This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
https://github.com/nodejs/node/pull/10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) https://github.com/nodejs/node/pull/12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
https://github.com/nodejs/node/pull/12123
Notable changes:
Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to
everyone who was affected by 7.7.0.
PR-URL: https://github.com/nodejs/node/pull/11638
Notable changes:
* crypto:
* ability to select cert store at runtime (Adam Majer) #8334
* Use system CAs instead of using bundled ones (Adam Majer) #8334
* deps:
* upgrade npm to 4.1.2 (Kat Marchán) #11020
* upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
* doc: add basic documentation for WHATWG URL API (James M Snell) #10620
* process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
* url: allow use of URL with http.request and https.request (James M Snell) #10638
PR-URL: https://github.com/nodejs/node/pull/11062
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11083
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11081
* It had some minor errors in td/th html tags.
* Make it clear that v5, v0.10, and v0.12 are EOL and unsupported.
We probably don't want people seeing 'LTS' badge next to those
in the current Node.js repo and think that those are still supported.
Not everyone is aware of the nodejs/LTS repo.
This also includes the dates for v5, v0.10 and v0.12 EOL:
- 2016-07-01 for v5
- 2016-11-01 for v0.10
- 2017-01-01 for v0.12
* Make v5/v0.10/v0.12 not bold in CHANGELOG
Make v5, v0.10, v0.12 not bold in the CHANGELOG.md, as bold is said to
be an indication of the most recent actively supported release futher
on the same page.
PR-URL: https://github.com/nodejs/node/pull/10743
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
Notable changes:
* npm: upgrade from v2.15.1 to v2.15.11, including accurate updated license (Jeremiah Senkpiel)
* process: `process.versions.ares` now outputs the c-ares version (Johan Bergström)
PR-URL: https://github.com/nodejs/node/pull/10352
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
https://github.com/nodejs/node/pull/7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) https://github.com/nodejs/node/pull/3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) https://github.com/nodejs/node/pull/7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) https://github.com/nodejs/node/pull/4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) https://github.com/nodejs/node/pull/4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
https://github.com/nodejs/node/pull/6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) https://github.com/nodejs/node/pull/9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) https://github.com/nodejs/node/pull/8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
https://github.com/nodejs/node/pull/9586
PR-URL: https://github.com/nodejs/node/pull/9736
Notable changes:
* buffer: add buffer.transcode to transcode a buffer's content from one
encoding to another primarily using ICU (James M Snell)
* child_process: add public API for IPC channel (cjihrig)
* icu
* Upgraded to ICU 58 - small icu (Steven R. Loomis)
* Add `cldr`, `tz`, and `unicode` to `process.versions` (Steven R. Loomis)
* lib: make `String(global) === '[object global]'` (Anna Henningsen)
* libuv: Upgraded to 1.10.0 (cjihrig)
* readline: use icu based string width calculation (James M Snell)
* src:
* add NODE_PRESERVE_SYMLINKS environment variable that has the same
effect as the `--preserve-symlinks` flag (Marc Udoff)
* Fix `String#toLocaleUpperCase()` and `String#toLocaleLowerCase()`
(Steven R. Loomis)
PR-URL: https://github.com/nodejs/node/pull/9438
Notable changes:
* streams: Fix a regression introduced in v6.8.0 in readable stream
that caused unpipe to remove the wrong stream (Anna Henningsen)
PR-URL: https://github.com/nodejs/node/pull/9186
This release marks the transition of Node.js v6 into Long Term Support
(LTS) with the codename 'Boron'. The v6 release line now moves in to
"Active LTS" and will remain so until April 2018. After that time it
will move in to "Maintenance" until end of life in April 2019.
This is also a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* crypto: Don't automatically attempt to load an OpenSSL configuration
file, from the `OPENSSL_CONF` environment variable or from the
default location for the current platform. Always triggering a
configuration file load attempt may allow an attacker to load
compromised OpenSSL configuration into a Node.js process if they are
able to place a file in a default location. (Fedor Indutny, Rod Vagg)
* node: Introduce the `process.release.lts` property, set to `"Boron"`.
This value is `"Argon"` for v4 LTS releases and `undefined` for all
other releases. (Rod Vagg)
* V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
The parser in V8 mishandled scopes, potentially allowing an attacker
to obtain sensitive information from arbitrary memory locations via
crafted JavaScript code. This vulnerability would require an
attacker to be able to execute arbitrary JavaScript code in a
Node.js process. (Rod Vagg)
* **v8_inspector**: Generate a UUID for each execution of the
inspector. This provides additional security to prevent unauthorized
clients from connecting to the Node.js process via the v8_inspector
port when running with `--inspect`. Since the debugging protocol
allows extensive access to the internals of a running process, and
the execution of arbitrary code, it is important to limit
connections to authorized tools only. Vulnerability originally
reported by Jann Horn. (Eugene Ostroukhov)
PR-URL: https://github.com/nodejs/node-private/pull/81
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/73
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/60
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/64
* src: Fix regression where passing an empty password and/or salt to
crypto.pbkdf2() would cause a fatal error
(Rich Trott) https://github.com/nodejs/node/pull/8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in the
wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/75
* v8: Fix regression where a regex on a frozen object was broken
(Myles Borins) https://github.com/nodejs/node/pull/8673
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted into
Node.js at runtime by masquerading as one of the dynamic engine
modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/46
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/63
PR-URL: https://github.com/nodejs/node-private/pull/74
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl:
- Upgrade to 1.0.1u, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis, Rod Vagg)
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/72
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting
Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded
memory growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/71
This LTS release comes with 89 commits. This includes 46 commits that
are docs related, 11 commits that are test related, 8 commits that are
build related, and 4 commits that are benchmark related.
Notable Changes:
- debugger:
- All properties of an array (aside from length) can now be printed
in the repl (cjihrig)
https://github.com/nodejs/node/pull/6448
- npm:
- Upgrade npm to 2.15.8 (Rebecca Turner)
https://github.com/nodejs/node/pull/7412
- stream:
- Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5. (Anna Henningsen)
https://github.com/nodejs/node/pull/7160
- V8:
- Fix for a bug in crankshaft that was causing crashes on arm64
(Myles Borins)
https://github.com/nodejs/node/pull/7442
- Add missing classes to postmortem info such as JSMap and JSSet
(evan.lucas)
https://github.com/nodejs/node/pull/3792
The current layout is breaking the release post tool.
This commit also removed erroneous entires in the main CHANGELOG for
v4.4.6 and v5.12.0.
PR-URL: https://github.com/nodejs/node/pull/7394
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
* buffer: Ignore negative lengths in calls to Buffer() and
Buffer.allocUnsafe(). This fixes a possible security concern
(reported by Feross Aboukhadijeh) where user input is passed
unchecked to the Buffer constructor or allocUnsafe() as it can
expose parts of the memory slab used by other Buffers in the
application. Note that negative lengths are not supported by the
Buffer API and user input to the constructor should always be
sanitised and type-checked.
(Anna Henningsen) https://github.com/nodejs/node/pull/7030
* npm: Upgrade npm to 3.9.3
(Kat Marchán) https://github.com/nodejs/node/pull/7030
* tty: Default to blocking mode for stdio on OS X. A bug fix
in libuv 1.9.0, introduced in Node.js v6.0.0, exposed problems with
Node's use of non-blocking stdio, particularly on OS X which has a
small output buffer. This change should fix CLI applications that
have been having problems with output since Node.js v6.0.0 on OS X.
The core team is continuing to address stdio concerns that exist
across supported platforms and progress can be tracked at
https://github.com/nodejs/node/pull/6980.
(Jeremiah Senkpiel) https://github.com/nodejs/node/pull/6895
* V8: Upgrade to V8 5.0.71.52. This includes a fix that addresses
problems experienced by users of node-inspector since Node.js
v6.0.0, see https://github.com/nodejs/node/issues/6980 for details.
(Michaël Zasso) https://github.com/nodejs/node/pull/6928
Some references to a few versions were broken, likely in part
due to the transition to a split changelog format.
PR-URL: https://github.com/nodejs/node/pull/6942
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
The changelog was getting rather huge and difficult
to manage. It also wasn't very useful in terms of
being able to quickly find specific Node.js versions,
or tracking the history for a single major release
stream.
This reorganizes the changelog by versions separated
out over multiple files. An index of the most recent
versions is provided in the main log.
PR-URL: https://github.com/nodejs/node/pull/6503
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Robert Lindstaedt <robert.lindstaedt@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Not quite sure how, but quite a few of the commits were missing
from the original changelog generated for v6 relative to v5.11.0.
This updates the change log.
PR-URL: https://github.com/nodejs/node/pull/6435
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
The unfortunate has happened, our CHANGELOG is now over 1 MB and cannot
be viewed on github. This commit breaks the CHANGELOG into two files
so that we can continue to show our changes rendered in the github UI.
Closes: https://github.com/nodejs/node/issues/5533
PR-URL: https://github.com/nodejs/node/pull/6337
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
Also changed alias P.S.V.R to Minqi Pan.
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/6387
PR-URL: https://github.com/nodejs/node/pull/6076
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm
v2 LTS from the previously deprecated npm v1. (Forrest L Norvell)
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker
to set up a server that could collect tokens from users of the
command-line interface. Authentication tokens have previously been
sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This update fixes this
by only including those tokens for requests made against the
registry or registries used for the current install. IMPORTANT:
This is a major upgrade to npm v2 LTS from the previously deprecated
npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
are obsolete and not considered safe. This release of Node.js turns
on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
included in these lists which can be used in SSLv3 and higher. Full
details can be found in our LTS discussion on the matter
(https://github.com/nodejs/LTS/issues/85).
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
PR-URL: https://github.com/nodejs/node/pull/5968
Notable changes:
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker
to set up a server that could collect tokens from users of the
command-line interface. Authentication tokens have previously been
sent with every request made by the CLI for logged-in users,
regardless of the destination of the request. This update fixes this
by only including those tokens for requests made against the
registry or registries used for the current install.
(Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
are obsolete and not considered safe. This release of Node.js turns
on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
included in these lists which can be used in SSLv3 and higher. Full
details can be found in our LTS discussion on the matter
(https://github.com/nodejs/LTS/issues/85).
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712
PR-URL: https://github.com/nodejs/node/pull/5967
Notable Changes
* https:
- Under certain conditions ssl sockets may have been causing a memory
leak when keepalive is enabled. This is no longer the case.
- (Alexander Penev) https://github.com/nodejs/node/pull/5713
* lib:
- The way that we were internally passing arguments was causing a
potential leak. By copying the arguments into an array we can avoid this
- (Nathan Woltman) https://github.com/nodejs/node/pull/4361
* npm:
- Upgrade to v2.15.1. Fixes a security flaw in the use of authentication
tokens in HTTP requests that would allow an attacker to set up a server
that could collect tokens from users of the command-line interface.
Authentication tokens have previously been sent with every request made
by the CLI for logged-in users, regardless of the destination of the
request. This update fixes this by only including those tokens for
requests made against the registry or registries used for the current
install. (Forrest L Norvell)
* repl:
- Previously if you were using the repl in strict mode the column number
would be wrong in a stack trace. This is no longer an issue.
- (Prince J Wesley) https://github.com/nodejs/node/pull/5416
PR-URL: https://github.com/nodejs/node/pull/5961
Notable changes:
* **contextify**: Fixed a memory consumption issue related to heavy use
of `vm.createContext` and `vm.runInNewContext`. (Ali Ijaz Sheikh)
https://github.com/nodejs/node/pull/5392
* **governance**: The following members have been added as
collaborators:
- Andreas Madsen (@AndreasMadsen)
- Benjamin Gruenbaum (@benjamingr)
- Claudio Rodriguez (@claudiorodriguez)
- Glen Keane (@thekemkid)
- Jeremy Whitlock (@whitlockjc)
- Matt Loring (@matthewloring)
- Phillip Johnsen (@phillipj)
* **lib**: copy arguments object instead of leaking it (Nathan Woltman)
https://github.com/nodejs/node/pull/4361
* **src**: allow combination of -i and -e cli flags (Rich Trott)
https://github.com/nodejs/node/pull/5655
* **v8**: backport fb4ccae from v8 upstream (Vladimir Krivosheev) #4231
- breakout events from v8 to offer better support for external
debuggers
* **zlib**: add support for concatenated members (Kári Tristan
Helgason) https://github.com/nodejs/node/pull/5120
PR-URL: https://github.com/nodejs/node/pull/5702
In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.
This release also includes over 70 fixes to our docs and over 50 fixes to tests.
The SEMVER-MINOR changes include:
* deps:
- An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/3609
* http:
- A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) https://github.com/nodejs/node/pull/4482
* src:
- Better support for Big-Endian systems (Bryon Leung) https://github.com/nodejs/node/pull/3410
* tls:
- A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) https://github.com/nodejs/node/pull/2441
* tools
- a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) https://github.com/nodejs/node/pull/4021
Notable semver patch changes include:
* buld:
- Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) https://github.com/nodejs/node/pull/4841
* https:
- A potential fix for https://github.com/nodejs/node/issues/3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) https://github.com/nodejs/node/pull/4982
* installer:
- More readable profiling information from isolate tick logs (Matt Loring) https://github.com/nodejs/node/pull/3032
* *npm:
- upgrade to npm 2.14.20 (Kat Marchán) https://github.com/nodejs/node/pull/5510
* process:
- Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) https://github.com/nodejs/node/pull/4798
* querystring:
- querystring.parse() is now 13-22% faster! (Brian White) https://github.com/nodejs/node/pull/4675
* streams:
- performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) https://github.com/nodejs/node/pull/4354
* tools:
- eslint has been updated to version 2.1.0 (Rich Trott) https://github.com/nodejs/node/pull/5214
PR-URL: https://github.com/nodejs/node/pull/5301
Notable changes:
* openssl: Fully remove SSLv2 support, the `--enable-ssl2` command
line argument will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using SSLv2.
The SSLv2 protocol is widely considered unacceptably broken and
should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
Note that the upgrade to OpenSSL 1.0.1s in Node.js v0.12.11 removed
internal SSLv2 support. The change in this release was originally
intended for v0.12.11. The `--enable-ssl2` command line argument now
produces an error rather than being a no-op.
PR-URL: https://github.com/nodejs/nodejs.org/pull/562
Notable changes:
* http_parser: Update to http-parser 1.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
(Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
This defect enables attackers to execute side-channel attacks
leading to the potential recovery of entire RSA private keys. It
only affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument
will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using
SSLv2. The SSLv2 protocol is widely considered unacceptably broken
and should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
PR-URL: https://github.com/nodejs/node/pull/5404
Notable changes:
* http_parser: Update to http-parser 2.3.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5241
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3885
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3885
* openssl: Upgrade from 1.0.2f to 1.0.2g
(Ben Noordhuis) https://github.com/nodejs/node/pull/5509
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading
to the potential recovery of entire RSA private keys. It only
affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
PR-URL: https://github.com/nodejs/node/pull/5403
Notable changes:
* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
* Fixed several regressions that appeared in v5.7.0:
- path.relative():
- Output is no longer unnecessarily verbose (Brian White)
https://github.com/nodejs/node/pull/5389
- Resolving UNC paths on Windows now works correctly (Owen Smith)
https://github.com/nodejs/node/pull/5456
- Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) https://github.com/nodejs/node/pull/5490
- url: Fixed an off-by-one error with `parse()` (Brian White)
https://github.com/nodejs/node/pull/5394
- dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
https://github.com/nodejs/node/pull/5407
PR-URL: https://github.com/nodejs/node/pull/5464
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
- Fix a defect that makes the _CacheBleed Atta https://ssrg.nicta.com.au/projects/TS/cachebleed/ _ possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.
PR-URL: https://github.com/nodejs/node/pull/5526
* buffer:
- You can now supply an encoding argument when filling a
Buffer Buffer#fill(string[, start[, end]][, encoding]), supplying
an existing Buffer will also work with
Buffer#fill(buffer[, start[, end]]). See the API documentation for
details on how this works. (Trevor Norris) #4935
- Buffer#indexOf() no longer requires a byteOffset argument if you
also wish to specify an encoding:
Buffer#indexOf(val[, byteOffset][, encoding]).
(Trevor Norris) #4803
* child_process: spawn() and spawnSync() now support a 'shell' option
to allow for optional execution of the given command inside a shell.
If set to true, cmd.exe will be used on Windows and /bin/sh
elsewhere. A path to a custom shell can also be passed to override
these defaults. On Windows, this option allows .bat. and .cmd files
to be executed with spawn() and spawnSync(). (Colin Ihrig) #4598
* http_parser: Update to http-parser 2.6.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) #5237
* dgram: socket.send() now supports accepts an array of Buffers or
Strings as the first argument. See the API docs for details on how
this works. (Matteo Collina) #4374
* http: Fix a bug where handling headers will mistakenly trigger an
'upgrade' event where the server is just advertising its protocols.
This bug can prevent HTTP clients from communicating with HTTP/2
enabled servers. (Fedor Indutny) #4337
* net: Added a listening Boolean property to net and http servers to
indicate whether the server is listening for connections.
(José Moreira) #4743
* node: The C++ node::MakeCallback() API is now reentrant and calling
it from inside another MakeCallback() call no longer causes the
nextTick queue or Promises microtask queue to be processed out of
order. (Trevor Norris) #4507
* tls: Add a new tlsSocket.getProtocol() method to get the negotiated
TLS protocol version of the current connection. (Brian White) #4995
* vm: Introduce new 'produceCachedData' and 'cachedData' options to
new vm.Script() to interact with V8's code cache. When a new
vm.Script object is created with the 'produceCachedData' set to true
a Buffer with V8's code cache data will be produced and stored in
cachedData property of the returned object. This data in turn may be
supplied back to another vm.Script() object with a 'cachedData'
option if the supplied source is the same. Successfully executing a
script from cached data can speed up instantiation time. See the API
docs for details. (Fedor Indutny) #4777
* performance: Improvements in:
- process.nextTick() (Ruben Bridgewater) #5092
- path module (Brian White) #5123
- querystring module (Brian White) #5012
- streams module when processing small chunks (Matteo Collina) #4354
PR-URL: https://github.com/nodejs/node/pull/5295
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.6.0 to 2.6.1
* npm: upgrade npm from 3.3.12 to 3.6.0
(Rebecca Turner) https://github.com/nodejs/node/pull/4958
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/24
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/25
Notable changes:
* Fix regression in debugger and profiler functionality
PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Notable Changes:
* Minor performance improvements:
- module: move unnecessary work for early return (Andres Suarez) https://github.com/nodejs/node/pull/3579
* Various bug fixes
* Various doc fixes
* Various test improvements
PR-URL: https://github.com/nodejs/node/pull/4626
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Maintenance release
Notable Changes:
* v8: Fixed an out-of-band write in utf8 decoder. This is an important
security update as it can be used to cause a denial of service
attack.
* openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE
man-in-the-middle protection (Logjam) and fixes malformed
ECParameters causing infinite loop (CVE-2015-1788). See the
security advisory for full details. (Shigeki Ohtsu) #1950#1958
* build:
- Added support for compiling with Microsoft Visual C++ 2015
- Started building and distributing headers-only tarballs along with
binaries
Notable changes:
* buffer:
- Buffer.prototype.includes() has been added to keep parity
with TypedArrays. (Alexander Martin) #3567.
* domains:
- Fix handling of uncaught exceptions.
(Julien Gilli) #3654.
* https:
- Added support for disabling session caching.
(Fedor Indutny) #4252.
* repl:
- Allow third party modules to be imported using
require(). This corrects a regression from 5.2.0.
(Ben Noordhuis) #4215.
* deps:
- Upgrade libuv to 1.8.0.
(Saúl Ibarra Corretgé) #4276.
PR-URL: https://github.com/nodejs/node/pull/4281
Conflicts:
src/node_version.h
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511.
- Update root certificates from the current list stored maintained
by Mozilla NSS. (Ben Noordhuis) #3951.
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021.
PR-URL: https://github.com/nodejs/node/pull/4181
Security Update
Notable items:
* **http**: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against DH, an attack against RSA
and DSA is considered possible but unlikely, EC algorithms are not
affected. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/11
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server using
DHE key exchange. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
in out-of-bounds reads for arrays. (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/12
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket but a
pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133
PR-URL: https://github.com/nodejs/node-private/pull/13
Security Update
Notable items:
* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
part of the strategy to get a version of npm into Node.js v0.10.x that
works with the current registry
(https://github.com/nodejs/LTS/issues/37). This version of npm prints
out a banner each time it is run. The banner warns that the next
standard release of Node.js v0.10.x will ship with a version of npm
v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
#4133
PR-URL: https://github.com/nodejs/node-private/pull/15
* A known issue was resolved but not removed from the list
* The wrong date was documented in the changelog for v4.2.2
PR-URL: https://github.com/nodejs/node/pull/3650
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Notable changes:
* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
these have been deprecated for a long time (Sakthipriyan Vairamani) #2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
accuracy added (Michaël Zasso) #3166.
* fs:
- fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
descriptor as their first argument (Johannes Wüller) #3163.
- (Breaking) In fs.readFile(), if an encoding is specified and the internal
toString() fails the error is no longer thrown but is passed to the callback
(Evan Lucas) #3485.
- (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
callback) form), if the internal toString() fails the error is no longer
thrown but is passed to the callback (Evan Lucas) #3503.
* http:
- Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342.
- (Breaking) When parsing HTTP, don't add duplicates of the following headers:
Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
to the following headers which already block duplicates: Content-Type,
Content-Length, User-Agent, Referer, Host, Authorization,
Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
Max-Forwards (James M Snell) #3090.
- (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
function or a TypeError is thrown (James M Snell) #3090.
- (Breaking) HTTP methods and header names must now conform to the RFC 2616
"token" rule, a list of allowed characters that excludes control characters
and a number of separator characters. Specifically, methods and header names
must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
(James M Snell) #2526.
* node:
- (Breaking) Deprecated the _linklist module (Rich Trott) #3078.
- (Breaking) Removed require.paths and require.registerExtension(), both had
been previously set to throw Error when accessed
(Sakthipriyan Vairamani) #2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
major version bump for npm and it has seen a significant amount of change.
Please see the original npm v3.0.0 release notes for a list of major changes
(Rebecca Turner) #3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
due to the V8 upgrade. Native add-ons will need to be recompiled
(Rod Vagg) #3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
a long-standing known issue where unrefed timers would perviously hold
beforeExit open (Fedor Indutny) #3407.
* tls:
- Added ALPN Support (Shigeki Ohtsu) #2564.
- TLS options can now be passed in an object to createSecurePair()
(Коренберг Марк) #2441.
- (Breaking) The default minimum DH key size for tls.connect() is now 1024
bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
option can be used to override the default. (Shigeki Ohtsu) #1831.
* util:
- (Breaking) util.p() was deprecated for years, and has now been removed
(Wyatt Preul) #3432.
- (Breaking) util.inherits() can now work with ES6 classes. This is considered
a breaking change because of potential subtle side-effects caused by a
change from directly reassigning the prototype of the constructor using
`ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
(Michaël Zasso) #3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351.
- Implements the spread operator, see
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
for further information.
- Implements new.target, see
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
file) (Yuval Brik) #2595.
PR-URL: https://github.com/nodejs/node/pull/3466
PR-URL: https://github.com/nodejs/node/pull/3360
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Update the label for v4.2.0 to (LTS) from (Stable)
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3343
Notable changes
* http:
- Fix out-of-order 'finish' event bug in pipelining that can abort
execution, fixes DoS vulnerability CVE-2015-7384
(Fedor Indutny) #3128
- Account for pending response data instead of just the data on the
current request to decide whether pause the socket or not
(Fedor Indutny) #3128
* libuv: Upgraded from v1.7.4 to v1.7.5, see release notes for details
(Saúl Ibarra Corretgé) #3010
- A better rwlock implementation for all Windows versions
- Improved AIX support
* v8:
- Upgraded from v4.5.103.33 to v4.5.103.35 (Ali Ijaz Sheikh) #3117
- Backported f782159 from v8's upstream to help speed up Promise
introspection (Ben Noordhuis) #3130
- Backported c281c15 from v8's upstream to add JSTypedArray length
in post-mortem metadata (Julien Gilli) #3031
PR-URL: https://github.com/nodejs/node/pull/3128
Notable changes
* buffer: Fixed a bug introduced in v4.1.0 where allocating a new
zero-length buffer can result in the next allocation of a TypedArray
in JavaScript not being zero-filled. In certain circumstances this
could result in data leakage via reuse of memory space in
TypedArrays, breaking the normally safe assumption that TypedArrays
should be always zero-filled. (Trevor Norris) #2931.
* http: Guard against response-splitting of HTTP trailing headers
added via response.addTrailers() by removing new-line ([\r\n])
characters from values. Note that standard header values are already
stripped of new-line characters. The expected security impact is low
because trailing headers are rarely used. (Ben Noordhuis) #2945.
* npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full
details (Kat Marchán) #2958
- Upgrades graceful-fs on multiple dependencies to no longer rely on
monkey-patching fs
- Fix npm link for pre-release / RC builds of Node
* v8: Update post-mortem metadata to allow post-mortem debugging tools
to find and inspect:
- JavaScript objects that use dictionary properties
(Julien Gilli) #2959
- ScopeInfo and thus closures (Julien Gilli) #2974
PR-URL: https://github.com/nodejs/node/pull/2995
* buffer: Fixed a minor errors that was causing crashes
(Michaël Zasso) #2635,
* child_process: Fix error that was causing crashes (Evan Lucas) #2727
* crypto: Replace use of rwlocks, unsafe on Windows XP / 2003
(Ben Noordhuis) #2723
* libuv: Upgrade from 1.7.3 to 1.7.4 (Saúl Ibarra Corretgé) #2817
* node: Fix faulty process.release.libUrl on Windows (Rod Vagg) #2699
* node-gyp: Float v3.0.3 which has improved support for Node.js and
io.js v0.10 to v4+ (Rod Vagg) #2700
* npm: Upgrade to version 2.14.3 from 2.13.3, includes a security
update, see https://github.com/npm/npm/releases/tag/v2.14.2 for more
details, (Kat Marchán) #2696.
* timers: Improved timer performance from porting the 0.12
implementation, plus minor fixes (Jeremiah Senkpiel) #2540,
(Julien Gilli) nodejs/node-v0.x-archive#8751nodejs/node-v0.x-archive#8905
PR-URL: https://github.com/nodejs/node/pull/2698
This list of changes is relative to the last io.js v3.x branch
release, v3.3.0. Please see the list of notable changes in the v3.x,
v2.x and v1.x releases for a more complete list of changes from
0.12.x. Note, that some changes in the v3.x series as well as major
breaking changes in this release constitute changes required for full
convergence of the Node.js and io.js projects.
* child_process: ChildProcess.prototype.send() and process.send()
operate asynchronously across all platforms so an optional callback
parameter has been introduced that will be invoked once the message
has been sent, i.e. .send(message[, sendHandle][, callback])
(Ben Noordhuis) #2620.
* node: Rename "io.js" code to "Node.js" (cjihrig) #2367.
* node-gyp: This release bundles an updated version of node-gyp that
works with all versions of Node.js and io.js including nightly and
release candidate builds. From io.js v3 and Node.js v4 onward, it
will only download a headers tarball when building addons rather
than the entire source. (Rod Vagg) #2700.
* npm: Upgrade to version 2.14.2 from 2.13.3, includes a security
update, see https://github.com/npm/npm/releases/tag/v2.14.2 for more
details, (Kat Marchán) #2696.
* timers: Improved timer performance from porting the 0.12
implementation, plus minor fixes (Jeremiah Senkpiel) #2540,
(Julien Gilli) nodejs/node-v0.x-archive#8751nodejs/node-v0.x-archive#8905
* util: The util.is*() functions have been deprecated, beginning with
deprecation warnings in the documentation for this release, users
are encouraged to seek more robust alternatives in the npm registry,
(Sakthipriyan Vairamani) #2447.
* v8: Upgrade to version 4.5.103.30 from 4.4.63.30 (Ali Ijaz Sheikh) #2632.
- Implement new TypedArray prototype methods: copyWithin(), every(),
fill(), filter(), find(), findIndex(), forEach(), indexOf(),
join(), lastIndexOf(), map(), reduce(), reduceRight(), reverse(),
slice(), some(), sort(). See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
for further information.
- Implement new TypedArray.from() and TypedArray.of() functions. See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
for further information.
- Implement arrow functions. See
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions
for further information.
- Full ChangeLog available at
https://github.com/v8/v8-git-mirror/blob/4.5.103/ChangeLog
PR-URL: https://github.com/nodejs/node/pull/2742
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Notable changes:
* build: Add a --link-module option to configure that can be used to
bundle additional JavaScript modules into a built binary
(Bradley Meck) #2497
* docs: Merge outstanding doc updates from joyent/node
(James M Snell) #2378
* http_parser: Significant performance improvement by having
http.Server consume all initial data from its net.Socket and parsing
directly without having to enter JavaScript. Any 'data' listeners on
the net.Socket will result in the data being "unconsumed" into
JavaScript, thereby undoing any performance gains.
(Fedor Indutny) #2355
* libuv: Upgrade to 1.7.3 (from 1.6.1), see
https://github.com/libuv/libuv/blob/v1.x/ChangeLog for details
(Saúl Ibarra Corretgé) #2310
* V8: Upgrade to 4.4.63.30 (from 4.4.63.26) (Michaël Zasso) #2482
cherry-picked from v3.x @ 1a6e52db30
PR-URL: https://github.com/nodejs/node/pull/2653
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
Notable changes:
* events: Added EventEmitter#listenerCount(event) as a replacement for
EventEmitter.listenerCount(emitter, event), which has now been
marked as deprecated in the docs. (Sakthipriyan Vairamani) #2349
* module: Fixed an error with preloaded modules when the current
working directory doesn't exist. (Bradley Meck) #2353
* node: Startup time is now about 5% faster when not passing V8 flags.
(Evan Lucas) #2483
* repl: Tab-completion now works better with arrays.
(James M Snell) #2409
* string_bytes: Fixed an unaligned write in the handling of UCS2
encoding. (Fedor Indutny) #2480
* tls: Added a new --tls-cipher-list flag that can be used to override
the built-in default cipher list. (James M Snell) #2412
PR-URL: https://github.com/nodejs/node/pull/2512
This commit replaces instances of io.js with Node.js, based on the
recent convergence. There are some remaining instances of io.js,
related to build and the installer.
Fixes: https://github.com/nodejs/node/issues/2361
PR-URL: https://github.com/nodejs/node/pull/2367
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
Notable changes:
* buffer:
- Due to changes in V8, it has been necessary to reimplement Buffer
on top of V8's Uint8Array. While every effort has been made to
maintain performance, users are likely to experience a different
performance profile depending on how Buffer is used.
(Trevor Norris) #1825.
- Buffer can now take ArrayBuffers as a constructor argument
(Trevor Norris) #2002.
- When a single buffer is passed to Buffer.concat(), a new, copied
Buffer object will be returned; previous behavior was to return
the original Buffer object (Sakthipriyan Vairamani) #1937.
* build: PPC support has been added to core to allow compiling on
pLinux BE and LE (AIX support coming soon) (Michael Dawson) #2124.
* dgram: If an error occurs within socket.send() and a callback has
been provided, the error is only passed as the first argument to the
callback and not emitted on the socket object; previous behavior was
to do both (Matteo Collina & Chris Dickinson) #1796
* freelist: Deprecate the undocumented freelist core module
(Sakthipriyan Vairamani) #2176.
* http:
- Status codes now all use the official IANA names as per RFC7231,
e.g. http.STATUS_CODES[414] now returns 'URI Too Long' rather than
'Request-URI Too Large' (jomo) #1470.
- Calling .getName() on an HTTP agent no longer returns a trailing
colon, HTTPS agents will no longer return an extra colon near the
middle of the string (Brendan Ashworth) #1617.
* node:
- NODE_MODULE_VERSION has been bumped to 45 to reflect the break in
ABI (Rod Vagg) #2096.
- Introduce a new process.release object that contains a name
property set to 'io.js' and sourceUrl, headersUrl and libUrl
(Windows only) properties containing URLs for the relevant
resources; this is intended to be used by node-gyp
(Rod Vagg) #2154.
- The version of node-gyp bundled with io.js now downloads and uses
a tarball of header files from iojs.org rather than the full
source for compiling native add-ons; it is hoped this is a
temporary floating patch and the change will be upstreamed to
node-gyp soon (Rod Vagg) #2066.
* repl: Persistent history is now enabled by default. The history file
is located at ~/.node_repl_history, which can be overridden by the
new environment variable NODE_REPL_HISTORY. This deprecates the
previous NODE_REPL_HISTORY_FILE variable. Additionally, the format
of the file has been changed to plain text to better handle file
corruption. (Jeremiah Senkpiel) #2224.
* smalloc: The smalloc module has been removed as it is no longer
possible to provide the API due to changes in V8
(Ben Noordhuis) #2022.
* tls: Add server.getTicketKeys() and server.setTicketKeys() methods
for TLS session key rotation (Fedor Indutny) #2227.
* v8: Upgraded to 4.4.63.26
- ES6: Enabled computed property names
- ES6: Array can now be subclassed in strict mode
- ES6: Implement rest parameters in staging, use the
--harmony-rest-parameters command line flag
- ES6: Implement the spread operator in staging, use the
--harmony-spreadcalls command line flag
- Removed SetIndexedPropertiesToExternalArrayData and related APIs,
forcing a shift to Buffer to be reimplemented based on Uint8Array
- Introduction of Maybe and MaybeLocal C++ API for objects which may
or may not have a value.
- Added support for PPC
PR-URL: https://github.com/nodejs/io.js/pull/2299
Notable changes
* deps: Fixed an out-of-band write in utf8 decoder.
This is an important security update as it can be used to cause a
denial of service attack.
Notable changes
build:
- Added support for compiling with Microsoft Visual C++ 2015
- Started building and distributing headers-only tarballs along with binaries
PR-URL: https://github.com/nodejs/io.js/pull/1996
Notable changes
* module: The number of syscalls made during a require() have been
significantly reduced again (see #1801 from v2.2.0 for previous
work), which should lead to a performance improvement
(Pierre Inglebert) #1920.
* npm:
- Upgrade to v2.11.2 (Rebecca Turner) #1956.
- Upgrade to v2.11.3 (Forrest L Norvell) #2018.
* zlib: A bug was discovered where the process would abort if the
final part of a zlib decompression results in a buffer that would
exceed the maximum length of 0x3fffffff bytes (~1GiB). This was
likely to only occur during buffered decompression (rather than
streaming). This is now fixed and will instead result in a thrown
RangeError (Michaël Zasso) #1811.
Notable Changes:
* libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details.
(Saúl Ibarra Corretgé) #1905#1889. Highlights include:
- Fix TTY becoming blocked on OS X
- Fix UDP send callbacks to not to be synchronous
- Add uv_os_homedir() (exposed as os.homedir(), see below)
* npm: See full release notes for details. (Kat Marchán) #1899. Highlight:
- Use GIT_SSH_COMMAND (available as of Git 2.3)
* openssl:
- Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection
(Logjam) and fixes malformed ECParameters causing infinite loop
(CVE-2015-1788). See the security advisory for full details.
(Shigeki Ohtsu) #1950#1958
- Support FIPS mode of OpenSSL, see README for instructions.
(Fedor Indutny) #1890
* os: Add os.homedir() method. (Colin Ihrig) #1791
* smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822
* Add new collaborators:
- Alex Kocharin (@rlidwka)
- Christopher Monsanto (@monsanto)
- Ali Ijaz Sheikh (@ofrobots)
- Oleg Elifantiev (@Olegas)
- Domenic Denicola (@domenic)
- Rich Trott (@Trott)
PR-URL: https://github.com/nodejs/io.js/pull/1808
Notable Changes:
* node: Speed-up require() by replacing usage of fs.statSync() and
fs.readFileSync() with internal variants that are faster for this use-case
and do not create as many objects for the garbage collector to clean up.
The primary two benefits are: significant increase in application start-up
time on typical applications and better start-up time for the debugger by
eliminating almost all of the thousands of exception events.
(Ben Noordhuis) #1801.
* node: Resolution of pre-load modules (-r or --require) now follows the
standard require() rules rather than just resolving paths, so you can now
pre-load modules in node_modules. (Ali Ijaz Sheikh) #1812.
* npm: Upgraded npm to v2.11.0. New hooks for preversion, version, and
postversion lifecycle events, some SPDX-related license changes and license
file inclusions. See the release notes for full details.
PR-URL: https://github.com/nodejs/io.js/pull/1777
Notable Changes:
* crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be
1024 bits or longer or an error will be thrown. A warning will also be printed
to the console if you supply less than 2048 bits. See https://weakdh.org/ for
further context on this security concern. (Shigeki Ohtsu) #1739.
* node: A new --trace-sync-io command line flag will print a warning and a stack
trace whenever a synchronous API is used. This can be used to track down
synchronous calls that may be slowing down an application.
(Trevor Norris) #1707.
* node: To allow for chaining of methods, the setTimeout(), setKeepAlive(),
setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http',
'https' and 'tls' now return the current instance instead of undefined
(Roman Reiss & Evan Lucas) #1699#1768#1779.
* npm: Upgraded to v2.10.1, release notes can be found in
https://github.com/npm/npm/releases/tag/v2.10.1 and
https://github.com/npm/npm/releases/tag/v2.10.0.
* util: A significant speed-up (in the order of 35%) for the common-case of a
single string argument to util.format(), used by console.log()
(Сковорода Никита Андреевич) #1749.
PR-URL: https://github.com/iojs/io.js/pull/1679
Notable Changes:
* win,node-gyp: the delay-load hook for windows addons has now been
correctly enabled by default, it had wrongly defaulted to off in the
release version of 2.0.0 (Bert Belder) #1433
* os: tmpdir()'s trailing slash stripping has been refined to fix an
issue when the temp directory is at '/'. Also considers which slash is
used by the operating system. (cjihrig) #1673
* tls: default ciphers have been updated to use gcm and aes128 (Mike
MacCana) #1660
* build: v8 snapshots have been re-enabled by default as suggested by
the v8 team, since prior security issues have been resolved. This
should give some perf improvements to both startup and vm context
creation. (Trevor Norris) #1663
* src: fixed preload modules not working when other flags were used
before --require (Yosuke Furukawa) #1694
* dgram: fixed send()'s callback not being asynchronous (Yosuke
Furukawa) #1313
* readline: emitKeys now keeps buffering data until it has enough to
parse. This fixes an issue with parsing split escapes. (Alex Kocharin)
* cluster: works now properly emit 'disconnect' to cluser.worker (Oleg
Elifantiev) #1386
events: uncaught errors now provide some context (Evan Lucas) #1654
PR-URL: https://github.com/iojs/io.js/pull/1532
Notable Changes:
* crypto: significantly reduced memory usage for TLS (Fedor Indutny & Сковорода
Никита Андреевич) #1529
* net: socket.connect() now accepts a 'lookup' option for a custom DNS
resolution mechanism, defaults to dns.lookup() (Evan Lucas) #1505
* npm: Upgrade npm to 2.9.0. See the v2.8.4 and v2.9.0 release notes for
details. Notable items:
- Add support for default author field to make npm init -y work without
user-input (@othiym23) npm/npm/d8eee6cf9d
- Include local modules in npm outdated and npm update (@ArnaudRinquin)
npm/npm#7426
- The prefix used before the version number on npm version is now configurable
via tag-version-prefix (@kkragenbrink) npm/npm#8014
* os: os.tmpdir() is now cross-platform consistent and will no longer returns a
path with a trailling slash on any platform (Christian Tellnes) #747
* process:
- process.nextTick() performance has been improved by between 2-42% across the
benchmark suite, notable because this is heavily used across core (Brian White) #1548
- New process.geteuid(), process.seteuid(id), process.getegid() and
process.setegid(id) methods allow you to get and set effective UID and GID
of the process (Evan Lucas) #1536
* repl:
- REPL history can be persisted across sessions if the NODE_REPL_HISTORY_FILE
environment variable is set to a user accessible file,
NODE_REPL_HISTORY_SIZE can set the maximum history size and defaults to 1000
(Chris Dickinson) #1513
- The REPL can be placed in to one of three modes using the NODE_REPL_MODE
environment variable: sloppy, strict or magic (default); the new magic mode
will automatically run "strict mode only" statements in strict mode
(Chris Dickinson) #1513
* smalloc: the 'smalloc' module has been deprecated due to changes coming in V8
4.4 that will render it unusable
* util: add Promise, Map and Set inspection support (Christopher Monsanto) #1471
* V8: upgrade to 4.2.77.18, see the ChangeLog for full details. Notable items:
- Classes have moved out of staging; the class keyword is now usable in strict
mode without flags
- Object literal enhancements have moved out of staging; shorthand method and
property syntax is now usable ({ method() { }, property })
- Rest parameters (function(...args) {}) are implemented in staging behind the
--harmony-rest-parameters flag
- Computed property names ({['foo'+'bar']:'bam'}) are implemented in staging
behind the --harmony-computed-property-names flag
- Unicode escapes ('\u{xxxx}') are implemented in staging behind the
--harmony_unicode flag and the --harmony_unicode_regexps flag for use in
regular expressions
* Windows:
- Random process termination on Windows fixed (Fedor Indutny) #1512 / #1563
- The delay-load hook introduced to fix issues with process naming (iojs.exe /
node.exe) has been made opt-out for native add-ons. Native add-ons should
include 'win_delay_load_hook': 'false' in their binding.gyp to disable this
feature if they experience problems . (Bert Belder) #1433
* Governance:
- Rod Vagg (@rvagg) was added to the Technical Committee (TC)
- Jeremiah Senkpiel (@Fishrock123) was added to the Technical Committee (TC)
Notable Changes:
* build: revert vcbuild.bat changes
* changes inherited from v1.8.0:
* build: Support for building io.js as a static
library (Marat Abdullin) #1341
* npm: Upgrade npm to 2.8.3. (Forrest L Norvell) #1448
* deps: upgrade openssl to 1.0.2a (Shigeki Ohtsu) #1389
* src: allow multiple arguments to be passed to
process.nextTick (Trevor Norris) #1077
* module: the interaction of require('.') with NODE_PATH has been
restored and deprecated. This functionality will be removed at
a later point. (Roman Reiss) #1363
Notable Changes:
* build: Support for building io.js as a static
library (Marat Abdullin) #1341
* deps: upgrade openssl to 1.0.2a (Shigeki Ohtsu) #1389
* npm: Upgrade npm to 2.8.3. (Forrest L Norvell) #1448
* src: allow multiple arguments to be passed to
process.nextTick (Trevor Norris) #1077
* module: the interaction of require('.') with NODE_PATH has been
restored and deprecated. This functionality will be removed at
a later point. (Roman Reiss) #1363
Notable changes:
* C++ API: Fedor Indutny contributed a feature to V8 which has been
backported to the V8 bundled in io.js. SealHandleScope allows a C++
add-on author to seal a HandleScope to prevent further, unintended
allocations within it. Currently only enabled for debug builds of
io.js. This feature helped detect the leak in #1075 and is now
activated on the root HandleScope in io.js. (Fedor Indutny) #1395.
* ARM: This release includes significant work to improve the state of
ARM support for builds and tests. The io.js CI cluster's ARMv6,
ARMv7 and ARMv8 build servers are now all (mostly) reporting passing
builds and tests.
- ARMv8 64-bit (AARCH64) is now properly supported, including a
backported fix in libuv that was mistakenly detecting the
existence of `epoll_wait()`. (Ben Noordhuis) #1365.
- ARMv6: #1376 reported a problem with Math.exp() on ARMv6 (incl
Raspberry Pi). The culprit is erroneous codegen for ARMv6 when
using the "fast math" feature of V8. --nofast_math has been turned
on for all ARMv6 variants by default to avoid this, fast math can
be turned back on with --fast_math. (Ben Noordhuis) #1398.
- Tests: timeouts have been tuned specifically for slower platforms,
detected as ARMv6 and ARMv7. (Roman Reiss) #1366.
* npm: Upgrade npm to 2.7.6. See the release notes
(https://github.com/npm/npm/releases/tag/v2.7.6) for details.
Notable changes:
* npm: upgrade npm to 2.7.5. See the npm CHANGELOG.md for details.
Includes two important security fixes.
https://github.com/npm/npm/blob/master/CHANGELOG.md#v275-2015-03-26
* openssl: preliminary work has been done for an upcoming upgrade to
OpenSSL 1.0.2a #1325 (Shigeki Ohtsu). See #589 for additional details.
* timers: a minor memory leak when timers are unreferenced was fixed,
alongside some related timers issues #1330 (Fedor Indutny). This
appears to have fixed the remaining leak reported in #1075.
* android: it is now possible to compile io.js for Android and related
devices #1307 (Giovanny Andres Gongora Granada).
Notable changes:
* fs: corruption can be caused by fs.writeFileSync() and append-mode
fs.writeFile() and fs.writeFileSync() under certain circumstances,
reported in #1058, fixed in #1063 (Olov Lassus).
* iojs: an "internal modules" API has been introduced to allow core
code to share JavaScript modules internally only without having to
expose them as a public API, this feature is for core-only #848
(Vladimir Kurchatkin).
* timers: two minor problems with timers have been fixed:
- Timer#close() is now properly idempotent #1288 (Petka Antonov).
- setTimeout() will only run the callback once now after an
unref() during the callback #1231 (Roman Reiss).
* Windows: a "delay-load hook" has been added for compiled add-ons
on Windows that should alleviate some of the problems that Windows
users may be experiencing with add-ons in io.js #1251
(Bert Belder).
* V8: minor bug-fix upgrade for V8 to 4.1.0.27.
* npm: upgrade npm to 2.7.4. See npm CHANGELOG.md for details.
Notable Changes:
* Windows: The ongoing work in improving the state of Windows support
has resulted in full test suite passes once again. As noted in the
release notes for v1.4.2, CI system and configuration problems
prevented it from properly reporting problems with the Windows
tests, the problems with the CI and the codebase appear to have been
fully resolved.
* FreeBSD: A kernel bug impacting io.js/Node.js was discovered and a
patch has been introduced to prevent it causing problems for io.js
(Fedor Indutny) #1218.
* module: you can now require('.') instead of having to require('./'),
this is considered a bugfix (Michaël Zasso) #1185.
* v8: updated to 4.1.0.25 including patches for --max_old_space_size
values above 4096 and Solaris support, both of which are already
included in io.js.
Notable Changes:
* node: a new -r or --require command-line option can be used to
pre-load modules at start-up (Ali Ijaz Sheikh)
* querystring: parse() and stringify() are now faster (Brian White)
* http: the http.ClientRequest#flush() method has been deprecated and
replaced with http.ClientRequest#flushHeaders() to match the same
change now in Node.js v0.12 as per
https://github.com/joyent/node/pull/9048 (Yosuke Furukawa)
* net: allow server.listen() to accept a String option for port, e.g.
{ port: "1234" }, to match the same option being accepted in
net.connect() as of https://github.com/joyent/node/pull/9268 (Ben
Noordhuis)
* tls: further work on the reported memory leak although there appears
to be a minor leak remaining for the use-case in question, track
progress at https://github.com/iojs/io.js/issues/1075.
* v8: backport a fix for an integer overflow when --max_old_space_size
values above 4096 are used (Ben Noordhuis)
* platforms: the io.js CI system now reports passes on FreeBSD and
SmartOS (_Solaris_).
* npm: upgrade npm to 2.7.1. See the npm CHANGELOG.md for details.
https://github.com/npm/npm/blob/master/CHANGELOG.md#v271-2015-03-05
Notable changes:
* buffer: New `Buffer#indexOf()` method, modelled off `Array#indexOf()`.
Accepts a String, Buffer or a Number. Strings are interpreted as UTF8.
(Trevor Norris) https://github.com/iojs/io.js/pull/561
* fs: `options` object properties in `'fs'` methods no longer perform a
`hasOwnProperty()` check, thereby allowing options objects to have
prototype properties that apply. (Jonathan Ong)
https://github.com/iojs/io.js/pull/635
* tls: A likely TLS memory leak was reported by PayPal. Some of the recent
changes in stream_wrap appear to be to blame. The initial fix is in
https://github.com/iojs/io.js/pull/1078, you can track the progress
toward closing the leak at
https://github.com/iojs/io.js/issues/1075 (Fedor Indutny).
* npm: Upgrade npm to 2.7.0. See npm CHANGELOG.md:
https://github.com/npm/npm/blob/master/CHANGELOG.md#v270-2015-02-26
for details including why this is a semver-minor when it could have
been semver-major.
* TC: Colin Ihrig (@cjihrig) resigned from the TC due to his desire to do
more code and fewer meetings.
Notable changes:
* stream: Fixed problems for platforms without `writev()` support,
particularly Windows. Changes introduced in 1.4.1, via
https://github.com/iojs/io.js/pull/926, broke some
functionality for these platforms, this has now been addressed.
https://github.com/iojs/io.js/pull/1008 (Fedor Indutny)
* arm: We have the very beginnings of ARMv8 / ARM64 / AARCH64
support. An upgrade to OpenSSL 1.0.2 is one requirement for full
support. https://github.com/iojs/io.js/pull/1028
(Ben Noordhuis)
* Add new collaborator: Julian Duque @julianduque
Notable changes:
* process / promises: An'unhandledRejection' event is now emitted on
process whenever a Promise is rejected and no error handler is
attached to the Promise within a turn of the event loop. A
'rejectionHandled' event is now emitted whenever a Promise was
rejected and an error handler was attached to it later than after an
event loop turn. See the process documentation for more detail.
https://github.com/iojs/io.js/pull/758 (Petka Antonov)
* streams: you can now use regular streams as an underlying socket for
tls.connect() https://github.com/iojs/io.js/pull/758 (Fedor Indutny)
* http: A new 'abort' event emitted when a http.ClientRequest is
aborted by the client. https://github.com/iojs/io.js/pull/945
(Evan Lucas)
* V8: Upgrade V8 to 4.1.0.21. Includes an embargoed fix, details
should be available at
https://code.google.com/p/chromium/issues/detail?id=430201
when embargo is lifted. A breaking ABI change has been held back
from this upgrade, possibly to be included when io.js merges V8 4.2.
See https://github.com/iojs/io.js/pull/952 for discussion.
* npm: Upgrade npm to 2.6.0. Includes features to support the new
registry and to prepare for npm@3. See npm CHANGELOG.md
https://github.com/npm/npm/blob/master/CHANGELOG.md#v260-2015-02-12
for details.
* libuv: Upgrade to 1.4.2. See libuv ChangeLog
https://github.com/libuv/libuv/blob/v1.x/ChangeLog for details of
fixes.
This adds more consistency, plus links to commits are particularly useful.
PR-URL: https://github.com/iojs/io.js/pull/967
Reviewed-By: Rod Vagg <rod@vagg.org>
The CHANGELOG referenced PR 847, but should really be 846.
PR-URL: https://github.com/iojs/io.js/pull/903
Reviewed-By: Christian Tellnes <christian@tellnes.no>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Notable changes:
* url: `url.resolve('/path/to/file', '.')` now returns `/path/to/`
with the trailing slash, `url.resolve('/', '.')` returns `/`.
https://github.com/iojs/io.js/issues/278 (Amir Saboury)
* tls: tls (and in turn https) now rely on a stronger default
cipher suite which excludes the RC4 cipher. If you still want to
use RC4, you have to specify your own ciphers suite.
https://github.com/iojs/io.js/issues/826 (Roman Reiss)
Notable changes:
* stream:
- Simpler stream construction, see
https://github.com/iojs/readable-stream/issues/102 for details.
This extends the streams base objects to make their constructors
accept default implementation methods, reducing the boilerplate
required to implement custom streams. An updated version of
readable-stream will eventually be released to match this change
in core. (@sonewman)
* dns:
- `lookup()` now supports an `'all'` boolean option, default to
`false` but when turned on will cause the method to return an
array of *all* resolved names for an address, see,
https://github.com/iojs/io.js/pull/744 (@silverwind)
* assert:
- Remove `prototype` property comparison in `deepEqual()`,
considered a bugfix, see https://github.com/iojs/io.js/pull/636
(@vkurchatkin)
- Introduce a `deepStrictEqual()` method to mirror `deepEqual()`
but performs strict equality checks on primitives, see
https://github.com/iojs/io.js/pull/639 (@vkurchatkin)
* **tracing**:
- Add LTTng (Linux Trace Toolkit Next Generation) when compiled
with the `--with-lttng` option. Trace points match those
available for DTrace and ETW.
https://github.com/iojs/io.js/pull/702 (@thekemkid)
* npm upgrade to 2.5.1
* **libuv** upgrade to 1.4.0
* Add new collaborators:
- Aleksey Smolenchuk (@lxe)
- Shigeki Ohtsu (@shigeki)
Include mention of privateEncrypt and publicDecrypt in changelog.
PR-URL: https://github.com/iojs/io.js/pull/722
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Notable changes:
* debug: fix v8 post-mortem debugging.
* crypto: publicEncrypt now supports password-protected private keys.
* crypto: ~30% speedup on hashing functions.
* errors
- better formatting via util.inspect
- more descriptive errors from fs. This necessitated a
NODE_MODULE_VERSION bump.
- more descriptive errors from http.setHeader
* dep updates:
- npm: upgrade to 2.4.1
- http-parser: rollback to 2.3.0
- libuv: update to 1.3.0
- v8: update to 4.1.0.14
* http.request: inherited properties on options are now respected
* add iterable interface to buffers.
* fs: fix fd leak on `fs.createReadStream`. See 497fd72 for details.
* installer: on Windows, emit WM_SETTINGCHANGE after install to make
other running processes aware of the PATH changes.
* Added new collaborators:
- Vladimir Kurchatkin (@vkurchatkin)
- Micleușanu Nicu (@micnic)
Notable changes:
* npm upgrade to 2.3.0 fixes Windows "uid is undefined" errors
* crypto.pseudoRandomBytes() is now an alias for crypto.randomBytes()
and will block if there is insufficient entropy to produce secure
values. See https://github.com/iojs/io.js/commit/e5e5980 for details.
* Patch for V8 to properly detect ARMv6; binaries now work again on
ARMv6 (Raspberry Pi etc.)
* Minor V8 upgrade from 4.1.0.7 to 4.1.0.12
* 'punycode' core module bumped from stability level 2-Unstable,
to 3-Stable
* Added new collaborators:
- Thorsten Lorenz (@thlorenz)
- Stephen Belanger (@qard)
- Jeremiah Senkpiel (@fishrock123)
- Evan Lucas (@evanlucas)
- Brendan Ashworth (@brendanashworth)
`url.format()` doesn't take a `path` option; the change that
introduced it was reverted in 913addbff5.
PR: https://github.com/iojs/io.js/pull/546
Reviewed-by: Ben Noordhuis <info@bnoordhuis.nl>
Notable changes
* V8 upgrade from 3.31 to 4.1, this is not a major upgrade, the version number "4.1" signifies tracking towards Chrome 41. The 3.31 branch is now not tracking towards a stable release.
* Re-enable Windows XP / 2003 support
* npm upgrade to 2.2.0
* Improved FreeBSD support
Add more consistent verbs to each changelog entry, add missing periods,
trim white-space and fix sorting of entries.
PR-URL: https://github.com/iojs/io.js/pull/360
Reviewed-By: Rod Vagg <rod@vagg.org>