This option is not useful in practice, as mentioned in comments and the
documentation, because the overhead of calling into JS makes it
unreasonably expensive.
PR-URL: https://github.com/nodejs/node/pull/29144
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
It was called --security-revert prior to 12.x, but changed in
https://github.com/nodejs/node/pull/22490.
See:
https://github.com/nodejs/nodejs.org/pull/2412#issuecomment-521739752
PR-URL: https://github.com/nodejs/node/pull/29153
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit adds support for closing a readline interface
on Control+D when the terminal is dumb.
PR-URL: https://github.com/nodejs/node/pull/29149
Fixes: https://github.com/nodejs/node/issues/29111
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit adds support for closing a readline interface
on Control+C when the terminal is dumb.
PR-URL: https://github.com/nodejs/node/pull/29149
Fixes: https://github.com/nodejs/node/issues/29111
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is work towards resolving the response.finished confusion and
future deprecation.
Note that implementation-wise, streams have both an ending and ended
state. However, in this case (in order to avoid confusion in user space)
writableEnded is equal to writable.ending. The ending vs ended situation
is internal state required for internal stream logic.
PR-URL: https://github.com/nodejs/node/pull/28934
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Since v10.10.0, 'buf' can be any DataView, meaning the largest
byteLength can be Float64Array.BYTES_PER_ELEMENT * kMaxLength =
17,179,869,176.
'offset' can now be up to 2**53 - 1. This makes it possible to tile
reads into a large buffer.
Breaking: now throws if read offset is not a safe int, is null or
is undefined.
Fixes https://github.com/nodejs/node/issues/26563
PR-URL: https://github.com/nodejs/node/pull/26572
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Make `tls.connect()` support an `allowHalfOpen` option which specifies
whether or not to allow the connection to be half-opened when the
`socket` option is not specified.
PR-URL: https://github.com/nodejs/node/pull/27836
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ouyang Yadong <oyydoibh@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Parameter y in cursorTo() is optional and this is also verified by
tests but docs don't state this. Besides that if the newly added
parameter callback is used with no y, it's quite unhandy. This PR allows
to simply omit y.
PR-URL: https://github.com/nodejs/node/pull/29128
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This commit adds a target named testclean to allow for cleaning the
temporary files generated during a test run without having to use the
clean target.
PR-URL: https://github.com/nodejs/node/pull/29094
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Before this commit it was using a tagged union to store the one-byte and
two-byte pointers.
From a `sizeof(UnionBytes)` perspective that makes no difference - there
is a hole between the tag and the union - and it makes the code just a
little harder to reason about, IMO.
PR-URL: https://github.com/nodejs/node/pull/29116
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
We've had a few comments that from the doc it might not
be clear that N-API is the recommended approach for Addons.
As a start, mention N-API early in the non N-API section
as the recommended approach unless lower level access
is required.
PR-URL: https://github.com/nodejs/node/pull/28922
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
A benchmark was added but the appropriate settings were not added to
test-benchmark-buffer. These two additions make sure that the new
benchmark file only runs a single benchmark during testing.
PR-URL: https://github.com/nodejs/node/pull/29163
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
The method descriptions mentioned the right version but for some reason
the top-level description did not. Well, now it does.
PR-URL: https://github.com/nodejs/node/pull/29014
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The exported method can be static as it will never be called directly.
PR-URL: https://github.com/nodejs/node/pull/29102
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Original commit message:
[build] update gen-postmortem-metadata for Python 3
This change makes the code compatible with both Python 2 and Python 3.
Change-Id: I99d68af9c3163607c3a2fdbafac339a98b7471e4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1751331
Commit-Queue: Yang Guo <yangguo@chromium.org>
Reviewed-by: Yang Guo <yangguo@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63207}
Refs: e3d7f8a588
PR-URL: https://github.com/nodejs/node/pull/29105
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU,or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29152
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU,or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29148
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU,or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29133
This commit does two things:
- Reverses the boolean value returned by timeLogImpl(). The new
values make more sense semantically (IMO anyway), and save a
a single NOT operation.
- Explicitly check for undefined when calling _times.get()
instead of coercing the value.
PR-URL: https://github.com/nodejs/node/pull/29100
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.
The associated CVEs are CVE-2019-9512/CVE-2019-9515.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
If we are waiting for the ability to send more output, we should not
process more input. This commit a) makes us send output earlier,
during processing of input, if we accumulate a lot and b) allows
interrupting the call into nghttp2 that processes input data
and resuming it at a later time, if we do find ourselves in a position
where we are waiting to be able to send more output.
This is part of mitigating CVE-2019-9511/CVE-2019-9517.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
If a write to the underlying socket finishes asynchronously, that
means that we cannot write any more data at that point without waiting
for it to finish. If this happens, we should also not be producing any
more input.
This is part of mitigating CVE-2019-9511/CVE-2019-9517.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is intended to mitigate CVE-2019-9518.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Allocating memory upfront comes with overhead, and in particular,
`std::vector` implementations do not necessarily return memory
to the system when one might expect that (e.g. after shrinking the
vector).
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Ignore headers with 0-length names and track memory for headers
the way we track it for other HTTP/2 session memory too.
This is intended to mitigate CVE-2019-9516.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Limit the number of invalid input frames, as they may be pointing
towards a misbehaving peer. The limit is currently set to 1000 but
could be changed or made configurable.
This is intended to mitigate CVE-2019-9514.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Limit the number of streams that are rejected upon creation. Since
each such rejection is associated with an `NGHTTP2_ENHANCE_YOUR_CALM`
error that should tell the peer to not open any more streams,
continuing to open streams should be read as a sign of a misbehaving
peer. The limit is currently set to 100 but could be changed or made
configurable.
This is intended to mitigate CVE-2019-9514.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Lazily allocate `ArrayBuffer`s for the contents of DATA frames.
Creating `ArrayBuffer`s is, sadly, not a cheap operation with V8.
This is part of performance improvements to mitigate CVE-2019-9513.
Together with the previous commit, these changes improve throughput
in the adversarial case by about 100 %, and there is little more
that we can do besides artificially limiting the rate of incoming
metadata frames (i.e. after this patch, CPU usage is virtually
exclusively in libnghttp2).
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
For some JS events, it only makes sense to call into JS when there
are listeners for the event in question.
The overhead is noticeable if a lot of these events are emitted during
the lifetime of a session. To reduce this overhead, keep track of
whether any/how many JS listeners are present, and if there are none,
skip calls into JS altogether.
This is part of performance improvements to mitigate CVE-2019-9513.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
DRY up the `debug()` calls, and in particular, avoid building template
strings before we know whether we need to.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This includes mitigations for CVE-2019-9512/CVE-2019-9515.
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/29104
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/29091
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Currently, if this test is run as the root user the following
failure will occur:
=== release test-fs-access ===
Path: parallel/test-fs-access
(node:46733) internal/test/binding: These APIs are for internal testing
only. Do not use them.
Can't clean tmpdir: /root/node/test/.tmp.522
Files blocking: [ 'read_only_file', 'read_write_file' ]
/root/node/test/common/tmpdir.js:136
throw e;
^
Error: EACCES: permission denied, rmdir '/root/node/test/.tmp.522'
at Object.rmdirSync (fs.js:693:3)
at rmdirSync (/root/node/test/common/tmpdir.js:72:8)
at rimrafSync (/root/node/test/common/tmpdir.js:41:7)
at process.onexit (/root/node/test/common/tmpdir.js:121:5)
at process.emit (events.js:214:15) {
errno: -13,
syscall: 'rmdir',
code: 'EACCES',
path: '/root/node/test/.tmp.522'
}
Command: ./node --expose-internals test/parallel/test-fs-access.js
This commit adds a root user check and skips this test if running as the
user root.
PR-URL: https://github.com/nodejs/node/pull/29092
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
This commit changes the default message used by
ERR_BUFFER_OUT_OF_BOUNDS. Previously, the default
message implied that the problematic was always a
write, which is not accurate.
PR-URL: https://github.com/nodejs/node/pull/29098
Fixes: https://github.com/nodejs/node/issues/29097
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This will allow users to know how to change their project to support
ES modules.
PR-URL: https://github.com/nodejs/node/pull/28950
Reviewed-By: Bradley Farias <bradley.meck@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
