sources and is
strongly recommended in place of v10.20.0.

PR-URL: https://github.com/nodejs/node/pull/32768
2020-04-12 13:55:01 +01:00
Shelley Vohr
6ec0285478
2020-04-08 Version 12.16.2 'Erbium' (LTS)
Notable changes:

doc:
  * add ronag to collaborators (Robert Nagy) [#31498](https://github.com/nodejs/node/pull/31498)
  * add GeoffreyBooth to collaborators (Geoffrey Booth) [#31306](https://github.com/nodejs/node/pull/31306)
deps:
  * upgrade npm to 6.13.6 (Ruy Adorno) [#31304](https://github.com/nodejs/node/pull/31304)
  * update openssl to 1.1.1e (Hassaan Pasha) [#32328](https://github.com/nodejs/node/pull/32328)
2020-04-08 11:10:14 -07:00
Beth Griggs
9b46e3f7cc
2020-04-08, Version 10.20.0 'Dubnium' (LTS)
macOS package notarization and a change in builder configuration

The macOS binaries for this release, and future 10.x releases, are now
being compiled on macOS 10.15 (Catalina) with Xcode 11 to support
package notarization, a requirement for installing .pkg files on macOS
10.15 and later. Previous builds of Node.js 10.x were compiled on macOS
10.10 (Yosemite) with a minimum deployment target of macOS 10.7 (Lion).
As binaries are still being compiled to support a minimum of macOS 10.7
(Lion) we do not anticipate this having a negative impact on Node.js
10.x users with older versions of macOS.

Notable changes:

- buffer: add {read|write}Big\[U\]Int64{BE|LE} methods (garygsc)
  [#19691](https://github.com/nodejs/node/pull/19691)
- build: macOS package notarization (Rod Vagg)
  [#31459](https://github.com/nodejs/node/pull/31459)
- deps:
  - update npm to 6.14.3 (Myles Borins)
    [#32368](https://github.com/nodejs/node/pull/32368)
  - upgrade openssl sources to 1.1.1e (Hassaan Pasha)
    [#32328](https://github.com/nodejs/node/pull/32328)
  - upgrade to libuv 1.34.2 (cjihrig)
    [#31477](https://github.com/nodejs/node/pull/31477)
- n-api:
  - add napi\_get\_all\_property\_names (himself65)
    [#30006](https://github.com/nodejs/node/pull/30006)
  - add APIs for per-instance state management (Gabriel Schulhof)
    [#28682](https://github.com/nodejs/node/pull/28682)
  - define release 6
    [#32058](https://github.com/nodejs/node/pull/32058)
  - turn NAPI\_CALL\_INTO\_MODULE into a function (Anna Henningsen)
    [#26128](https://github.com/nodejs/node/pull/26128)
- tls:
  - expose keylog event on TLSSocket (Alba Mendez)
    [#27654](https://github.com/nodejs/node/pull/27654)
  - support TLS min/max protocol defaults in CLI (Sam Roberts)
    [#27946](https://github.com/nodejs/node/pull/27946)
- url: handle quasi-WHATWG URLs in urlToOptions() (cjihrig)
  [#26226](https://github.com/nodejs/node/pull/26226)

PR-URL: https://github.com/nodejs/node/pull/31984
2020-04-08 16:50:11 +01:00
Myles Borins
113c04c524
2020-03-26 Version 13.12.0 (Current)
macOS package notarization and a change in builder configuration:

The macOS binaries for this release, and future 13.x releases, are now
being compiled on macOS 10.15 (Catalina) with Xcode 11 to support
package notarization, a requirement for installing on .pkg files on
macOS 10.15 and later. Previous builds of Node.js 13.x were compiled on
macOS 10.11 (El Capitan) with Xcode 10. As binaries are still being
compiled to support a minimum of macOS 10.10 (Yosemite) we do not
anticipate this having a negative impact on Node.js 13.x users with
older versions of macOS.

Notable changes:

* build:
  * macOS package notarization (Rod Vagg)
    https://github.com/nodejs/node/pull/31459
* deps:
  * upgrade npm to 6.14.4 (Ruy Adorno)
    https://github.com/nodejs/node/pull/32495
  * update to uvwasi 0.0.6 (Colin Ihrig)
    https://github.com/nodejs/node/pull/32309
  * upgrade to libuv 1.35.0 (Colin Ihrig)
    https://github.com/nodejs/node/pull/32204
* lib:
  * add --disable-proto option to cli (Gus Caplan)
    https://github.com/nodejs/node/pull/32279
* node_report:
  * move diagnostic reports to stable (Colin Ihrig)
    https://github.com/nodejs/node/pull/32242
* worker:
  * allow URL in Worker constructor (Antoine du HAMEL)
    https://github.com/nodejs/node/pull/31664
* util:
  * use a global symbol for `util.promisify.custom` (ExE Boss)
    https://github.com/nodejs/node/pull/31672

PR-URL: https://github.com/nodejs/node/pull/32376
2020-03-26 18:49:28 -04:00
Myles Borins
5bfbd75e47
2020-03-11 Version 13.11.0 (Current)
Notable changes:

* async_hooks:
  - add sync enterWith to ALS (Stephen Belanger)
    https://github.com/nodejs/node/pull/31945
* cli:
  - allow --jitless V8 flag in NODE\_OPTIONS (Andrew Neitsch)
    https://github.com/nodejs/node/pull/32100
* fs:
  - return first folder made by mkdir recursive (Benjamin Coe)
    https://github.com/nodejs/node/pull/31530
* n-api:
  - define release 6 (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/32058
* src:
  - create a getter for kernel version (Juan José Arboleda)
    https://github.com/nodejs/node/pull/31732
* wasi:
  - add returnOnExit option (Colin Ihrig)
    https://github.com/nodejs/node/pull/32101

PR-URL: https://github.com/nodejs/node/pull/32185
2020-03-11 23:54:53 -04:00
Rich Trott
b6cd2155c3 doc: remove em dashes
Our documentation uses em dashes inconsistently. They are treated
inconsistently typographically too. (For example, they are sometimes
surrounded by spaces and sometimes not.) They are also often confused
with ordinary hyphens such as in the CHANGELOG, where they are
inadvertently mixed together in a single list. The difference is
not obvious in the raw markdown but is very noticeable when rendered,
appearing to be a typographical error (which it in fact is).

The em dash is never needed. There are always alternatives. Remove em
dashes entirely.

PR-URL: https://github.com/nodejs/node/pull/32080
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2020-03-05 22:25:42 -08:00
Myles Borins
67d45fb298
2020-03-04 Version 13.10.1 (Current)
Notable changes:

In Node.js 13.9.0 deps/zlib was switched to the chromium maintained
implementation. This change had the unforseen consequence of breaking
building from the tarballs we release as we were too aggressively
removing `unneccessary files` from the `deps/zlib` folder. This release
includes a patch that ensures that individuals will once again be able
to build Node.js from source.

PR-URL: https://github.com/nodejs/node/pull/32099
2020-03-04 20:37:29 -05:00
Shelley Vohr
75466869fb
2020-03-04 Version 13.10.0 (Current)
Notable changes:

* async_hooks
  * introduce async-context API (vdeturckheim) #26540
* stream
  * support passing generator functions into pipeline() (Robert Nagy) #31223
* tls
  * expose SSL\_export\_keying\_material (simon) #31814
* vm
  * implement vm.measureMemory() for per-context memory measurement (Joyee Cheung) #31824

PR-URL: https://github.com/nodejs/node/pull/32027
2020-03-04 09:53:11 -08:00
Shelley Vohr
0c3c0e7184
2020-02-18, Version 13.9.0 (Current)
Notable changes:

* async_hooks
  * add executionAsyncResource (Matteo Collina) #30959
* crypto
  * add crypto.diffieHellman (Tobias Nießen) #31178
  * add DH support to generateKeyPair (Tobias Nießen) #31178
  * simplify DH groups (Tobias Nießen) #31178
  * add key type 'dh' (Tobias Nießen) #31178
* test
  * skip keygen tests on arm systems (Tobias Nießen) #31178
* perf_hooks
  * add property flags to GCPerformanceEntry (Kirill Fomichev) #29547
* process
  * report ArrayBuffer memory in `memoryUsage()` (Anna Henningsen) #31550
* readline
  * make tab size configurable (Ruben Bridgewater) #31318
* report
  * add support for Workers (Anna Henningsen) #31386
* worker
  * add ability to take heap snapshot from parent thread (Anna Henningsen) #31569
* added new collaborators
  * add ronag to collaborators (Robert Nagy) #31498

PR-URL: https://github.com/nodejs/node/pull/31837
2020-02-18 12:40:21 -08:00
Myles Borins
1c2d77d3d9
2020-02-18, Version 12.16.1 'Erbium' (LTS)
Notable changes:

Node.js 12.16.0 included 6 regressions that are being fixed in this
release

**Accidental Unflagging of Self Resolving Modules**:

12.16.0 included a large update to the ESM implementation. One of the
new features, Self Referential Modules, was accidentally released
without requiring the `--experimental-modules` flag. This release is
being made to appropriately flag the feature.

**Process Cleanup Changed Introduced WASM-Related Assertion**:

A change during Node.js process cleanup led to a crash in combination
with specific usage of WASM. This has been fixed by partially reverted
said change. A regression test and a full fix are being worked on and
will likely be included in future 12.x and 13.x releases.

**Use Largepages Runtime Option Introduced Linking Failure**:

A Semver-Minor change to introduce `--use-largepages` as a runtime
option introduced a linking failure. This had been fixed in master but
regressed as the fix has not yet gone out in a Current release. The
feature has been reverted, but will be able to reland with a fix in a
future Semver-Minor release.

**Async Hooks was Causing an Exception When Handling Errors**:

Changes in async hooks internals introduced a case where an internal
api call could be called with undefined causing a process to crash. The
change to async hooks was reverted. A regression test and fix has been
proposed and the change could re land in a future Semver-Patch release
if the regression is reliably fixed.

**New Enumerable Read-Only Property on EventEmitter breaks @types/extend**

A new property for enumerating events was added to the EventEmitter
class. This broke existing code that was using the `@types/extend`
module for extending classses as `@types/extend` was attemping to write
over the existing field which the new change made read-only. As this is
the first property on EventEmitter that is read-only this feature could
be considered Semver-Major. The new feature has been reverted but could
re land in a future Semver-Minor release if a non breaking way of
applying it is found.

**Exceptions in the HTTP parser were not emitting an uncaughtException**

A refactoring to Node.js interanls resulted in a bug where errors in
the HTTP parser were not being emitted by
`process.on('uncaughtException')`. The fix to this bug has been
included in this release.

PR-URL: https://github.com/nodejs/node/pull/31781
2020-02-18 14:46:29 -05:00
Myles Borins
1c11ea4388
2020-02-11, Version 12.16.0 'Erbium' (LTS)
Notable changes:

New assert APIs

The `assert` module now provides experimental `assert.match()` and
`assert.doesNotMatch()` methods. They will validate that the first argument is a
string and matches (or does not match) the provided regular expression

This is an experimental feature.

Ruben Bridgewater [#30929](https://github.com/nodejs/node/pull/30929).

Advanced serialization for IPC

The `child_process` and `cluster` modules now support a `serialization` option
to change the serialization mechanism used for IPC. The option can have one of
two values:

* `'json'` (default): `JSON.stringify()` and `JSON.parse()` are used. This is
  how message serialization was done before.
* `'advanced'`: The serialization API of the `v8` module is used. It is based on
  the HTML structured clone algorithm.
  and is able to serialize more built-in JavaScript object types, such as
  `BigInt`, `Map`, `Set` etc. as well as circular data structures.

Anna Henningsen [#30162](https://github.com/nodejs/node/pull/30162).

CLI flags

The new `--trace-exit` CLI flag makes Node.js print a stack trace whenever the
Node.js environment is exited proactively (i.e. by invoking the `process.exit()`
function or pressing Ctrl+C).

legendecas [#30516](https://github.com/nodejs/node/pull/30516).

___

The new `--trace-uncaught` CLI flag makes Node.js print a stack trace at the
time of throwing uncaught exceptions, rather than at the creation of the `Error`
object, if there is any.
This option is not enabled by default because it may affect garbage collection
behavior negatively.

Anna Henningsen [#30025](https://github.com/nodejs/node/pull/30025).

___

The `--disallow-code-generation-from-strings` V8 CLI flag is now whitelisted in
the `NODE_OPTIONS` environment variable.

Shelley Vohr [#30094](https://github.com/nodejs/node/pull/30094).

New crypto APIs

For DSA and ECDSA, a new signature encoding is now supported in addition to the
existing one (DER). The `verify` and `sign` methods accept a `dsaEncoding`
option, which can have one of two values:

* `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
* `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.

Tobias Nießen [#29292](https://github.com/nodejs/node/pull/29292).

___

A new method was added to `Hash`: `Hash.prototype.copy`. It makes it possible to
clone the internal state of a `Hash` object into a new `Hash` object, allowing
to compute the digest between updates.

Ben Noordhuis [#29910](https://github.com/nodejs/node/pull/29910).

Dependency updates

libuv was updated to 1.34.0. This includes fixes to `uv_fs_copyfile()` and
`uv_interface_addresses()` and adds two new functions: `uv_sleep()` and
`uv_fs_mkstemp()`.

Colin Ihrig [#30783](https://github.com/nodejs/node/pull/30783).

___

V8 was updated to 7.8.279.23. This includes performance improvements to object
destructuring, RegExp match failures and WebAssembly startup time.
The official release notes are available at https://v8.dev/blog/v8-release-78.

Michaël Zasso [#30109](https://github.com/nodejs/node/pull/30109).

New EventEmitter APIs

The new `EventEmitter.on` static method allows to async iterate over events.

Matteo Collina [#27994](https://github.com/nodejs/node/pull/27994).

___

It is now possible to monitor `'error'` events on an `EventEmitter` without
consuming the emitted error by installing a listener using the symbol
`EventEmitter.errorMonitor`.

Gerhard Stoebich [#30932](https://github.com/nodejs/node/pull/30932).

___

Using `async` functions with event handlers is problematic, because it
can lead to an unhandled rejection in case of a thrown exception.

The experimental `captureRejections` option in the `EventEmitter` constructor or
the global setting change this behavior, installing a
`.then(undefined, handler)` handler on the `Promise`. This handler routes the
exception asynchronously to the `Symbol.for('nodejs.rejection')` method if there
is one, or to the `'error'` event handler if there is none.

Setting `EventEmitter.captureRejections = true` will change the default for all
new instances of `EventEmitter`.

This is an experimental feature.

Matteo Collina [#27867](https://github.com/nodejs/node/pull/27867).

Performance Hooks are no longer experimental

The `perf_hooks` module is now considered a stable API.

legendecas [#31101](https://github.com/nodejs/node/pull/31101).

Introduction of experimental WebAssembly System Interface (WASI) support

A new core module, `wasi`, is introduced to provide an implementation of the
[WebAssembly System Interface](https://wasi.dev/) specification.
WASI gives sandboxed WebAssembly applications access to the
underlying operating system via a collection of POSIX-like functions.

This is an experimental feature.

Colin Ihrig [#30258](https://github.com/nodejs/node/pull/30258).

PR-URL: https://github.com/nodejs/node/pull/31691
2020-02-11 19:20:59 +01:00
Beth Griggs
d602e586bf
2020-02-06, Version 10.19.0 'Dubnium' (LTS)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
          HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
          HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
          Remotely trigger an assertion on a TLS server with a malformed
          certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/198
2020-02-06 03:05:04 +00:00
Beth Griggs
e65ae42785
2020-02-06, Version 12.15.0 'Erbium' (LTS)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/197
2020-02-06 02:55:47 +00:00
Beth Griggs
f0f2583c91
2020-02-06, Version 13.8.0 (Current)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/196
2020-02-06 02:39:39 +00:00
Shelley Vohr
a484f1acf3
2020-01-21, Version 13.7.0 (Current)
Notable changes:

* deps:
  * upgrade to libuv 1.34.1 (cjihrig) https://github.com/nodejs/node/pull/31332
  * upgrade npm to 6.13.6 (Ruy Adorno) https://github.com/nodejs/node/pull/31304
* module
  * add API for interacting with source maps (bcoe) https://github.com/nodejs/node/pull/31132
  * loader getSource, getFormat, transform hooks (Geoffrey Booth) https://github.com/nodejs/node/pull/30986
  * logical conditional exports ordering (Guy Bedford) https://github.com/nodejs/node/pull/31008
  * unflag conditional exports (Guy Bedford) https://github.com/nodejs/node/pull/31001
* process:
  * allow monitoring uncaughtException (Gerhard Stoebich) https://github.com/nodejs/node/pull/31257
* Added new collaborators:
  * [GeoffreyBooth](https://github.com/GeoffreyBooth) - Geoffrey Booth. https://github.com/nodejs/node/pull/31306

PR-URL: https://github.com/nodejs/node/pull/31382
2020-01-21 09:58:13 -08:00
Beth Griggs
9d5d4f84e3
2020-01-09, Version 10.18.1 'Dubnium' (LTS)
- http2: fix session memory accounting after pausing (Michael Lehenbauer)
  [#30684](https://github.com/nodejs/node/pull/30684)
- n-api: correct bug in napi_get_last_error (Octavian Soldea)
  [#28702](https://github.com/nodejs/node/pull/28702)
- tools: update tzdata to 2019c (Myles Borins)
  [#30479](https://github.com/nodejs/node/pull/30479)

PR-URL: https://github.com/nodejs/node/pull/31248
2020-01-09 21:48:45 +00:00
Ruben Bridgewater
e908323b7e
2020-01-07, Version v13.6.0 (Current)
Notable changes:

* assert:
  * Implement `assert.match()` and `assert.doesNotMatch()` (Ruben
    Bridgewater) https://github.com/nodejs/node/pull/30929
* events:
  * Add `EventEmitter.on` to async iterate over events (Matteo Collina)
    https://github.com/nodejs/node/pull/27994
  * Allow monitoring error events (Gerhard Stoebich)
    https://github.com/nodejs/node/pull/30932
* fs:
  * Allow overriding `fs` for streams (Robert Nagy)
    https://github.com/nodejs/node/pull/29083
* perf_hooks:
  * Move `perf_hooks` out of experimental (legendecas)
    https://github.com/nodejs/node/pull/31101
* repl:
  * Implement ZSH-like reverse-i-search (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/31006
* tls:
  * Add PSK (pre-shared key) support (Denys Otrishko)
    https://github.com/nodejs/node/pull/23188

PR-URL: https://github.com/nodejs/node/pull/31238
2020-01-08 00:10:43 +01:00
Beth Griggs
f5512ff61e
2020-01-07, Version 12.14.1 'Erbium' (LTS)
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  https://github.com/nodejs/node/pull/30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      https://github.com/nodejs/node/pull/30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      https://github.com/nodejs/node/pull/30493
- v8: mark serdes API as stable (Anna Henningsen)
  https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/31069
2020-01-07 17:25:49 +00:00
Beth Griggs
d845915d46 doc: mark Node.js 8 End-of-Life in CHANGELOG
PR-URL: https://github.com/nodejs/node/pull/31152
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
2020-01-03 20:11:54 -08:00
Myles Borins
24263ff718
2019-12-18, Version 13.5.0 (Current)
Notable Changes:

* cli:
  * add --trace-exit cli option (legendecas)
    https://github.com/nodejs/node/pull/30516
* http,https:
  * increase server headers timeout (Tim Costa)
    https://github.com/nodejs/node/pull/30071
* readline:
  * update ansi-regex (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30907
  * promote \_getCursorPos to public api (Jeremy Albright)
    https://github.com/nodejs/node/pull/30687
* repl:
  * add completion preview (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30907
* util:
  * add Set and map size to inspect output (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30225
* wasi:
  * require CLI flag to require() wasi module (Colin Ihrig)
    https://github.com/nodejs/node/pull/30963

PR-URL: https://github.com/nodejs/node/pull/31010
2019-12-18 13:51:03 -05:00
Myles Borins
bef1e87e1c
2019-12-17, Version 13.4.0 (Current)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:
* deps:
  * update npm to 6.13.4
    https://github.com/nodejs/node/pull/30904
  * update uvwasi (Anna Henningsen)
    https://github.com/nodejs/node/pull/30745
  * upgrade to libuv 1.34.0 (Colin Ihrig)
    https://github.com/nodejs/node/pull/30783
* doc:
  * docs deprecate http finished (Robert Nagy)
    https://github.com/nodejs/node/pull/28679
* events:
  * add captureRejection option (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* http:
  * add captureRejection support (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
  * llhttp opt-in insecure HTTP header parsing (Sam Roberts)
    https://github.com/nodejs/node/pull/30567
* http2:
  * implement capture rection for 'request' and 'stream' events (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* net:
  * implement capture rejections for 'connection' event (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* repl:
  * support previews by eager evaluating input (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30811
* stream:
  * add support for captureRejection option (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* tls:
  * implement capture rejections for 'secureConnection' event (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
  * expose IETF name for current cipher suite (Sam Roberts)
    https://github.com/nodejs/node/pull/30637
* worker:
  * add argv constructor option (legendecas)
    https://github.com/nodejs/node/pull/30559

PR-URL: https://github.com/nodejs/node/pull/30937
2019-12-17 17:29:02 -05:00
Myles Borins
75c5de2218
2019-12-17, Version 12.14.0 'Erbium' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30938
2019-12-17 17:16:25 -05:00
Myles Borins
178c5d86b0
2019-12-17, Version 10.18.0 'Dubnium' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30940
2019-12-17 17:15:40 -05:00
Myles Borins
8bfa4d0480
2019-12-17, Version 8.17.0 'Carbon' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30941
2019-12-17 17:15:09 -05:00
Ruben Bridgewater
4091ea90b6
2019-12-03, Version 13.3.0 (Current)
Notable changes:

* fs:
  * Reworked experimental recursive `rmdir()`  (cjihrig)
    https://github.com/nodejs/node/pull/30644
    * The `maxBusyTries` option is renamed to `maxRetries`, and its
      default is set to 0. The `emfileWait` option has been removed,
      and `EMFILE` errors use the same retry logic as other errors.
      The `retryDelay` option is now supported. `ENFILE` errors are
      now retried.
* http:
  * Make maximum header size configurable per-stream or per-server
    (Anna Henningsen) https://github.com/nodejs/node/pull/30570
* http2:
  * Make maximum tolerated rejected streams configurable (Denys
    Otrishko) https://github.com/nodejs/node/pull/30534
  * Allow to configure maximum tolerated invalid frames (Denys
    Otrishko) https://github.com/nodejs/node/pull/30534
* wasi:
  * Introduce initial WASI support (cjihrig)
    https://github.com/nodejs/node/pull/30258

PR-URL: https://github.com/nodejs/node/pull/30774
2019-12-03 22:57:31 +01:00
Myles Borins
b8f8f05002
2019-11-21, Version 13.2.0 (Current)
Notable changes:

* addons:
  * Deprecate one- and two-argument `AtExit()`. Use the three-argument
    variant of `AtExit()` or `AddEnvironmentCleanupHook()` instead
    (Anna Henningsen) https://github.com/nodejs/node/pull/30227
* child_process,cluster:
  * The `serialization` option is added that allows child process
    IPC to use the V8 serialization API (to e.g., pass through data
    types like sets or maps) (Anna Henningsen)
    https://github.com/nodejs/node/pull/30162
* deps:
  * Update V8 to 7.9
  * Update `npm` to 6.13.0 (Ruy Adorno)
    https://github.com/nodejs/node/pull/30271
* embedder:
  * Exposes the ability to pass cli flags / options through an API
    as embedder (Shelley Vohr)
    https://github.com/nodejs/node/pull/30466
  * Allow adding linked bindings to Environment (Anna Henningsen)
    https://github.com/nodejs/node/pull/30274
* esm:
  * Unflag --experimental-modules (Guy Bedford)
    https://github.com/nodejs/node/pull/29866
* stream:
  * Add `writable.writableCorked` property (Robert Nagy)
    https://github.com/nodejs/node/pull/29012
* worker:
  * Allow specifying resource limits (Anna Henningsen)
    https://github.com/nodejs/node/pull/26628
* v8:
  * The Serialization API is now stable (Anna Henningsen)
    https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/30547
2019-11-21 17:14:59 -05:00
Michaël Zasso
b351d30701
2019-11-19, Version 12.13.1 'Erbium' (LTS)
Notable changes:

* Experimental support for building Node.js with Python 3 is improved.
* ICU time zone data is updated to version 2019c. This fixes the date
  offset in Brazil.

PR-URL: https://github.com/nodejs/node/issues/30352
2019-11-19 11:50:23 +01:00
Michaël Zasso
309e1eae79
2019-11-05, Version 13.1.0 (Current)
Notable changes:

* cli:
  * Added a new flag (`--trace-uncaught`) that makes Node.js print the
    stack trace at the time of throwing uncaught exceptions, rather than
    at the creation of the `Error` object, if there is any. This is
    disabled by default because it affects GC behavior.
    https://github.com/nodejs/node/pull/30025
* crypto
  * Added `Hash.prototype.copy()` method. It returns a new `Hash` object
    with its internal state cloned from the original one.
    https://github.com/nodejs/node/pull/29910
* dgram
  * Added source-specific multicast support. This adds methods to
    Datagram sockets to support RFC 4607
    (https://tools.ietf.org/html/rfc4607) for IPv4 and IPv6.
    https://github.com/nodejs/node/pull/15735
* fs
  * Added a `bufferSize` option to `fs.opendir()`. It allows to control
    the number of entries that are buffered internally when reading from
    the directory. https://github.com/nodejs/node/pull/30114
* meta
  * Added Chengzhong Wu (https://github.com/legendecas) to
    collaborators. https://github.com/nodejs/node/pull/30115

PR-URL: https://github.com/nodejs/node/pull/30262
2019-11-05 19:39:20 +01:00
Myles Borins
5a042a6b1a
2019-10-23, Version 13.0.1 (Current)
Notable changes:

* deps:
  * Fixed a bug in npm 6.12.0 where warnings are emitted on Node.js
    13.x. https://github.com/nodejs/node/pull/30079
* esm:
  * Changed file extension resolution order of
    `--es-module-specifier-resolution=node`to match that of the CommonJS
    loader. https://github.com/nodejs/node/pull/29974

PR-URL: https://github.com/nodejs/node/pull/30081
2019-10-23 12:34:20 +02:00
Beth Griggs
afbbcb050e
2019-10-22, Version 10.17.0 'Dubnium' (LTS)
Notable changes:

* crypto:
  * add support for chacha20-poly1305 for AEAD (chux0519)
    https://github.com/nodejs/node/pull/24081
  * increase maxmem range from 32 to 53 bits (Tobias Nießen)
    https://github.com/nodejs/node/pull/28799
* deps:
  * update npm to 6.11.3 (claudiahdz)
    https://github.com/nodejs/node/pull/29430
  * upgrade openssl sources to 1.1.1d (Sam Roberts)
    https://github.com/nodejs/node/pull/29921
* dns:
  * remove dns.promises experimental warning (cjihrig)
    https://github.com/nodejs/node/pull/26592
* fs:
  * remove experimental warning for fs.promises (Anna Henningsen)
    https://github.com/nodejs/node/pull/26581
* http:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* http2:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* n-api:
  * make func argument of napi\_create\_threadsafe\_function optional
    (legendecas)
    https://github.com/nodejs/node/pull/27791
  * mark version 5 N-APIs as stable (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/29401
  * implement date object (Jarrod Connolly)
    https://github.com/nodejs/node/pull/25917
* process:
  * add --unhandled-rejections flag (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/26599
* stream:
  * implement Readable.from async iterator utility (Guy Bedford)
    https://github.com/nodejs/node/pull/27660
  * make Symbol.asyncIterator support stable (Matteo Collina)
    https://github.com/nodejs/node/pull/26989

PR-URL: https://github.com/nodejs/node/pull/29875
2019-10-22 20:15:24 +01:00
Beth Griggs
42bf0c8df2
2019-10-22, Version 13.0.0 (Current)
Notable changes:

* assert:
  * If the validation function passed to `assert.throws()` or
    `assert.rejects()` returns a value other than `true`, an assertion
    error will be thrown instead of the original error to highlight the
    programming mistake (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
  * If a constructor function is passed to validate the instance of
    errors thrown in `assert.throws()` or `assert.reject()`, an
    assertion error will be thrown instead of the original error
    (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
* build:
  * Node.js releases are now built with default full-icu support. This
    means that all locales supported by ICU are now included and
    Intl-related APIs may return different values than before
    (Richard Lau).
    https://github.com/nodejs/node/pull/29887
  * The minimum Xcode version supported for macOS was increased to 10.
    It is still possible to build Node.js with Xcode 8 but this may no
    longer be the case in a future v13.x release (Michael Dawson).
    https://github.com/nodejs/node/pull/29622
* child_process:
  * `ChildProcess._channel` (DEP0129) is now a Runtime deprecation
    (cjihrig).
    https://github.com/nodejs/node/pull/27949
* console:
  * The output `console.timeEnd()` and `console.timeLog()` will now
    automatically select a suitable time unit instead of always using
    milliseconds (Xavier Stouder).
    https://github.com/nodejs/node/pull/29251
* deps:
  * The V8 engine was updated to version 7.8. This includes performance
    improvements to object destructuring, memory usage and WebAssembly
    startup time (Myles Borins).
    https://github.com/nodejs/node/pull/29694)
* domain:
  * The domain's error handler is now executed with the active domain
    set to the domain's parent to prevent inner recursion
    (Julien Gilli).
    https://github.com/nodejs/node/pull/26211
* fs:
  * The undocumented method `FSWatcher.prototype.start()` was removed
    (Lucas Holmquist).
    https://github.com/nodejs/node/pull/29905
  * Calling the `open()` method on a `ReadStream` or `WriteStream` now
    emits a runtime deprecation warning. The methods are supposed to be
    internal and should not be called by user code (Robert Nagy).
    https://github.com/nodejs/node/pull/29061
  * `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now
    accept any safe integer as their `offset` parameter. The value of
    `offset` is also no longer coerced, so a valid type must be passed
    to the functions (Zach Bjornson).
    https://github.com/nodejs/node/pull/26572
* http:
  * Aborted requests no longer emit the `end` or `error` events after
    `aborted` (Robert Nagy).
    https://github.com/nodejs/node/pull/27984
    https://github.com/nodejs/node/pull/20077
  * Data will no longer be emitted after a socket error (Robert Nagy).
    https://github.com/nodejs/node/pull/28711
  * The legacy HTTP parser (previously available under the
    `--http-parser=legacy` flag) was removed (Anna Henningsen).
    https://github.com/nodejs/node/pull/29589
  * The `host` option for HTTP requests is now validated to be a string
    value (Giorgos Ntemiris).
    https://github.com/nodejs/node/pull/29568
  * The `request.connection` and `response.connection` properties are now
    runtime deprecated. The equivalent `request.socket` and `response.socket`
    should be used instead (Robert Nagy).
    https://github.com/nodejs/node/pull/29015
* http, http2:
  * The default server timeout was removed (Ali Ijaz Sheikh).
    https://github.com/nodejs/node/pull/27558
  * Brought 425 status code name into accordance with RFC 8470. The name
    changed from "Unordered Collection" to "Too Early" (Sergei Osipov).
    https://github.com/nodejs/node/pull/29880
* lib:
  * The `error.errno` property will now always be a number. To get the
    string value, use `error.code` instead (Joyee Cheung).
    https://github.com/nodejs/node/pull/28140
* module:
  * `module.createRequireFromPath()` is deprecated. Use
    `module.createRequire()` instead (cjihrig).
    https://github.com/nodejs/node/pull/27951
* src:
  * Changing the value of `process.env.TZ` will now clear the tz cache.
    This affects the default time zone used by methods such as
    `Date.prototype.toString` (Ben Noordhuis).
    https://github.com/nodejs/node/pull/20026
* stream:
  * The timing and behavior of streams was consolidated for a number of
    edge cases. Please look at the individual commits below for more
    information.

PR-URL: https://github.com/nodejs/node/pull/29504
2019-10-22 17:12:12 +01:00
Michaël Zasso
701933ca8f
2019-10-21, Version 12.13.0 'Erbium' (LTS)
This release marks the transition of Node.js 12.x into Long Term Support
(LTS) with the codename 'Erbium'. The 12.x release line now moves into
"Active LTS" and will remain so until October 2020. After that time, it
will move into "Maintenance" until end of life in April 2022.

Notable changes:

npm was updated to 6.12.0. It now includes a version of `node-gyp` that
supports Python 3 for building native modules.

PR-URL: https://github.com/nodejs/node/pull/29981
2019-10-21 11:12:52 +02:00
Ruben Bridgewater
06f6d662f6
2019-10-11, Version 12.12.0 (Current)
Notable changes:

* build:
  * Add `--force-context-aware` flag to prevent usage of native node
    addons that aren't context aware
    https://github.com/nodejs/node/pull/29631
* deprecations:
  * Add documentation-only deprecation for `process._tickCallback()`
    https://github.com/nodejs/node/pull/29781
* esm:
  * Using JSON modules is experimental again
    https://github.com/nodejs/node/pull/29754
* fs:
  * Introduce `opendir()` and `fs.Dir` to iterate through directories
    https://github.com/nodejs/node/pull/29349
* process:
  * Add source-map support to stack traces by using
    `--source-map-support` https://github.com/nodejs/node/pull/29564
* tls:
  * Honor `pauseOnConnect` option
    https://github.com/nodejs/node/pull/29635
  * Add option for private keys for OpenSSL engines
    https://github.com/nodejs/node/pull/28973

PR-URL: https://github.com/nodejs/node/pull/29919
2019-10-11 21:25:36 +02:00
Beth Griggs
a04b04f4cf
2019-10-09, Version 8.16.2 'Carbon' (LTS)
Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes:

- **deps**: upgrade openssl sources to 1.0.2s (Sam Roberts)
  [#28230](https://github.com/nodejs/node/pull/28230)

PR-URL: https://github.com/nodejs/node/pull/29617
2019-10-09 21:25:39 +01:00
Michaël Zasso
d9fd2cd0ff
2019-10-01, Version 12.11.1 (Current)
Notable changes:

* build:
  * This release fixes a regression that prevented from building Node.js
    using the official source tarball.
    https://github.com/nodejs/node/pull/29712
* deps:
  * Updated small-icu data to support "unit" style in the
    `Intl.NumberFormat` API.
    https://github.com/nodejs/node/pull/29735

PR-URL: https://github.com/nodejs/node/pull/29796
2019-10-01 18:44:05 +02:00
Ruben Bridgewater
d36b6f8da3
2019-09-24, Version 12.11.0 (Current)
Notable changes:

* crypto:
  * Add `oaepLabel` option https://github.com/nodejs/node/pull/29489
* deps:
  * Update V8 to 7.7.299.11 https://github.com/nodejs/node/pull/28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    https://github.com/nodejs/node/pull/29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    https://github.com/nodejs/node/pull/29260
* inspector:
  * New API - `Session.connectToMainThread`
    https://github.com/nodejs/node/pull/28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    https://github.com/nodejs/node/pull/28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    https://github.com/nodejs/node/pull/29639
* tls:
  * Add option to override signature algorithms
    https://github.com/nodejs/node/pull/29598
* util:
  * Add `encodeInto` to `TextEncoder`
    https://github.com/nodejs/node/pull/29524
* worker:
  * The `worker_thread` module is now stable
    https://github.com/nodejs/node/pull/29512

PR-URL: https://github.com/nodejs/node/pull/29695
2019-09-26 01:14:24 +02:00
Ruben Bridgewater
02c74e72ea
2019-09-04, Version 12.10.0 (Current)
Notable changes:

* deps:
  * Update npm to 6.10.3 (isaacs)
    https://github.com/nodejs/node/pull/29023
* fs:
  * Add recursive option to rmdir() (cjihrig)
    https://github.com/nodejs/node/pull/29168
  * Allow passing true to emitClose option (Giorgos Ntemiris)
    https://github.com/nodejs/node/pull/29212
  * Add \*timeNs properties to BigInt Stats objects (Joyee Cheung)
    https://github.com/nodejs/node/pull/21387
* net:
  * Allow reading data into a static buffer (Brian White)
    https://github.com/nodejs/node/pull/25436

PR-URL: https://github.com/nodejs/node/pull/29429
2019-09-04 20:10:18 +02:00
Nick Schonning
9e8edb0d79 doc: heading levels should only increment by one
These are flagged by Markdownlint MD001 rule.

PR-URL: https://github.com/nodejs/node/pull/29331
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-08-28 22:47:21 -07:00
Michaël Zasso
d770b8a931
2019-08-26, Version 12.9.1 (Current)
Notable changes:

This release fixes two regressions in the http module:

* Fixes an event listener leak in the HTTP client. This resulted in lots
  of warnings during npm/yarn installs.
  https://github.com/nodejs/node/pull/29245
* Fixes a regression preventing the `'end'` event from being emitted for
  keepalive requests in case the full body was not parsed.
  https://github.com/nodejs/node/pull/29263

PR-URL: https://github.com/nodejs/node/pull/29321
2019-08-26 20:36:17 +02:00
Michaël Zasso
edc83a9203
2019-08-20, Version 12.9.0 (Current)
Notable changes:

* crypto:
  * Added an oaepHash option to asymmetric encryption which allows
    users to specify a hash function when using OAEP padding.
    https://github.com/nodejs/node/pull/28335
* deps:
  * Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955
    * Improves the performance of various APIs such as `JSON.parse` and
      methods called on frozen arrays.
    * Adds the Promise.allSettled method.
    * Improves support of `BigInt` in `Intl` methods.
    * For more information: https://v8.dev/blog/v8-release-76
  * Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070
    * `UV_FS_O_FILEMAP` has been added for faster access to memory
      mapped files on Windows.
    * `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on
      Windows. It previously returned `UV_ENOENT`.
    * The `uv_fs_statfs()` API has been added.
    * The `uv_os_environ()` and `uv_os_free_environ()` APIs have been
      added.
* fs:
  * Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise
    version) methods. They allow to write an array of `ArrayBufferView`s
    to a file descriptor. https://github.com/nodejs/node/pull/25925
    https://github.com/nodejs/node/pull/29186
* http:
  * Added three properties to `OutgoingMessage.prototype`:
    `writableObjectMode`, `writableLength` and `writableHighWaterMark`
    https://github.com/nodejs/node/pull/29018
* stream:
  * Added an new property `readableEnded` to readable streams. Its value
    is set to `true` when the `'end'` event is emitted.
    https://github.com/nodejs/node/pull/28814
  * Added an new property `writableEnded` to writable streams. Its value
    is set to `true` after `writable.end()` has been called.
    https://github.com/nodejs/node/pull/28934

PR-URL: https://github.com/nodejs/node/pull/29210
2019-08-20 21:37:07 +02:00
Beth Griggs
affa23bc88
2019-08-15, Version 8.16.1 'Carbon' (LTS)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29152
2019-08-15 23:30:22 +01:00
Beth Griggs
004e2b759f
2019-08-15, Version 10.16.3 'Dubnium' (LTS)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29148
2019-08-15 22:50:53 +01:00
Michaël Zasso
edc2e5be34
2019-08-15, Version 12.8.1 (Current)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29133
2019-08-15 14:49:36 +02:00
Beth Griggs
f1478e1789
2019-08-06, Version 10.16.2 'Dubnium' (LTS)
Notable changes:

This release patches a regression in the OpenSSL upgrade to 1.1.1c that
 causes intermittent hangs in machines that have low entropy.

Refs: https://github.com/nodejs/node/issues/28932

PR-URL: https://github.com/nodejs/node/pull/29021
2019-08-06 23:29:55 +01:00
Ruben Bridgewater
a9e7441916
2019-08-06, Version 12.8.0 (Current)
Notable changes:

* assert:
  * Legacy mode deprecation (`DEP0089`) is revoked (Colin Ihrig)
    https://github.com/nodejs/node/pull/28892
* crypto:
  * The `outputLength` option is added to `crypto.createHash`
    (Tobias Nießen) https://github.com/nodejs/node/pull/28805
  * The `maxmem` range is increased from 32 to 53 bits (Tobias Nießen)
    https://github.com/nodejs/node/pull/28799
* n-api:
  * Added APIs for per-instance state management (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/28682
* report:
  * Network interfaces get included in the report (cjihrig)
    https://github.com/nodejs/node/pull/28911
* src:
  * `v8.getHeapCodeStatistics()` is now exported
    (Yuriy Vasiyarov) https://github.com/nodejs/node/pull/27978

PR-URL: https://github.com/nodejs/node/pull/29017
2019-08-07 00:25:59 +02:00
Beth Griggs
9d37013ef0
2019-07-31, Version 10.16.1 'Dubnium' (LTS)
Notable changes:

- **deps**: upgrade openssl sources to 1.1.1c (Sam Roberts) [#28212](https://github.com/nodejs/node/pull/28212)
- **stream**: do not unconditionally call `\_read()` on `resume()` (Anna Henningsen) [#26965](https://github.com/nodejs/node/pull/26965)
- **worker**: fix nullptr deref after MessagePort deser failure (Anna Henningsen) [#25076](https://github.com/nodejs/node/pull/25076)

PR-URL: https://github.com/nodejs/node/pull/28731
2019-07-31 20:04:46 +01:00
Michaël Zasso
52c5287aca
2019-07-23, Version 12.7.0 (Current)
Notable changes:

* deps:
  * Updated nghttp2 to 1.39.1. https://github.com/nodejs/node/pull/28448
  * Updated npm to 6.10.0. https://github.com/nodejs/node/pull/28525
* esm:
  * Implemented experimental "pkg-exports" proposal. A new `"exports"`
    field can be added to a module's `package.json` file to provide
    custom subpath aliasing. See
    https://github.com/jkrems/proposal-pkg-exports/ for more
    information. https://github.com/nodejs/node/pull/28568
* http:
  * Added `response.writableFinished`.
    https://github.com/nodejs/node/pull/28681
  * Exposed `headers`, `rawHeaders` and other fields on an
    `http.ClientRequest` `"information"` event.
    https://github.com/nodejs/node/pull/28459
* inspector:
  * Added `inspector.waitForDebugger()`.
    https://github.com/nodejs/node/pull/28453
* policy:
  * Added `--policy-integrity=sri` CLI option to mitigate policy
    tampering. If a policy integrity is specified and the policy does
    not have that integrity, Node.js will error prior to running any
    code. https://github.com/nodejs/node/pull/28734
* readline,tty:
  * Exposed stream API from various methods which write characters.
    https://github.com/nodejs/node/pull/28674
    https://github.com/nodejs/node/pull/28721
* src:
  * Use cgroups to get memory limits. This improves the way we set
    the memory ceiling for a Node.js process. Previously we would use
    the physical memory size to estimate the necessary V8
    heap sizes. The physical memory size is not necessarily the correct
    limit, e.g. if the process is running inside a docker container or
    is otherwise constrained. This change adds the ability to get a
    memory limit set by linux cgroups, which is used by docker
    containers to set resource constraints.
    https://docs.docker.com/config/containers/resource_constraints/
    https://github.com/nodejs/node/pull/27508

PR-URL: https://github.com/nodejs/node/pull/28817
2019-07-23 22:54:24 +02:00
Michaël Zasso
fcf8fe9f1a
2019-07-03, Version 12.6.0 (Current)
Notable changes:

* build:
  * Experimental support for building Node.js on MIPS architecture
    is back. https://github.com/nodejs/node/pull/27992
* child_process:
  * The promisified versions of `child_process.exec` and
    `child_process.execFile` now both return a `Promise` which has the
	child instance attached to their `child` property.
	https://github.com/nodejs/node/pull/28325
* deps:
  * Updated libuv to 1.30.1. https://github.com/nodejs/node/pull/28449,
    https://github.com/nodejs/node/pull/28511
    * Support for the Haiku platform has been added.
    * The maximum `UV_THREADPOOL_SIZE` has been increased from 128 to
	  1024.
    * `uv_fs_copyfile()` now works properly when the source and
	  destination files are the same.
* process:
  * A new method, `process.resourceUsage()` was added. It returns
    resource usage for the current process, such as CPU time.
	https://github.com/nodejs/node/pull/28018
* src:
  * Fixed an issue related to stdio that could lead to a crash of the
    process in some circumstances.
	https://github.com/nodejs/node/pull/28490
* stream:
  * Added a `writableFinished` property to writable streams. It
    indicates that all the data has been flushed to the underlying
	system. https://github.com/nodejs/node/pull/28007
* worker:
  * Fixed an issue that prevented worker threads to listen for data on
    stdin. https://github.com/nodejs/node/pull/28153
* meta:
  * Added Jiawen Geng (https://github.com/gengjiawen) to collaborators.
    https://github.com/nodejs/node/pull/28322

PR-URL: https://github.com/nodejs/node/pull/28508
2019-07-03 15:53:31 +02:00