This adds a SECURITY.md file and links to the security document per the
request of @https://github.com/Trott at a recent SF Node meetup.
PR-URL: https://github.com/nodejs/node/pull/24031
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Rather than ponder "node" vs. "Node.js", remove the descriptor so it's
just "command-line options" rather than "node command-line options" or
"Node.js command-line options".
PR-URL: https://github.com/nodejs/node/pull/24029
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Throw an exception instead of crashing when attempting to create
`Buffer` objects from a Context that is not associated with
a Node.js `Environment`.
Possible alternatives for the future might be just returning
a plain `Uint8Array`, or working on providing `Buffer` for all
`Context`s.
PR-URL: https://github.com/nodejs/node/pull/23938
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Low severity timing vulnerability in the DSA signature algorithm
Publicly disclosed but unreleased, pending OpenSSL 1.1.0j, not deemed
severe enough to be assigned a CVE #.
Ref: https://github.com/openssl/openssl/pull/7487
PR-URL: https://github.com/nodejs/node/pull/???
Upstream: https://github.com/openssl/openssl/commit/415c3356
Original commit message:
DSA mod inverse fix
There is a side channel attack against the division used to calculate one of
the modulo inverses in the DSA algorithm. This change takes advantage of the
primality of the modulo and Fermat's little theorem to calculate the inverse
without leaking information.
Thanks to Samuel Weiser for finding and reporting this.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/7487)
PR-URL: https://github.com/nodejs/node/pull/23965
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23971
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Clarify the behavior of what Boxstarter may do when it runs on a box
to install all the necessary tools so that there are no surprises to
the end user when the script is run.
Currently there is no interface that warns the user that Boxstarter
will reboot the machine possibly multiple times depending on how many
dependencies need to be installed and doesn't mention a need to disable
UAC. For folks who see what may look like a reboot loop, we feel it is
necessary to make them aware that UAC will be disabled and they will
need to take action to re-enable UAC manually if they interfere/stop
the script from finishing.
PR-URL: https://github.com/nodejs/node/pull/23987
Fixes: https://github.com/nodejs/Release/issues/369
Reviewed-By: John-David Dalton <john.david.dalton@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Instead of throwing errors in fs.accessSync and then catching it,
handle the result from the binding directly in fs.existsSync.
Note that the argument validation errors still needs to be caught
until we properly deprecate the don't-thrown-on-invalid-arguments
behavior.
PR-URL: https://github.com/nodejs/node/pull/24015
Fixes: https://github.com/nodejs/node/issues/24008
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
This commit updates the check of the offset argument passed to
CallJSOnreadMethod to avoid doing a cast as this currently generates
the following compiler warning when doing a debug build:
./src/stream_base.cc:295:3:
warning: comparison of integers of different signs:
'int32_t' (aka 'int') and 'size_t' (aka 'unsigned long')
[-Wsign-compare]
CHECK_EQ(static_cast<int32_t>(offset), offset);
^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~
PR-URL: https://github.com/nodejs/node/pull/23994
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Matheus Marchini <mat@mmarchini.me>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Currently, when building with --debug
test-async-wrap-pop-id-during-load fails on macosx with the following
error:
$ out/Debug/node test/parallel/test-async-wrap-pop-id-during-load.js
assert.js:86
throw new AssertionError(obj);
^
AssertionError [ERR_ASSERTION]: EXIT CODE: 1, STDERR:
internal/bootstrap/loaders.js:275
const script = new ContextifyScript(
^
RangeError: Maximum call stack size exceeded
at NativeModule.compile (internal/bootstrap/loaders.js:275:22)
at NativeModule.require (internal/bootstrap/loaders.js:168:18)
at assert.js:31:43
at NativeModule.compile (internal/bootstrap/loaders.js:299:7)
at NativeModule.require (internal/bootstrap/loaders.js:168:18)
at internal/process/main_thread_only.js:23:16
at NativeModule.compile (internal/bootstrap/loaders.js:299:7)
at Function.NativeModule.require
(internal/bootstrap/loaders.js:168:18)
at startup (internal/bootstrap/node.js:58:38)
at bootstrapNodeJSCore (internal/bootstrap/node.js:878:3)
at Object.<anonymous>
(/node/test/parallel/test-async-wrap-pop-id-during-load.js:21:8)
at Module._compile (internal/modules/cjs/loader.js:707:30)
at Object.Module._extensions..js
(internal/modules/cjs/loader.js:718:10)
at Module.load (internal/modules/cjs/loader.js:605:32)
at tryModuleLoad (internal/modules/cjs/loader.js:544:12)
at Function.Module._load (internal/modules/cjs/loader.js:536:3)
at Function.Module.runMain (internal/modules/cjs/loader.js:760:12)
at startup (internal/bootstrap/node.js:308:19)
at bootstrapNodeJSCore (internal/bootstrap/node.js:878:3)
This commit suggests increasing the stack_size to 80.
Refs: https://github.com/nodejs/node/pull/20940
PR-URL: https://github.com/nodejs/node/pull/23996
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Original commit message:
undef min,max macros on windows
This blocks building with official clang-cl and Windows SDK
Refs: https://github.com/nodejs/node/issues/19630
Change-Id: I41fdf934f486c660df7a9e0dd284f6eb3c294dd4
Reviewed-on: https://chromium-review.googlesource.com/c/1297479
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Reviewed-by: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57053}
PR-URL: https://github.com/nodejs/node/pull/23985
Refs: dc704497ee
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23813
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Refael Ackermann <refack@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23978
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Simplify text/content.
PR-URL: https://github.com/nodejs/node/pull/23990
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23989
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Make the text shorter and clearer.
PR-URL: https://github.com/nodejs/node/pull/23988
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The LTS bit flip did not include the new title heading for LTS in the
changelog. This commit fixes that.
PR-URL: https://github.com/nodejs/node/pull/23973
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Update invalidcmd test case in test-child-process-spawn-typeerror to
assert on specific expected error code.
PR-URL: https://github.com/nodejs/node/pull/23942
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23968
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Support multi-dot file extensions like '.coffee.md' in Module.load.
PR-URL: https://github.com/nodejs/node/pull/23416
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: John-David Dalton <john.david.dalton@gmail.com>
On some systems the default inotify limits might be too high for the
test to actually fail. Detect and skip the test in such environments.
PR-URL: https://github.com/nodejs/node/pull/23986
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/23976
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This commit supplements some types and their corresponding return
values in docs, including `AsyncResource`, `DiffieHellman`,
`ECDH`, `https.Server`, `repl.REPLServer`.
PR-URL: https://github.com/nodejs/node/pull/23998
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit makes the all prerequisites order-only to prevent this
target's rules to be executed every time which is currently the case as
the all target is a phony target and will be executed every time.
PR-URL: https://github.com/nodejs/node/pull/23951
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Per branding guidelines from the Foundation, use Node.js and not Node.
PR-URL: https://github.com/nodejs/node/pull/23967
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matheus Marchini <mat@mmarchini.me>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Under the assumption that debugging is more often focused on node core
source. This setting compiles V8 with only partial optimizations,
DCHECKS, and debug symbols, so it is still very much debuggable,
but it is much faster.
It does disable SLOW_DCHECKS, but at the advice of the V8 team, those
are more important for deep V8 debugging.
Override is configurable with `./configure --v8-non-optimized-debug`.
PR-URL: https://github.com/nodejs/node/pull/23704
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
This commit allow passing `TypedArray` and `DataView` to:
- v8.deserialize()
- new v8.Deserializer()
- v8.serializer.writeRawBytes()
PR-URL: https://github.com/nodejs/node/pull/23953
Refs: https://github.com/nodejs/node/issues/1826
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Refael Ackermann <refack@gmail.com>
