0
0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
Commit Graph

354 Commits

Author SHA1 Message Date
Myles Borins
9802d466cc
2017-05-02, Version 4.8.3 'Argon' (Maintenance)
Notable Changes:

* module:
  - The module loading global fallback to the Node executable's
    directory now works correctly on Windows.
    (Richard Lau) https://github.com/nodejs/node/pull/9283
* src:
  - fix base64 decoding in rare edgecase
    (Nikolai Vavilov) https://github.com/nodejs/node/pull/11995
* tls:
  - fix rare segmentation faults when using TLS
   * (Trevor Norris) https://github.com/nodejs/node/pull/11947
   * (Ben Noordhuis) https://github.com/nodejs/node/pull/11898
   * (jBarz) https://github.com/nodejs/node/pull/11776

PR-URL: https://github.com/nodejs/node/pull/12499
2017-05-02 19:54:13 +02:00
Gautam krishna.R
b837bd2792 doc: fix typo in CHANGELOG.md
PR-URL: https://github.com/nodejs/node/pull/12434
Fixes: https://github.com/nodejs/node/issues/12430
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
2017-04-16 10:47:47 -07:00
Italo A. Casas
b8f416023d
2017-04-11, Version 7.9.0 (Current)
Notable changes:

* util: console is now closer to what is supported in all major browsers
(Roman Reiss) [#10308](https://github.com/nodejs/node/pull/10308)

PR-URL: https://github.com/nodejs/node/pull/12319
2017-04-11 13:39:32 -04:00
Myles Borins
f7a31180ad
2017-04-04, Version 4.8.2 'Argon' (Maintenance)
This is a maintenance release to fix a memory leak that was
introduced in 4.8.1.

It also includes an upgrade to zlib 1.2.11 to fix a number of low
severity CVEs that were present in zlib 1.2.8.

http://seclists.org/oss-sec/2016/q4/602

Notable changes:

* crypto:
  - fix memory leak if certificate is revoked (Tom Atkinson)
    https://github.com/nodejs/node/pull/12089
* deps:
  - upgrade zlib to 1.2.11 (Sam Roberts)
    https://github.com/nodejs/node/pull/10980
2017-04-04 14:40:28 +02:00
Myles Borins
28f8b17ffb
2017-04-04, Version 6.10.2 'Boron' (LTS)
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.

This includes:

 * a fix for memory leak in the crypto module that
   was introduced in 6.10.1
 * a fix for a regression introduced to the windows repl in 6.10.0
 * a backported fix for V8 to stop a segfault that could occur
   when using spread syntax

It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.

http://seclists.org/oss-sec/2016/q4/602

Notable changes

* crypto:
  - fix memory leak if certificate is revoked (Tom Atkinson)
    https://github.com/nodejs/node/pull/12089
* deps:
  - upgrade zlib to 1.2.11 (Sam Roberts)
    https://github.com/nodejs/node/pull/10980
  - backport V8 fixes for spread syntax regression causing segfaults
    (Michaël Zasso) https://github.com/nodejs/node/pull/12037
* repl:
  - Revert commit that broke REPL display on Windows (Myles Borins)
    https://github.com/nodejs/node/pull/12123
2017-04-04 14:23:35 +02:00
Myles Borins
9b2dd47704 2017-03-28, Version 7.8.0 (Current)
Notable changes:

* buffer:
  - do not segfault on out-of-range index (Timothy Gu)
    https://github.com/nodejs/node/pull/11927
* crypto:
  - Fix memory leak if certificate is revoked (Tom Atkinson)
    https://github.com/nodejs/node/pull/12089
* deps:
  * upgrade npm to 4.2.0 (Kat Marchán)
    https://github.com/nodejs/node/pull/11389
  * fix async await desugaring in V8 (Michaël Zasso)
    https://github.com/nodejs/node/pull/12004
* readline:
  - add option to stop duplicates in history (Danny Nemer)
    https://github.com/nodejs/node/pull/2982
* src:
  - add native URL class (James M Snell)
    https://github.com/nodejs/node/pull/11801

PR-URL: https://github.com/nodejs/node/pull/12104
2017-03-28 23:05:21 -04:00
cjihrig
7e6e7d34f3 2017-03-21, Version 7.7.4 (Current)
Notable changes:

* deps: Add node-inspect 1.10.6 (Jan Krems) https://github.com/nodejs/node/pull/11869
* inspector: proper WS URLs when bound to 0.0.0.0 (Eugene Ostroukhov) https://github.com/nodejs/node/pull/11850
* tls: fix segfault on destroy after partial read. (Ben Noordhuis) https://github.com/nodejs/node/pull/11898

PR-URL: https://github.com/nodejs/node/pull/11941
2017-03-21 17:44:18 -04:00
Myles Borins
2569c909ba
2017-03-21, Version 6.10.1 'Boron' (LTS)
Notable changes

* performance: The performance of several APIs has been improved.
  - `Buffer.compare()` is up to 35% faster on average. (Brian White)
    https://github.com/nodejs/node/pull/10927
  - `buffer.toJSON()` is up to 2859% faster on average. (Brian White)
    https://github.com/nodejs/node/pull/10895
  - `fs.*statSync()` functions are now up to 9.3% faster on average.
    (Brian White) https://github.com/nodejs/node/pull/11522
  - `os.loadavg` is up to 151% faster. (Brian White)
    https://github.com/nodejs/node/pull/11516
  - `process.memoryUsage()` is up to 34% faster. (Brian White)
    https://github.com/nodejs/node/pull/11497
  - `querystring.unescape()` for `Buffer`s is 15% faster on average.
    (Brian White) https://github.com/nodejs/node/pull/10837
  - `querystring.stringify()` is up to 7.8% faster on average.
    (Brian White) https://github.com/nodejs/node/pull/10852
  - `querystring.parse()` is up to 21% faster on average. (Brian White)
    https://github.com/nodejs/node/pull/10874

* IPC:
  - Batched writes have been enabled for process IPC on platforms that
    support Unix Domain Sockets. (Alexey Orlenko)
    https://github.com/nodejs/node/pull/10677
  - Performance gains may be up to 40% for some workloads.

* child_process:
  - `spawnSync` now returns a null `status` when child is terminated by
    a signal. (cjihrig) https://github.com/nodejs/node/pull/11288
  - This fixes the behavior to act like `spawn()` does.

* http:
  - Control characters are now always rejected when using
    `http.request()`. (Ben Noordhuis)
    https://github.com/nodejs/node/pull/8923
  - Debug messages have been added for cases when headers contain
    invalid values. (Evan Lucas)
    https://github.com/nodejs/node/pull/9195

* node:
  - Heap statistics now support values larger than 4GB. (Ben Noordhuis)
    https://github.com/nodejs/node/pull/10186

* timers:
  - Timer callbacks now always maintain order when interacting with
    domain error handling. (John Barboza)
    https://github.com/nodejs/node/pull/10522

PR-URL: https://github.com/nodejs/node/pull/11759
2017-03-21 14:31:07 -07:00
Myles Borins
7738cf22c2
2017-03-21, Version 4.8.1 'Argon' (LTS)
Notable Changes:

* buffer:
  - The performance of `.toJSON()` is now up to 2859% faster on average
    (Brian White) https://github.com/nodejs/node/pull/10895

* IPC:
  - Batched writes have been enabled for process IPC on platforms that
    support Unix Domain Sockets. (Alexey Orlenko)
    https://github.com/nodejs/node/pull/10677
  - Performance gains may be up to 40% for some workloads.

* http:
  - Control characters are now always rejected when using
    `http.request()`. (Ben Noordhuis)
    https://github.com/nodejs/node/pull/8923

* node:
  - Heap statistics now support values larger than 4GB. (Ben Noordhuis)
    https://github.com/nodejs/node/pull/10186

PR-URL: https://github.com/nodejs/node/pull/11760
2017-03-21 14:20:51 -07:00
Italo A. Casas
bc26c62524
2017-03-14, Version 7.7.3 (Current)
Notable changes:

* module: The [module loading global fallback]
(https://nodejs.org/dist/latest-v6.x/docs/api/modules.html#modules_loading_from_the_global_folders)
to the Node executable's directory now works correctly on Windows.
(Richard Lau) [#9283](https://github.com/nodejs/node/pull/9283)

* net: `Socket.prototype.connect` now once again functions without
a callback. (Juwan Yoo) [#11762](https://github.com/nodejs/node/pull/11762)

* url: `URL.prototype.origin` now properly specified an opaque return of
`'null'` for `file://` URLs. (Brian White)
[#11691](https://github.com/nodejs/node/pull/11691)

PR-URL: https://github.com/nodejs/node/pull/11831
2017-03-14 18:39:08 -04:00
Evan Lucas
b394cf35c5 2017-03-08, Version 7.7.2 (Current)
Notable changes:

* doc: add `Daijiro Wachi` to collaborators (Daijiro Wachi) https://github.com/nodejs/node/pull/11676
* tty: add ref() so process.stdin.ref() etc. work (Ben Schmidt) https://github.com/nodejs/node/pull/7360
* util: fix inspecting symbol key in string (Ali BARIN) https://github.com/nodejs/node/pull/11672

PR-URL: https://github.com/nodejs/node/pull/11745
2017-03-08 16:03:18 -06:00
Italo A. Casas
77249adf84
2017-03-01, Version 7.7.1 (Current)
Notable changes:

Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to
everyone who was affected by 7.7.0.

PR-URL: https://github.com/nodejs/node/pull/11638
2017-03-01 19:51:47 -05:00
Italo A. Casas
abc13e56b6
2017-02-28, Version 7.7.0 (Current)
Notables changes:

* child_process: spawnSync() exit code now is null when the child is killed via signal (cjihrig)
[#11288](https://github.com/nodejs/node/pull/11288)
* http: new functions to access the headers for an outgoing HTTP message (Brian White)
[#11562](https://github.com/nodejs/node/pull/11562)
* lib: deprecate node --debug at runtime (Josh Gavant)
[#11275](https://github.com/nodejs/node/pull/11275)
* tls: new tls.TLSSocket() supports sec ctx options (Sam Roberts)
[#11005](https://github.com/nodejs/node/pull/11005)
* url: adding URL.prototype.toJSON support (Michaël Zasso)
[#11236](https://github.com/nodejs/node/pull/11236)
* doc: items in the API documentation may now have changelogs (Anna Henningsen)
[#11489](https://github.com/nodejs/node/pull/11489)
* crypto: adding support for OPENSSL_CONF again (Sam Roberts)
[#11006](https://github.com/nodejs/node/pull/11006)
* src: adding support for trace-event tracing (misterpoe)
[#11106](https://github.com/nodejs/node/pull/11106)

PR-URL: https://github.com/nodejs/node/pull/11553
2017-02-28 21:58:21 -05:00
Italo A. Casas
2b5d83d4df
2017-02-21, Version 7.6.0 (Current)
Notable changes:

* deps:
    * update V8 to 5.5 (Michaël Zasso) [#11029](https://github.com/nodejs/node/pull/11029)
    * upgrade libuv to 1.11.0 (cjihrig) [#11094](https://github.com/nodejs/node/pull/11094)
    * add node-inspect 1.10.4 (Jan Krems) [#10187](https://github.com/nodejs/node/pull/10187)
    * upgrade zlib to 1.2.11 (Sam Roberts) [#10980](https://github.com/nodejs/node/pull/10980)
* lib: build `node inspect` into `node` (Anna Henningsen) [#10187](https://github.com/nodejs/node/pull/10187)
* crypto: Remove expired certs from CNNIC whitelist (Shigeki Ohtsu) [#9469](https://github.com/nodejs/node/pull/9469)
* inspector: add --inspect-brk (Josh Gavant) [#11149](https://github.com/nodejs/node/pull/11149)
* fs: allow WHATWG URL objects as paths (James M Snell) [#10739](https://github.com/nodejs/node/pull/10739)
* src: support UTF-8 in compiled-in JS source files (Ben Noordhuis) [#11129](https://github.com/nodejs/node/pull/11129)
* url: extend url.format to support WHATWG URL (James M Snell) [#10857](https://github.com/nodejs/node/pull/10857)

PR-URL: https://github.com/nodejs/node/pull/11185
2017-02-21 21:38:53 -05:00
Myles Borins
aecb0859e5
2017-02-21, Version 6.10.0 'Boron' (LTS)
Notable Changes:

The SEMVER-MINOR changes include:

*  crypto: allow adding extra certs to well-known CAs (Sam Roberts)
   https://github.com/nodejs/node/pull/9139
*  deps: Upgrade INTL ICU to version 58 (Steven R. Loomis)
   https://github.com/nodejs/node/pull/9234
*  process: add `process.memoryUsage.external` (Fedor Indutny)
   https://github.com/nodejs/node/pull/9587
*  src: add wrapper for process.emitWarning() (Sam Roberts)
   https://github.com/nodejs/node/pull/9139

Notable SEMVER-PATCH changes include:

*  fs: cache non-symlinks in realpathSync. (Jeremy Yallop)
   https://github.com/nodejs/node/pull/10253
*  repl: allow autocompletion for scoped packages (Evan Lucas)
   https://github.com/nodejs/node/pull/10296

PR-URL: https://github.com/nodejs/node/pull/10974
2017-02-21 21:10:39 -05:00
Myles Borins
49c5ff4408
2017-02-21, Version 4.8.0 'Argon' (LTS)
Notable Changes:

* child_process: add shell option to spawn() (cjihrig)
  https://github.com/nodejs/node/pull/4598
* crypto:
  * add ALPN Support (Shigeki Ohtsu)
    https://github.com/nodejs/node/pull/2564
  * allow adding extra certs to well-known CAs (Sam Roberts)
    https://github.com/nodejs/node/pull/9139
* deps:
  * v8: expose statistics about heap spaces (Ben Ripkens)
    https://github.com/nodejs/node/pull/4463
* fs: add the fs.mkdtemp() function. (Florian MARGAINE)
  https://github.com/nodejs/node/pull/5333
* process:
  * add `externalMemory` to `process` (Fedor Indutny)
    https://github.com/nodejs/node/pull/9587
  * add process.cpuUsage() (Patrick Mueller)
    https://github.com/nodejs/node/pull/10796

PR-URL: https://github.com/nodejs/node/pull/10973
2017-02-21 20:45:47 -05:00
Evan Lucas
a1c91eccbb 2017-01-31, Version 7.5.0 (Current)
Notable changes:

* crypto:
  * ability to select cert store at runtime (Adam Majer) #8334
  * Use system CAs instead of using bundled ones (Adam Majer) #8334
* deps:
  * upgrade npm to 4.1.2 (Kat Marchán) #11020
  * upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
* doc: add basic documentation for WHATWG URL API (James M Snell) #10620
* process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
* url: allow use of URL with http.request and https.request (James M Snell) #10638

PR-URL: https://github.com/nodejs/node/pull/11062
2017-01-31 20:48:02 -06:00
Myles Borins
54fef6761e
2017-01-31, Version 4.7.3 'Argon' (LTS)
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k

Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website

https://nodejs.org/en/blog/vulnerability/openssl-january-2017/

Notable Changes:

* deps:
  - upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
		https://github.com/nodejs/node/pull/11021

PR-URL: https://github.com/nodejs/node/pull/11083
2017-01-31 20:00:04 -05:00
Myles Borins
5faaf07063 2017-01-31, Version 6.9.5 'Boron' (LTS)
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k

Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website

https://nodejs.org/en/blog/vulnerability/openssl-january-2017/

Notable Changes:

* deps:
  - upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
		https://github.com/nodejs/node/pull/11021

PR-URL: https://github.com/nodejs/node/pull/11081
2017-01-31 17:12:54 -05:00
Сковорода Никита Андреевич
f3f2468bdc doc: fix CHANGELOG.md table formatting
* It had some minor errors in td/th html tags.
* Make it clear that v5, v0.10, and v0.12 are EOL and unsupported.

We probably don't want people seeing 'LTS' badge next to those
in the current Node.js repo and think that those are still supported.
Not everyone is aware of the nodejs/LTS repo.

This also includes the dates for v5, v0.10 and v0.12 EOL:
 - 2016-07-01 for v5
 - 2016-11-01 for v0.10
 - 2017-01-01 for v0.12

* Make v5/v0.10/v0.12 not bold in CHANGELOG

Make v5, v0.10, v0.12 not bold in the CHANGELOG.md, as bold is said to
be an indication of the most recent actively supported release futher
on the same page.

PR-URL: https://github.com/nodejs/node/pull/10743
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
2017-01-16 11:28:20 -08:00
Myles Borins
8066215e5d 2017-01-05, Version 6.9.4 'Boron' (LTS)
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
2017-01-05 18:00:28 -05:00
Myles Borins
d4d3e2f674 2017-01-05, Version 4.7.2 'Argon' (LTS)
This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
2017-01-05 17:58:05 -05:00
Evan Lucas
b8f6c1fff5 2017-01-04, Version 7.4.0 (Current)
Notable changes:

* buffer:
  - Improve performance of Buffer allocation by ~11% (Brian White) https://github.com/nodejs/node/pull/10443
  - Improve performance of Buffer.from() by ~50% (Brian White) https://github.com/nodejs/node/pull/10443
* events: Improve performance of EventEmitter.once() by ~27% (Brian White) https://github.com/nodejs/node/pull/10445
* fs: Allow passing Uint8Array to fs methods where Buffers are supported. (Anna Henningsen) https://github.com/nodejs/node/pull/10382
* http: Improve performance of http server by ~7% (Brian White) https://github.com/nodejs/node/pull/6533
* npm: Upgrade to v4.0.5 (Kat Marchán) https://github.com/nodejs/node/pull/10330

PR-URL: https://github.com/nodejs/node/pull/10589
2017-01-04 12:42:04 -06:00
Myles Borins
b26a469211 2017-01-03, Version 4.7.1 'Argon' (LTS)
This LTS release comes with 180 commits. This includes 117 which are
test related, 34 which are doc related, 15 which are build / tool
related, and 1 commit which is an update to dependencies.

Notable Changes:

* build:
  - shared library support is now working for AIX builds
    (Stewart Addison) https://github.com/nodejs/node/pull/9675
* repl:
  - Passing options to the repl will no longer overwrite defaults
    (cjihrig) https://github.com/nodejs/node/pull/7826
* timers:
  - Re canceling a cancelled timers will no longer throw
    (Jeremiah Senkpiel) https://github.com/nodejs/node/pull/9685

PR-URL: https://github.com/nodejs/node/pull/10395
2017-01-03 19:10:36 -05:00
Myles Borins
2bf1c24f6a 2017-01-03, Version 6.9.3 'Boron' (LTS) Release
This LTS release comes with 312 commits. This includes 229 that are
test related, 62 that are docs related, 17 which are build / tools
related, and 4 commits which are updates to dependencies.

Notable Changes:

* build:
  - shared library support is now working for AIX builds
    (Stewart Addison) https://github.com/nodejs/node/pull/9675
* deps:
    - *npm*: upgrade npm to 3.10.10 (Rebecca Turner)
             https://github.com/nodejs/node/pull/9847
    - *V8*: Destructuring of arrow function arguments via computed
            property no longer throws (Michaël Zasso)
            https://github.com/nodejs/node/pull/10386)
* inspector:
  - /json/version returns object, not an object wrapped in an array
    (Ben Noordhuis) https://github.com/nodejs/node/pull/9762
* module:
  - using --debug-brk and --eval together now works as expected
    (Kelvin Jin) https://github.com/nodejs/node/pull/8876
* process:
  - improve performance of nextTick up to 20% (Evan Lucas)
    https://github.com/nodejs/node/pull/8932
* repl:
    - the division operator will no longer be accidentally parsed as
      regex (Teddy Katz) https://github.com/nodejs/node/pull/10103
    - improved support for generator functions (Teddy Katz)
      https://github.com/nodejs/node/pull/9852
* timers:
  - Re canceling a cancelled timers will no longer throw
    (Jeremiah Senkpiel) https://github.com/nodejs/node/pull/9685

PR-URL: https://github.com/nodejs/node/pull/10394
2017-01-03 18:55:26 -05:00
Rod Vagg
2a5f789141 2016-12-21 Version 0.12.18 (Maintenance) Release
Notable changes:

* npm: upgrade from v2.15.1 to v2.15.11, including accurate updated license (Jeremiah Senkpiel)
* process: `process.versions.ares` now outputs the c-ares version (Johan Bergström)

PR-URL: https://github.com/nodejs/node/pull/10352
2016-12-22 01:50:07 +11:00
cjihrig
ffd01da0f2 2016-12-20, Version 7.3.0 (Current)
Notable changes:

* buffer:
  - buffer.fill() now works properly for the UCS2 encoding on
    Big-Endian machines.
    (Anna Henningsen) https://github.com/nodejs/node/pull/9837
* cluster:
  - disconnect() now returns a reference to the disconnected
    worker. (Sean Villars)
    https://github.com/nodejs/node/pull/10019
* crypto:
  - The built-in list of Well-Known CAs (Certificate Authorities)
    can now be extended via a NODE_EXTRA_CA_CERTS environment
    variable. (Sam Roberts)
    https://github.com/nodejs/node/pull/9139
* http:
  - Remove stale timeout listeners in order to prevent a memory leak
    when using keep alive. (Karl Böhlmark)
    https://github.com/nodejs/node/pull/9440
* tls:
  - Allow obvious key/passphrase combinations. (Sam Roberts)
    https://github.com/nodejs/node/pull/10294
* url:
  - Including base argument in URL.originFor() to meet specification
    compliance. (joyeecheung)
    https://github.com/nodejs/node/pull/10021
  - Improve URLSearchParams to meet specification compliance.
    (Timothy Gu) https://github.com/nodejs/node/pull/9484

PR-URL: https://github.com/nodejs/node/pull/10277
2016-12-20 16:43:12 -05:00
Jeremiah Senkpiel
8ab8363677 2016-12-06, Version 7.2.1 (Current)
Notable changes:

* buffer:
  - Reverted the runtime deprecation of calling `Buffer()` without
`new`. (Anna Henningsen) https://github.com/nodejs/node/pull/9529
  - Fixed `buffer.transcode()` for single-byte character
encodings to `UCS2`. (Anna Henningsen)
https://github.com/nodejs/node/pull/9838
* promise: `--trace-warnings` now produces useful stacktraces for
Promise warnings. (Anna Henningsen)
https://github.com/nodejs/node/pull/9525
* repl: Fixed a bug preventing correct parsing of generator functions.
(Teddy Katz) https://github.com/nodejs/node/pull/9852
* V8: Fixed a significant `instanceof` performance regression.
(Franziska Hinkelmann) https://github.com/nodejs/node/pull/9730

PR-URL: https://github.com/nodejs/node/pull/10127
2016-12-06 17:40:56 -05:00
Myles Borins
6ade6dedab 2016-12-06, Version 4.7.0 'Argon' (LTS)
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.

Notable Changes:

The SEMVER-MINOR changes include:

* build:
  - export openssl symbols on Windows making it possible to build
    addons linked against the bundled version of openssl (Alex Hultman)
    https://github.com/nodejs/node/pull/7576
* debugger:
  - make listen address configurable in the debugger server
    (Ben Noordhuis) https://github.com/nodejs/node/pull/3316
* dgram:
  - generalized send queue to handle close fixing a potential throw
    when dgram socket is closed in the listening event handler.
    (Matteo Collina) https://github.com/nodejs/node/pull/7066
* http:
  - Introduce the 451 status code "Unavailable For Legal Reasons"
    (Max Barinov) https://github.com/nodejs/node/pull/4377
* tls:
  - introduce `secureContext` for `tls.connect` which is useful for
    caching client certificates, key, and CA certificates.
    (Fedor Indutny) https://github.com/nodejs/node/pull/4246

Notable SEMVER-PATCH changes include:

* build:
  - introduce the configure --shared option for embedders (sxa555)
    https://github.com/nodejs/node/pull/6994
* gtest:
  - the test reporter now outputs tap comments as yamlish
    (Johan Bergström) https://github.com/nodejs/node/pull/9262
* src:
  - node no longer aborts when c-ares initialization fails
    (Ben Noordhuis) https://github.com/nodejs/node/pull/8710
* tls:
  - fix memory leak when writing data to TLSWrap instance during
    handshake (Fedor Indutny)
    https://github.com/nodejs/node/pull/9586

PR-URL: https://github.com/nodejs/node/pull/9736
2016-12-06 14:58:36 -05:00
Myles Borins
c4391f4664 2016-12-06, Version 6.9.2 'Boron' (LTS) Release
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies

Notable Changes:

* buffer:
  - coerce slice parameters consistently
    (Sakthipriyan Vairamani (thefourtheye))
    https://github.com/nodejs/node/pull/9101
* deps:
    - *npm*:
      - upgrade npm to 3.10.9 (Kat Marchán)
       https://github.com/nodejs/node/pull/9286
    - *V8*:
      - Various fixes to destructuring edge cases
        - cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
          https://github.com/nodejs/node/pull/9138
        - cherry pick 7166503 from upstream v8 (Cristian Cavalli)
          https://github.com/nodejs/node/pull/9173
* gtest:
  - the test reporter now outputs tap comments as yamlish
    (Johan Bergström) https://github.com/nodejs/node/pull/9262
* inspector:
  - inspector now prompts user to use 127.0.0.1 rather than localhost
    (Eugene Ostroukhov) https://github.com/nodejs/node/pull/9451
* tls:
  - fix memory leak when writing data to TLSWrap instance during
    handshake (Fedor Indutny)
    https://github.com/nodejs/node/pull/9586

PR-URL: https://github.com/nodejs/node/pull/9735
2016-12-06 14:32:30 -05:00
Jeremiah Senkpiel
db3f12f7e0 2016-11-22, Version 7.2.0 (Current)
This is a security release impacting Windows 10 users.

Notable changes:

* crypto: The `Decipher` methods `setAuthTag()` and `setAAD` now return
`this`. (Kirill Fomichev) https://github.com/nodejs/node/pull/9398
* dns: Implemented `{ttl: true}` for `resolve4()` and `resolve6()`.
(Ben Noordhuis) https://github.com/nodejs/node/pull/9296 &
https://github.com/nodejs/node/pull/9296
* libuv: Upgrade to v1.10.1 (cjihrig)
https://github.com/nodejs/node/pull/9647
  - Fixed a potential buffer overflow when writing data to console on
Windows 10. (CVE-2016-9551)
* process: Added a new `external` property to the data returned by
`memoryUsage()`. (Fedor Indutny)
https://github.com/nodejs/node/pull/9587
* tls: Fixed a memory leak when writes were queued on TLS connection
that was destroyed during handshake. (Fedor Indutny)
https://github.com/nodejs/node/pull/9626
* V8 (dep): Upgrade to v5.4.500.43 (Michaël Zasso)
https://github.com/nodejs/node/pull/9697
* v8: The data returned by `getHeapStatistics()` now includes three new
fields: `malloced_memory`, `peak_malloced_memory`, and
`does_zap_garbage`. (Gareth Ellis)
https://github.com/nodejs/node/pull/8610

PR-URL: https://github.com/nodejs/node/pull/9745
2016-11-22 18:46:07 -05:00
Evan Lucas
9314886053 2016-11-08, Version 7.1.0 (Current)
Notable changes:

* buffer: add buffer.transcode to transcode a buffer's content from one
  encoding to another primarily using ICU (James M Snell)
* child_process: add public API for IPC channel (cjihrig)
* icu
  * Upgraded to ICU 58 - small icu (Steven R. Loomis)
  * Add `cldr`, `tz`, and `unicode` to `process.versions` (Steven R. Loomis)
* lib: make `String(global) === '[object global]'` (Anna Henningsen)
* libuv: Upgraded to 1.10.0 (cjihrig)
* readline: use icu based string width calculation (James M Snell)
* src:
  * add NODE_PRESERVE_SYMLINKS environment variable that has the same
    effect as the `--preserve-symlinks` flag (Marc Udoff)
  * Fix `String#toLocaleUpperCase()` and `String#toLocaleLowerCase()`
    (Steven R. Loomis)

PR-URL: https://github.com/nodejs/node/pull/9438
2016-11-08 15:14:16 -06:00
Myles Borins
3562658bed 2016-11-08, Version 4.6.2 'Argon' (LTS)
This LTS release comes with 219 commits. This includes 80 commits that
are docs related, 58 commits that are test related, 20 commits that
are build / tool related, and 9 commits that are updates to
dependencies.

Notable Changes

* build:
  - It is now possible to build the documentation from the release
    tarball (Anna Henningsen)
    https://github.com/nodejs/node/pull/8413
* buffer:
  - Buffer.alloc() will no longer incorrectly return a zero filled
    buffer when an encoding is passed (Teddy Katz)
    https://github.com/nodejs/node/pull/9238
* deps:
  - upgrade npm in LTS to 2.15.11 (Kat Marchán)
    https://github.com/nodejs/node/pull/8928
* repl:
  - Enable tab completion for global properties (Lance Ball)
    https://github.com/nodejs/node/pull/7369
* url:
  - `url.format()` will now encode all `#` in `search` (Ilkka Myller)
    https://github.com/nodejs/node/pull/8072

PR-URL: https://github.com/nodejs/node/pull/9298
2016-11-08 14:42:44 -05:00
James M Snell
1e4fafcb1a 2016-10-25, Version 7.0.0 (Current)
Notable Changes:

* Buffer
  * Passing invalid input to Buffer.byteLength will now throw an error [#8946](https://github.com/nodejs/node/pull/8946).
  * Calling Buffer without new is now deprecated and will emit a process warning [#8169](https://github.com/nodejs/node/pull/8169).
  * Passing a negative number to allocUnsafe will now throw an error [#7079](https://github.com/nodejs/node/pull/7079).
* Child Process
  * The fork and execFile methods now have stronger argument validation [#7399](https://github.com/nodejs/node/pull/7399).
* Cluster
  * The worker.suicide method is deprecated and will emit a process warning [#3747](https://github.com/nodejs/node/pull/3747).
* Deps
  * V8 has been updated to 5.4.500.36 [#8317](https://github.com/nodejs/node/pull/8317), [#8852](https://github.com/nodejs/node/pull/8852), [#9253](https://github.com/nodejs/node/pull/9253).
  * NODE_MODULE_VERSION has been updated to 51 [#8808](https://github.com/nodejs/node/pull/8808).
* File System
  * A process warning is emitted if a callback is not passed to async file system methods [#7897](https://github.com/nodejs/node/pull/7897).
* Intl
  * Intl.v8BreakIterator constructor has been deprecated and will emit a process warning [#8908](https://github.com/nodejs/node/pull/8908).
* Promises
  * Unhandled Promise rejections have been deprecated and will emit a process warning [#8217](https://github.com/nodejs/node/pull/8217).
* Punycode
  * The `punycode` module has been deprecated [#7941](https://github.com/nodejs/node/pull/7941).
* URL
  * An Experimental WHATWG URL Parser has been introduced [#7448](https://github.com/nodejs/node/pull/7448).

PR-URL: https://github.com/nodejs/node/pull/9099
2016-10-25 06:53:36 -07:00
Myles Borins
4b65a65e75 2016-10-19, Version 6.9.1 'Boron' (LTS) Release
Notable changes:

* streams: Fix a regression introduced in v6.8.0 in readable stream
that caused unpipe to remove the wrong stream (Anna Henningsen)

PR-URL: https://github.com/nodejs/node/pull/9186
2016-10-19 23:30:15 +01:00
Jeremiah Senkpiel
252cc3d00b doc: v6 is now LTS rather than Current
PR-URL: https://github.com/nodejs/node/pull/9182
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
2016-10-19 19:26:31 +01:00
Jeremiah Senkpiel
e44eb0e6ce doc: fix some table problems in changelog.md
PR-URL: https://github.com/nodejs/node/pull/9183
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
2016-10-19 19:18:18 +01:00
Rod Vagg
0e6750d1cd 2016-10-18 Node.js v6.9.0 'Boron' (LTS) Release
This release marks the transition of Node.js v6 into Long Term Support
(LTS) with the codename 'Boron'. The v6 release line now moves in to
"Active LTS" and will remain so until April 2018. After that time it
will move in to "Maintenance" until end of life in April 2019.

This is also a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* crypto: Don't automatically attempt to load an OpenSSL configuration
  file, from the `OPENSSL_CONF` environment variable or from the
  default location for the current platform. Always triggering a
  configuration file load attempt may allow an attacker to load
  compromised OpenSSL configuration into a Node.js process if they are
  able to place a file in a default location. (Fedor Indutny, Rod Vagg)
* node: Introduce the `process.release.lts` property, set to `"Boron"`.
  This value is `"Argon"` for v4 LTS releases and `undefined` for all
  other releases. (Rod Vagg)
* V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
  The parser in V8 mishandled scopes, potentially allowing an attacker
  to obtain sensitive information from arbitrary memory locations via
  crafted JavaScript code. This vulnerability would require an
  attacker to be able to execute arbitrary JavaScript code in a
  Node.js process. (Rod Vagg)
* **v8_inspector**: Generate a UUID for each execution of the
  inspector. This provides additional security to prevent unauthorized
  clients from connecting to the Node.js process via the v8_inspector
  port when running with `--inspect`. Since the debugging protocol
  allows extensive access to the internals of a running process, and
  the execution of arbitrary code, it is important to limit
  connections to authorized tools only. Vulnerability originally
  reported by Jann Horn. (Eugene Ostroukhov)

PR-URL: https://github.com/nodejs/node-private/pull/81
2016-10-19 04:22:07 +11:00
Rod Vagg
83c7a8897c 2016-10-18, Version 4.6.1 'Argon' (LTS)
This is a security release. All Node.js users should consult the security
release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
  information at https://c-ares.haxx.se/adv_20160929.html (Daniel Stenberg)

PR-URL: https://github.com/nodejs/node/pull/9153
2016-10-19 04:01:02 +11:00
Rod Vagg
107f77594b 2016-10-18 Version 0.10.48 (Maintenance) Release
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
  information at https://c-ares.haxx.se/adv_20160929.html
  (Rod Vagg)

PR-URL: https://github.com/nodejs/node/pull/9154
2016-10-19 04:00:57 +11:00
Rod Vagg
26e2f0d9e4 2016-10-18 Version 0.12.17 (Maintenance) Release
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
  information at https://c-ares.haxx.se/adv_20160929.html
  (Daniel Stenberg)

PR-URL: https://github.com/nodejs/node/pull/9147
2016-10-19 04:00:49 +11:00
Evan Lucas
113c697ded 2016-10-14, Version 6.8.1 (Current)
* build: Fix building with shared zlib. (Bradley T. Hughes) [#9077](https://github.com/nodejs/node/pull/9077)
* stream: fix `Writable` subclass instanceof checks (Anna Henningsen) [#9088](https://github.com/nodejs/node/pull/9088)
* timers: fix regression with clearImmediate() (Brian White) [#9086](https://github.com/nodejs/node/pull/9086)

PR-URL: https://github.com/nodejs/node/pull/9104
2016-10-14 19:36:43 -05:00
Jeremiah Senkpiel
e4ee09a5b3 2016-10-12, Version 6.8.0 (Current)
* fs:
  - `SyncWriteStream` now inherits from `Stream.Writable`. (Anna
Henningsen) https://github.com/nodejs/node/pull/8830
    - Practically, this means that when stdio is piped to a file,
stdout and stderr will still be `Writable` streams.
  - `fs.existsSync()` has been undeprecated. `fs.exists()` remains
deprecated. (Dan Fabulich) https://github.com/nodejs/node/pull/8364
* http: `http.request()` now accepts a `timeout` option. (Rene Weber)
https://github.com/nodejs/node/pull/8101
* module: The module loader now maintains its own realpath cache. (Anna
Henningsen) https://github.com/nodejs/node/pull/8100
* npm: Upgraded to 3.10.8 (Kat Marchán)
https://github.com/nodejs/node/pull/8706
* stream: `Duplex` streams now show proper `instanceof
Stream.Writable`. (Anna Henningsen)
https://github.com/nodejs/node/pull/8834
* timers: Improved `setTimeout`/`Interval` performance by up to 22%.
(Brian White) https://github.com/nodejs/node/pull/8661

PR-URL: https://github.com/nodejs/node/pull/9034
2016-10-12 16:16:56 -04:00
Evan Lucas
aae1862385 2016-09-27, Version 6.7.0 (Current)
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.

Notable Changes

Semver Minor:

* openssl:
  - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
    CVE-2016-6304 ("OCSP Status Request extension unbounded memory
    growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
    (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
  - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
    a crash when using CRLs, CVE-2016-7052.
    (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
  - Remove support for loading dynamic third-party engine modules.
    An attacker may be able to hide malicious code to be inserted
    into Node.js at runtime by masquerading as one of the dynamic
    engine modules. Originally reported by Ahmed Zaki (Skype).
    (Ben Noordhuis) https://github.com/nodejs/node-private/pull/73
* http: CVE-2016-5325 - Properly validate for allowable characters in
  the `reason` argument in `ServerResponse#writeHead()`. Fixes a
  possible response splitting attack vector. This introduces a new
  case where `throw` may occur when configuring HTTP responses, users
  should already be adopting try/catch here. Originally reported
  independently by Evan Lucas and Romain Gaucher.
  (Evan Lucas) https://github.com/nodejs/node-private/pull/60

Semver Patch:

* buffer: Zero-fill excess bytes in new `Buffer` objects created with
  `Buffer.concat()` while providing a `totalLength` parameter that
  exceeds the total length of the original `Buffer` objects being
  concatenated.
  (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/64
* src: Fix regression where passing an empty password and/or salt to
  crypto.pbkdf2() would cause a fatal error
  (Rich Trott) https://github.com/nodejs/node/pull/8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
  check whereby a TLS server may be able to serve an invalid wildcard
  certificate for its hostname due to improper validation of `*.` in the
  wildcard string. Originally reported by Alexander Minozhenko and
  James Bunton (Atlassian).
  (Ben Noordhuis) https://github.com/nodejs/node-private/pull/75
* v8: Fix regression where a regex on a frozen object was broken
  (Myles Borins) https://github.com/nodejs/node/pull/8673
2016-09-27 19:45:55 -05:00
Rod Vagg
eba39c4bc6 2016-09-27, Version 4.6.0 'Argon' (LTS)
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.

Notable Changes

Semver Minor:

* openssl:
  - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
    CVE-2016-6304 ("OCSP Status Request extension unbounded memory
    growth", high severity), CVE-2016-2183, CVE-2016-6303,
    CVE-2016-2178 and CVE-2016-6306.
    (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
  - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
    a crash when using CRLs, CVE-2016-7052.
    (Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
  - Remove support for loading dynamic third-party engine modules.
    An attacker may be able to hide malicious code to be inserted into
    Node.js at runtime by masquerading as one of the dynamic engine
    modules. Originally reported by Ahmed Zaki (Skype).
    (Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
  the `reason` argument in `ServerResponse#writeHead()`. Fixes a
  possible response splitting attack vector. This introduces a new
  case where `throw` may occur when configuring HTTP responses, users
  should already be adopting try/catch here. Originally reported
  independently by Evan Lucas and Romain Gaucher.
  (Evan Lucas) https://github.com/nodejs/node-private/pull/46

Semver Patch:

* buffer: Zero-fill excess bytes in new `Buffer` objects created with
  `Buffer.concat()` while providing a `totalLength` parameter that
  exceeds the total length of the original `Buffer` objects being
  concatenated.
  (Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
  check whereby a TLS server may be able to serve an invalid wildcard
  certificate for its hostname due to improper validation of `*.` in
  the wildcard string. Originally reported by Alexander Minozhenko and
  James Bunton (Atlassian).
  (Ben Noordhuis) https://github.com/nodejs/node-private/pull/63

PR-URL: https://github.com/nodejs/node-private/pull/74
2016-09-28 10:42:18 +10:00
Rod Vagg
e686be90bb 2016-09-27 Version 0.12.16 (Maintenance) Release
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* buffer: Zero-fill excess bytes in new `Buffer` objects created with
  `Buffer.concat()` while providing a `totalLength` parameter that
  exceeds the total length of the original `Buffer` objects being
  concatenated. (Сковорода Никита Андреевич)
* http:
  - CVE-2016-5325 - Properly validate for allowable characters in the
    `reason` argument in `ServerResponse#writeHead()`. Fixes a
    possible response splitting attack vector. This introduces a new
    case where `throw` may occur when configuring HTTP responses,
    users should already be adopting try/catch here. Originally
    reported independently by Evan Lucas and Romain Gaucher.
    (Evan Lucas)
  - Invalid status codes can no longer be sent. Limited to 3 digit
    numbers between 100 - 999. Lack of proper validation may also
    serve as a potential response splitting attack vector. Backported
    from v4.x. (Brian White)
* openssl:
  - Upgrade to 1.0.1u, fixes a number of defects impacting Node.js:
    CVE-2016-6304 ("OCSP Status Request extension unbounded memory
    growth", high severity), CVE-2016-2183, CVE-2016-6303,
    CVE-2016-2178 and CVE-2016-6306.
  - Remove support for loading dynamic third-party engine modules.
    An attacker may be able to hide malicious code to be inserted
    into Node.js at runtime by masquerading as one of the dynamic
    engine modules. Originally reported by Ahmed Zaki (Skype).
    (Ben Noordhuis, Rod Vagg)
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
  check whereby a TLS server may be able to serve an invalid wildcard
  certificate for its hostname due to improper validation of `*.` in
  the wildcard string. Originally reported by Alexander Minozhenko
  and James Bunton (Atlassian). (Ben Noordhuis)

PR-URL: https://github.com/nodejs/node-private/pull/72
2016-09-28 10:38:33 +10:00
Rod Vagg
f5ee3fe10e 2016-09-27 Version 0.10.47 (Maintenance) Release
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.

Notable changes:

* buffer: Zero-fill excess bytes in new `Buffer` objects created with
  `Buffer.concat()` while providing a `totalLength` parameter that
  exceeds the total length of the original `Buffer` objects being
  concatenated. (Сковорода Никита Андреевич)
* http:
  - CVE-2016-5325 - Properly validate for allowable characters in the
    `reason` argument in `ServerResponse#writeHead()`. Fixes a
    possible response splitting attack vector. This introduces a new
    case where `throw` may occur when configuring HTTP responses,
    users should already be adopting try/catch here. Originally
    reported independently by Evan Lucas and Romain Gaucher.
    (Evan Lucas)
  - Invalid status codes can no longer be sent. Limited to 3 digit
    numbers between 100 - 999. Lack of proper validation may also
    serve as a potential response splitting attack vector. Backported
    from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting
  Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded
  memory growth", high severity), CVE-2016-2183, CVE-2016-6303,
  CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
  check whereby a TLS server may be able to serve an invalid wildcard
  certificate for its hostname due to improper validation of `*.` in
  the wildcard string. Originally reported by Alexander Minozhenko
  and James Bunton (Atlassian). (Ben Noordhuis)

PR-URL: https://github.com/nodejs/node-private/pull/71
2016-09-28 10:35:20 +10:00
Jeremiah Senkpiel
ea2a309e3b 2016-09-14, Version 6.6.0 (Current)
Notable changes:

* crypto: Added `crypto.timingSafeEqual()`. (not-an-aardvark)
https://github.com/nodejs/node/pull/8304
* events: Made the "max event listeners" memory leak warning more
accessible. (Anna Henningsen) https://github.com/nodejs/node/pull/8298
* promises: Unhandled rejections now emit a process warning after the
first tick. (Benjamin Gruenbaum)
https://github.com/nodejs/node/pull/8223
* repl: Added auto alignment for `.editor` mode. (Prince J Wesley)
https://github.com/nodejs/node/pull/8241
* util: Some functionality has been added to `util.inspect()`:
- Returning `this` from a custom inspect function now works. (Anna
Henningsen) https://github.com/nodejs/node/pull/8174
- Added support for Symbol-based custom inspection methods. (Anna
Henningsen) https://github.com/nodejs/node/pull/8174

Refs: https://github.com/nodejs/node/issues/8428
Refs: https://github.com/nodejs/node/pull/8457
PR-URL: https://github.com/nodejs/node/pull/8466
2016-09-15 14:00:09 -07:00
Evan Lucas
0482d6d592 2016-08-26, Version 6.5.0 (Current)
Notable changes:

* **buffer**: Fix regression introduced in v6.4.0 that prevented .write() at buffer end (Anna Henningsen) https://github.com/nodejs/node/pull/8154
* **deps**: update V8 to 5.1.281.75 (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/8054
* **inspector**:
  * fix inspector hang while disconnecting (Aleksei Koziatinskii) https://github.com/nodejs/node/pull/8021
  * add support for uncaught exception (Aleksei Koziatinskii) https://github.com/nodejs/node/pull/8043
* **repl**: Fix saving editor mode text in `.save` (Prince J Wesley) https://github.com/nodejs/node/pull/8145
* ***Revert*** "**repl,util**: insert carriage returns in output" (Evan Lucas) https://github.com/nodejs/node/pull/8143

PR-URL: https://github.com/nodejs/node/pull/8253
2016-08-26 11:22:58 -05:00
Myles Borins
e7bd4d2597 2016-08-15, Version 4.5.0 'Argon' (LTS)
Notable Changes:

Semver Minor:

* buffer:
 * backport new buffer constructor APIs to v4.x
   (Сковорода Никита Андреевич)
   https://github.com/nodejs/node/pull/7562
 * backport --zero-fill-buffers cli option (James M Snell)
   https://github.com/nodejs/node/pull/5745
* build:
  * add Intel Vtune profiling support (Chunyang Dai)
    https://github.com/nodejs/node/pull/5527
* repl:
  * copying tabs shouldn't trigger completion (Eugene Obrezkov)
    https://github.com/nodejs/node/pull/5958
* src:
  * add node::FreeEnvironment public API (Cheng Zhao)
    https://github.com/nodejs/node/pull/3098
* test:
  * run v8 tests from node tree (Bryon Leung)
    https://github.com/nodejs/node/pull/4704
* V8:
  * Add post mortem data to improve object inspection and function's
    context variables inspection (Fedor Indutny)
    https://github.com/nodejs/node/pull/3779

Semver Patch:

* **buffer**:
  * ignore negative allocation lengths (Anna Henningsen)
    https://github.com/nodejs/node/pull/7562
* **crypto**:
  * update root certificates (Ben Noordhuis)
    https://github.com/nodejs/node/pull/7363
* **libuv**:
  * upgrade libuv to 1.9.1 (Saúl Ibarra Corretgé)
    https://github.com/nodejs/node/pull/6796
  * upgrade libuv to 1.9.0 (Saúl Ibarra Corretgé)
    https://github.com/nodejs/node/pull/5994
* **npm**:
  * upgrade to 2.15.9 (Kat Marchán)
    https://github.com/nodejs/node/pull/7692
2016-08-16 12:09:23 -04:00
cjihrig
d83373d800 2016-08-15, Version 6.4.0 (Current)
Notable changes:

* build: zlib symbols and additional OpenSSL symbols are now exposed on Windows platforms. (Alex Hultman) https://github.com/nodejs/node/pull/7983 and https://github.com/nodejs/node/pull/7576
* child_process, cluster: Forked child processes and cluster workers now support stdio configuration. (Colin Ihrig) https://github.com/nodejs/node/pull/7811 and https://github.com/nodejs/node/pull/7838
* child_process: argv[0] can now be set to arbitrary values in spawned processes. (Pat Pannuto) https://github.com/nodejs/node/pull/7696
* fs: fs.ReadStream now exposes the number of bytes it has read so far. (Linus Unnebäck) https://github.com/nodejs/node/pull/7942
* repl: The REPL now supports editor mode. (Prince J Wesley) https://github.com/nodejs/node/pull/7275
* util: inspect() can now be configured globally using util.inspect.defaultOptions. (Roman Reiss) https://github.com/nodejs/node/pull/8013

Refs: https://github.com/nodejs/node/issues/8020
PR-URL: https://github.com/nodejs/node/pull/8070
2016-08-16 10:36:00 -04:00
Evan Lucas
c21a212bdc 2016-07-21, Version 6.3.1 (Current)
Notable changes:

* **buffer**:
  * Improve performance of Buffer.from(str, 'hex') and Buffer#write(str, 'hex'). (Christopher Jeffrey) https://github.com/nodejs/node/pull/7602
  * Fix creating from zero-length ArrayBuffer. (Ingvar Stepanyan) https://github.com/nodejs/node/pull/7176
* **deps**:
  * Upgrade to V8 5.0.71.xx. (Ben Noordhuis) https://github.com/nodejs/node/pull/7531
  * Backport V8 instanceof bugfix (Franziska Hinkelmann) https://github.com/nodejs/node/pull/7638
* **repl**: Fix issue with function redeclaration. (Prince J Wesley) https://github.com/nodejs/node/pull/7794
* **util**: Fix inspecting of boxed symbols. (Anna Henningsen) https://github.com/nodejs/node/pull/7641

PR-URL: https://github.com/nodejs/node/pull/7782
2016-07-21 17:33:00 -05:00
Jeremiah Senkpiel
7628031847 2016-07-06, Version 6.3.0 (Current)
Notable changes:

* buffer: Added `buffer.swap64()` to compliment `swap16()` &
`swap32()`. (Zach Bjornson) https://github.com/nodejs/node/pull/7157
* build: New `configure` options have been added for building Node.js
as a shared library. (Stefan Budeanu)
https://github.com/nodejs/node/pull/6994
  - The options are: `--shared`, `--without-v8-platform` &
`--without-bundled-v8`.
* crypto: Root certificates have been updated. (Ben Noordhuis)
https://github.com/nodejs/node/pull/7363
* debugger: The server address is now configurable via
`--debug=<address>:<port>`. (Ben Noordhuis)
https://github.com/nodejs/node/pull/3316
* npm: Upgraded npm to v3.10.3 (Kat Marchán)
https://github.com/nodejs/node/pull/7515 & (Rebecca Turner)
https://github.com/nodejs/node/pull/7410
* readline: Added the `prompt` option to the readline constructor.
(Evan Lucas) https://github.com/nodejs/node/pull/7125
* repl / vm: `sigint`/`ctrl+c` will now break out of infinite loops
without stopping the Node.js instance. (Anna Henningsen)
https://github.com/nodejs/node/pull/6635
* src:
  - Added a `node::FreeEnvironment` public C++ API. (Cheng Zhao)
https://github.com/nodejs/node/pull/3098
  - Refactored `require('constants')`, constants are now available
directly from their respective modules. (James M Snell)
https://github.com/nodejs/node/pull/6534
* stream: Improved `readable.read()` performance by up to 70%. (Brian
White) https://github.com/nodejs/node/pull/7077
* timers: `setImmediate()` is now up to 150% faster in some situations.
(Andras) https://github.com/nodejs/node/pull/6436
* util: Added a `breakLength` option to `util.inspect()` to control how
objects are formatted across lines. (cjihrig)
https://github.com/nodejs/node/pull/7499
* v8-inspector: Experimental support has been added for debugging
Node.js over the inspector protocol. (Ali Ijaz Sheikh)
https://github.com/nodejs/node/pull/6792
  - *Note: This feature is experimental, and it could be altered or
removed.*
  - You can try this feature by running Node.js with the `--inspect`
flag.

Refs: https://github.com/nodejs/node/pull/7441
PR-URL: https://github.com/nodejs/node/pull/7550
2016-07-06 20:00:46 +02:00
Myles Borins
21535e851c 2016-06-28, Version 4.4.7 'Argon' (LTS)
This LTS release comes with 89 commits. This includes 46 commits that
are docs related, 11 commits that are test related, 8 commits that are
build related, and 4 commits that are benchmark related.

Notable Changes:

- debugger:
  - All properties of an array (aside from length) can now be printed
    in the repl (cjihrig)
    https://github.com/nodejs/node/pull/6448
- npm:
  - Upgrade npm to 2.15.8 (Rebecca Turner)
    https://github.com/nodejs/node/pull/7412
- stream:
  - Fix for a bug that became more prevalent with the stream changes
    that landed in v4.4.5. (Anna Henningsen)
    https://github.com/nodejs/node/pull/7160
- V8:
  - Fix for a bug in crankshaft that was causing crashes on arm64
    (Myles Borins)
    https://github.com/nodejs/node/pull/7442
  - Add missing classes to postmortem info such as JSMap and JSSet
    (evan.lucas)
    https://github.com/nodejs/node/pull/3792
2016-06-28 15:53:44 -07:00
Myles Borins
9744928cf5 doc: fix layout problem in v4 changelog
The current layout is breaking the release post tool.

This commit also removed erroneous entires in the main CHANGELOG for
v4.4.6 and v5.12.0.

PR-URL: https://github.com/nodejs/node/pull/7394
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2016-06-27 10:42:16 -07:00
Evan Lucas
6a9438343b 2016-06-23, Version 5.12.0 (Stable)
Notable changes:

This is a security release. All Node.js users should consult the security
release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases
for details on patched vulnerabilities.

* **buffer**
  * backport allocUnsafeSlow (Сковорода Никита Андреевич) [#7169](https://github.com/nodejs/node/pull/7169)
  * ignore negative allocation lengths (Anna Henningsen) [#7221](https://github.com/nodejs/node/pull/7221)
* **deps**: backport 3a9bfec from v8 upstream (Ben Noordhuis) [nodejs/node-private#40](https://github.com/nodejs/node-private/pull/40)
  * Fixes a Buffer overflow vulnerability discovered in v8. More details
    can be found in the CVE (CVE-2016-1699).

PR-URL: https://github.com/nodejs/node-private/pull/51
2016-06-23 18:27:28 -05:00
Rod Vagg
fb146cecc3 2016-06-23 Version 0.12.15 (Maintenance) Release
This is a security release. All Node.js users should consult the security
release summary at
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ for
details on patched vulnerabilities.

Notable changes:

* libuv: (CVE-2014-9748) Fixes a bug in the read/write locks implementation for
  Windows XP and Windows 2003 that can lead to undefined and potentially unsafe
  behaviour. More information can be found at
  https://github.com/libuv/libuv/issues/515 or at
  https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
* V8: (CVE-2016-1669) Fixes a potential Buffer overflow vulnerability
  discovered in V8, more details can be found in the CVE at
  https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669 or at
  https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.

PR-URL: https://github.com/nodejs/node-private/pull/53
2016-06-24 09:19:52 +10:00
Rod Vagg
71b29bb8a9 2016-06-23 Version 0.10.46 (Maintenance) Release
This is a security release. All Node.js users should consult the security
release summary at
https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ for
details on patched vulnerabilities.

Notable changes:

* libuv: (CVE-2014-9748) Fixes a bug in the read/write locks implementation for
  Windows XP and Windows 2003 that can lead to undefined and potentially unsafe
  behaviour. More information can be found at
  https://github.com/libuv/libuv/issues/515 or at
  https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
* V8: (CVE-2016-1669) Fixes a potential Buffer overflow vulnerability discovered
  in V8, more details can be found in the CVE CVE-2016-1669 at
  https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669 or at
  https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.

Commits:

* [3374f57973] - deps: update libuv to 0.10.37 (Saúl Ibarra Corretgé) https://github.com/nodejs/node/pull/7293
* [fcb9145e29] - deps: backport 3a9bfec from v8 upstream (Myles Borins) https://github.com/nodejs/node-private/pull/43

PR-URL: https://github.com/nodejs/node-private/pull/52
2016-06-24 09:19:52 +10:00
Myles Borins
a9c34aeae7 2016-06-23, Version 4.4.6 'Argon' (LTS)
This is an important security release. All Node.js users should consult
the security release summary at nodejs.org for details on patched
vulnerabilities.

This release is specifically related to a Buffer overflow vulnerability
discovered in v8, more details can be found in the CVE
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669

PR-URL: https://github.com/nodejs/node-private/pull/41
2016-06-23 16:15:04 -07:00
Evan Lucas
e427150e75 2016-06-17, Version 6.2.2 (Current) Release
Notable changes:

* **http**:
  - req.read(0) could cause incoming connections to stall and time out
    under certain conditions. (Fedor Indutny) [#7211](https://github.com/nodejs/node/pull/7211)
  - When freeing the socket to be reused in keep-alive Agent wait for
    both prefinish and end events. Otherwise the next request may be
    written before the previous one has finished sending the body, leading
    to a parser errors. (Fedor Indutny) [#7149](https://github.com/nodejs/node/pull/7149)
* **npm**: upgrade npm to 3.9.5 (Kat Marchán) [#7139](https://github.com/nodejs/node/pull/7139)

PR-URL: https://github.com/nodejs/node/pull/7323
2016-06-17 10:48:07 -05:00
Rod Vagg
daafe2c65e 2016-06-02, Version 6.2.1 (Current)
* buffer: Ignore negative lengths in calls to Buffer() and
  Buffer.allocUnsafe(). This fixes a possible security concern
  (reported by Feross Aboukhadijeh) where user input is passed
  unchecked to the Buffer constructor or allocUnsafe() as it can
  expose parts of the memory slab used by other Buffers in the
  application. Note that negative lengths are not supported by the
  Buffer API and user input to the constructor should always be
  sanitised and type-checked.
  (Anna Henningsen) https://github.com/nodejs/node/pull/7030
* npm: Upgrade npm to 3.9.3
  (Kat Marchán) https://github.com/nodejs/node/pull/7030
* tty: Default to blocking mode for stdio on OS X. A bug fix
  in libuv 1.9.0, introduced in Node.js v6.0.0, exposed problems with
  Node's use of non-blocking stdio, particularly on OS X which has a
  small output buffer. This change should fix CLI applications that
  have been having problems with output since Node.js v6.0.0 on OS X.
  The core team is continuing to address stdio concerns that exist
  across supported platforms and progress can be tracked at
  https://github.com/nodejs/node/pull/6980.
  (Jeremiah Senkpiel) https://github.com/nodejs/node/pull/6895
* V8: Upgrade to V8 5.0.71.52. This includes a fix that addresses
  problems experienced by users of node-inspector since Node.js
  v6.0.0, see https://github.com/nodejs/node/issues/6980 for details.
  (Michaël Zasso) https://github.com/nodejs/node/pull/6928
2016-06-03 08:46:13 +10:00
Anna Henningsen
b5f76dbd3e
doc: fix broken references in changelogs
Some references to a few versions were broken, likely in part
due to the transition to a split changelog format.

PR-URL: https://github.com/nodejs/node/pull/6942
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
2016-05-26 00:51:38 +02:00
Myles Borins
e03c32696e 2016-05-24, Version 4.4.5 'Argon' (LTS)
Notable changes:

* **buffer**:
  * Buffer no longer errors if you call lastIndexOf with a search term
    longer than the buffer (Anna Henningsen)
    https://github.com/nodejs/node/pull/6511

* contextify:
  * Context objects are now properly garbage collected, this solves a
    problem some individuals were experiencing with extreme memory
    growth (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/6871

* deps:
  * update npm to 2.15.5 (Rebecca Turner)
    https://github.com/nodejs/node/pull/6663

* http:
  * Invalid status codes can no longer be sent. Limited to 3 digit
    numbers between 100 - 999 (Brian White)
    https://github.com/nodejs/node/pull/6291
2016-05-24 11:53:27 -07:00
Evan Lucas
26120e2eb0 2016-05-17, Version 6.2.0 (Stable)
- **buffer**: fix lastIndexOf and indexOf in various edge cases (Anna
  Henningsen) [#6511](https://github.com/nodejs/node/pull/6511)
- **child_process**: use /system/bin/sh on android (Ben Noordhuis)
  [#6745](https://github.com/nodejs/node/pull/6745)
- **deps**:
  - upgrade npm to 3.8.9 (Rebecca Turner)
    [#6664](https://github.com/nodejs/node/pull/6664)
  - upgrade to V8 5.0.71.47 (Ali Ijaz Sheikh)
    [#6572](https://github.com/nodejs/node/pull/6572)
  - upgrade libuv to 1.9.1 (Saúl Ibarra Corretgé)
    [#6796](https://github.com/nodejs/node/pull/6796)
  - Intl: ICU 57 bump (Steven R. Loomis)
    [#6088](https://github.com/nodejs/node/pull/6088)
- **repl**:
  - copying tabs shouldn't trigger completion (Eugene Obrezkov)
    [#5958](https://github.com/nodejs/node/pull/5958)
  - exports `Recoverable` (Blake Embrey)
    [#3488](https://github.com/nodejs/node/pull/3488)
- **src**: add O_NOATIME constant (Rich Trott)
  [#6492](https://github.com/nodejs/node/pull/6492)
- **src,module**: add --preserve-symlinks command line flag (James M
  Snell) [#6537](https://github.com/nodejs/node/pull/6537)
- **util**: adhere to `noDeprecation` set at runtime (Anna Henningsen)
  [#6683](https://github.com/nodejs/node/pull/6683)

As of this release the 6.X line now includes 64-bit binaries for Linux
on Power Systems running in big endian mode in addition to the existing
64-bit binaries for running in little endian mode.

PR-URL: https://github.com/nodejs/node/pull/6810
2016-05-17 16:09:13 -05:00
James M Snell
c663a6db05 doc: refactor the changelog by version
The changelog was getting rather huge and difficult
to manage. It also wasn't very useful in terms of
being able to quickly find specific Node.js versions,
or tracking the history for a single major release
stream.

This reorganizes the changelog by versions separated
out over multiple files. An index of the most recent
versions is provided in the main log.

PR-URL: https://github.com/nodejs/node/pull/6503
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Robert Lindstaedt <robert.lindstaedt@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
2016-05-11 09:25:45 -07:00
Rod Vagg
98b534ff5a 2016-05-06 Version 0.12.14 (Maintenance) Release
Notable changes:

* npm: Correct erroneous version number in v2.15.1 code
  (Forrest L Norvell) https://github.com/nodejs/node/pull/5988
* openssl: Upgrade to v1.0.1t, addressing security vulnerabilities
  (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
  - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check"
  - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow"
  - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/
    for full details
2016-05-06 23:54:00 +10:00
Rod Vagg
1ec421e122 2016-05-06 Version 0.10.45 (Maintenance) Release
Notable changes:

* npm: Correct erroneous version number in v2.15.1 code
  (Forrest L Norvell) https://github.com/nodejs/node/pull/5987
* openssl: Upgrade to v1.0.1t, addressing security vulnerabilities
  (Shigeki Ohtsu) https://github.com/nodejs/node/pull/6553
  - Fixes CVE-2016-2107 "Padding oracle in AES-NI CBC MAC check"
  - Fixes CVE-2016-2105 "EVP_EncodeUpdate overflow"
  - See https://nodejs.org/en/blog/vulnerability/openssl-may-2016/ for
    full details
2016-05-06 23:26:21 +10:00
Myles Borins
2bceda6493 doc: get rid of sneaky hard tabs in CHANGELOG
My editor did something strange. Sorry about that

PR-URL: https://github.com/nodejs/node/pull/6608
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2016-05-05 18:27:05 -07:00
Myles Borins
7c7e50f813 2016-05-05, Version 4.4.4 'Argon' (LTS)
Notable changes

* deps:
  * update openssl to 1.0.2h. (Shigeki Ohtsu)
    [#6551](https://github.com/nodejs/node/pull/6551)
    - Please see our blog postfor more info on the security
      contents of this release.
      https://nodejs.org/en/blog/vulnerability/openssl-may-2016/

PR-URL: https://github.com/nodejs/node/pull/6583
Reviewed-By: James M Snell <jasnell@gmail.com>
2016-05-05 17:18:39 -07:00
Jeremiah Senkpiel
b9ceb42ae2 2016-05-05, Version 6.1.0 (Current)
* assert: `deep{Strict}Equal()` now works correctly with circular
references. (Rich Trott) https://github.com/nodejs/node/pull/6432
* debugger: Arrays are now formatted correctly in the debugger repl.
(cjihrig) https://github.com/nodejs/node/pull/6448
* deps: Upgrade OpenSSL sources to 1.0.2h (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/6550
- Please see our blog post for more info on the security contents of
this release:
- https://nodejs.org/en/blog/vulnerability/openssl-may-2016/
* net: Introduced a `Socket#connecting` property. (Fedor Indutny)
https://github.com/nodejs/node/pull/6404
- Previously this information was only available as the undocumented,
internal `_connecting` property.
* process: Introduced `process.cpuUsage()`. (Patrick Mueller)
https://github.com/nodejs/node/pull/6157
* stream: `Writable#setDefaultEncoding()` now returns `this`.
(Alexander Makarenko) https://github.com/nodejs/node/pull/5040
* util: Two new additions to `util.inspect()`:
- Added a `maxArrayLength` option to truncate the formatting of
Arrays. (James M Snell) https://github.com/nodejs/node/pull/6334
- This is set to `100` by default.
- Added a `showProxy` option for formatting proxy intercepting
handlers. (James M Snell) https://github.com/nodejs/node/pull/6465
- Inspecting proxies is non-trivial and as such this is off by
default.

PR-URL: https://github.com/nodejs/node/pull/6557
2016-05-05 19:23:28 -04:00
Evan Lucas
a465627210 2016-05-05, Version 5.11.1 (Stable)
Notable changes

* buffer: safeguard against accidental kNoZeroFill (Сковорода Никита Андреевич) [nodejs/node-private#35](https://github.com/nodejs/node-private/pull/35)
* deps: upgrade openssl sources to 1.0.2h (Shigeki Ohtsu) [#6552](https://github.com/nodejs/node/pull/6552)
2016-05-05 17:55:40 -05:00
James M Snell
b8f035b07c doc: fix v6 changelog
Not quite sure how, but quite a few of the commits were missing
from the original changelog generated for v6 relative to v5.11.0.
This updates the change log.

PR-URL: https://github.com/nodejs/node/pull/6435
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
2016-04-29 11:17:19 -07:00
Myles Borins
cc5d9767af meta: split CHANGELOG into two files
The unfortunate has happened, our CHANGELOG is now over 1 MB and cannot
be viewed on github. This commit breaks the CHANGELOG into two files
so that we can continue to show our changes rendered in the github UI.

Closes: https://github.com/nodejs/node/issues/5533

PR-URL: https://github.com/nodejs/node/pull/6337
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Roman Reiss <me@silverwind.io>
2016-04-26 13:16:01 -07:00
James M Snell
1a29a5773a 2016-04-26, Version 6.0.0 (Current) Release
The following significant (semver-major) changes have been made since the
previous Node v5.0.0 release.

* Buffer
  * New Buffer constructors have been added
    [#4682](https://github.com/nodejs/node/pull/4682)
  * Previously deprecated Buffer APIs are removed
    [#5048](https://github.com/nodejs/node/pull/5048),
    [#4594](https://github.com/nodejs/node/pull/4594)
  * Improved error handling [#4514](https://github.com/nodejs/node/pull/4514)
* Cluster
  * Worker emitted as first argument in 'message' event
    [#5361](https://github.com/nodejs/node/pull/5361).
* Crypto
  * Improved error handling [#3100](https://github.com/nodejs/node/pull/3100),
    [#5611](https://github.com/nodejs/node/pull/5611)
  * Simplified Certificate class bindings
    [#5382](https://github.com/nodejs/node/pull/5382)
  * Improved control over FIPS mode
    [#5181](https://github.com/nodejs/node/pull/5181)
  * pbkdf2 digest overloading is deprecated
    [#4047](https://github.com/nodejs/node/pull/4047)
* Dependencies
  * Reintroduce shared c-ares build support
    [#5775](https://github.com/nodejs/node/pull/5775).
  * V8 updated to 5.0.71.31 [#6111](https://github.com/nodejs/node/pull/6111).
* DNS
  * Add resolvePtr API to query plain DNS PTR records
    [#4921](https://github.com/nodejs/node/pull/4921).
* Domains
  * Clear stack when no error handler
  [#4659](https://github.com/nodejs/node/pull/4659).
* File System
  * The `fs.realpath()` and `fs.realpathSync()` methods have been updated
    to use a more efficient libuv implementation. This change includes the
    removal of the `cache` argument and the method can throw new errors
    [#3594](https://github.com/nodejs/node/pull/3594)
  * FS apis can now accept and return paths as Buffers
    [#5616](https://github.com/nodejs/node/pull/5616).
  * Error handling and type checking improvements
    [#5616](https://github.com/nodejs/node/pull/5616),
    [#5590](https://github.com/nodejs/node/pull/5590),
    [#4518](https://github.com/nodejs/node/pull/4518),
    [#3917](https://github.com/nodejs/node/pull/3917).
  * fs.read's string interface is deprecated
    [#4525](https://github.com/nodejs/node/pull/4525)
* HTTP
  * 'clientError' can now be used to return custom errors from an
    HTTP server [#4557](https://github.com/nodejs/node/pull/4557).
* Modules
  * Current directory is now prioritized for local lookups
    [#5689](https://github.com/nodejs/node/pull/5689)
  * Symbolic links are preserved when requiring modules
    [#5950](https://github.com/nodejs/node/pull/5950)
* Net
  * DNS hints no longer implicitly set
    [#6021](https://github.com/nodejs/node/pull/6021).
  * Improved error handling and type checking
    [#5981](https://github.com/nodejs/node/pull/5981),
    [#5733](https://github.com/nodejs/node/pull/5733),
    [#2904](https://github.com/nodejs/node/pull/2904)
* OS X
  * MACOSX_DEPLOYMENT_TARGET has been bumped up to 10.7
    [#6402](https://github.com/nodejs/node/pull/6402).
* Path
  * Improved type checking [#5348](https://github.com/nodejs/node/pull/5348).
* Process
  * Introduce process warnings API
    [#4782](https://github.com/nodejs/node/pull/4782).
  * Throw exception when non-function passed to nextTick
    [#3860](https://github.com/nodejs/node/pull/3860).
* Readline
  * Emit key info unconditionally
    [#6024](https://github.com/nodejs/node/pull/6024)
* REPL
  * Assignment to `_` will emit a warning.
    [#5535](https://github.com/nodejs/node/pull/5535)
* Timers
  * Fail early when callback is not a function
    [#4362](https://github.com/nodejs/node/pull/4362)
* TLS
  * Rename 'clientError' to 'tlsClientError'
    [#4557](https://github.com/nodejs/node/pull/4557)
  * SHA1 used for sessionIdContext
    [#3866](https://github.com/nodejs/node/pull/3866)
* TTY
  * Previously deprecated setRawMode wrapper is removed
    [#2528](https://github.com/nodejs/node/pull/2528).
* Util
  * Changes to Error object formatting
    [#4582](https://github.com/nodejs/node/pull/4582).
* Windows
  * Windows XP and Vista are no longer supported
    [#5167](https://github.com/nodejs/node/pull/5167),
    [#5167](https://github.com/nodejs/node/pull/5167).
2016-04-26 13:05:32 -07:00
Minqi Pan
879aeb5e49 doc: add Minqi Pan to collaborators
Also changed alias P.S.V.R to Minqi Pan.

Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/6387
2016-04-26 14:24:21 +08:00
Myles Borins
1fa8fce210 2016-04-20, Version 5.11.0 (Stable) Release
Buffer:
  * Buffer.prototype.compare can now compare sub-ranges of two Buffers
   (James M Snell) https://github.com/nodejs/node/pull/5880

deps:
  * update to http-parser 2.7.0
    (Fedor Indutny) https://github.com/nodejs/node/pull/6279
  * update ESLint to 2.7.0
    (silverwind) https://github.com/nodejs/node/pull/6132

net:
  * adds support for passing DNS lookup hints to createConnection()
    (Colin Ihrig) https://github.com/nodejs/node/pull/6000

node:
  * Make the builtin libraries available for the --eval and --print
    CLI options
    (Anna Henningsen) https://github.com/nodejs/node/pull/6207

npm:
  * upgrade npm to 3.8.6
    (Kat Marchán) https://github.com/nodejs/node/pull/6153

repl:
  * Pressing enter in the repl will repeat the last command by default
    if no input has been received. This behaviour was in node
    previously and was not removed intentionally.
    (Rich Trott) https://github.com/nodejs/node/pull/6090

src:
  * add SIGINFO to supported signals
    (James Reggio) https://github.com/nodejs/node/pull/6093

streams:
  * Fix a regression that caused by net streams requesting multiple
    chunks synchronously when combined with cork/uncork
    (Matteo Collina) https://github.com/nodejs/node/pull/6164

zlib:
  * The flushing flag is now configurable allowing for decompression
    of partial data
    (Anna Henningsen) https://github.com/nodejs/node/pull/6069

PR-URL: https://github.com/nodejs/node/pull/6322
2016-04-21 13:34:57 -07:00
Vladimir Varankin
31524d7310 doc: fix a typo in 5.10.1's changelog
PR-URL: https://github.com/nodejs/node/pull/6076
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2016-04-07 09:51:25 -07:00
Myles Borins
82d57d39ae 2016-04-05, Version 5.10.1 (Stable) Release
Notable changes:

http:
  * Enclose IPv6 Host header in square brackets. This will enable
  proper seperation of the host adress from any port reference
  (Mihai Potra) https://github.com/nodejs/node/pull/5314

path:
  * Make win32.isAbsolute more consistent (Brian White)
  https://github.com/nodejs/node/pull/6028

PR-URL: https://github.com/nodejs/node/pull/6060
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
2016-04-05 16:29:11 -07:00
Rod Vagg
5fc6938cff 2016-03-31 Version 0.10.44 (Maintenance) Release
Notable changes:

* npm: Upgrade to v2.15.1. IMPORTANT: This is a major upgrade to npm
  v2 LTS from the previously deprecated npm v1. (Forrest L Norvell)
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
  authentication tokens in HTTP requests that would allow an attacker
  to set up a server that could collect tokens from users of the
  command-line interface. Authentication tokens have previously been
  sent with every request made by the CLI for logged-in users,
  regardless of the destination of the request. This update fixes this
  by only including those tokens for requests made against the
  registry or registries used for the current install. IMPORTANT:
  This is a major upgrade to npm v2 LTS from the previously deprecated
  npm v1. (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
  are obsolete and not considered safe. This release of Node.js turns
  on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
  included in these lists which can be used in SSLv3 and higher. Full
  details can be found in our LTS discussion on the matter
  (https://github.com/nodejs/LTS/issues/85).
  (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712

PR-URL: https://github.com/nodejs/node/pull/5968
2016-03-31 22:20:21 -07:00
Rod Vagg
4882ec4e36 2016-03-31 Version 0.12.13 (LTS) Release
Notable changes:

* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
  authentication tokens in HTTP requests that would allow an attacker
  to set up a server that could collect tokens from users of the
  command-line interface. Authentication tokens have previously been
  sent with every request made by the CLI for logged-in users,
  regardless of the destination of the request. This update fixes this
  by only including those tokens for requests made against the
  registry or registries used for the current install.
  (Forrest L Norvell) https://github.com/nodejs/node/pull/5967
* openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they
  are obsolete and not considered safe. This release of Node.js turns
  on `OPENSSL_NO_WEAK_SSL_CIPHERS` to fully disable the 27 ciphers
  included in these lists which can be used in SSLv3 and higher. Full
  details can be found in our LTS discussion on the matter
  (https://github.com/nodejs/LTS/issues/85).
  (Shigeki Ohtsu) https://github.com/nodejs/node/pull/5712

PR-URL: https://github.com/nodejs/node/pull/5967
2016-03-31 22:18:24 -07:00
Evan Lucas
64c87e2cf4 2016-03-31 Version 5.10.0 (Stable) Release
Notable changes:

* buffer:
  * make byteLength work with ArrayBuffer & DataView (Jackson Tian)
[#5255](https://github.com/nodejs/node/pull/5255)
  * backport --zero-fill-buffers command line option (James M Snell)
[#5744](https://github.com/nodejs/node/pull/5744)
  * backport new buffer constructor APIs (James M Snell)
[#5763](https://github.com/nodejs/node/pull/5763)
  * add swap16() and swap32() methods (James M Snell)
[#5724](https://github.com/nodejs/node/pull/5724)
* fs: add the fs.mkdtemp() function. (Florian MARGAINE)
[#5333](https://github.com/nodejs/node/pull/5333)
* net: emit host in lookup event (HUANG Wei)
[#5598](https://github.com/nodejs/node/pull/5598)
* node: --no-browser-globals configure flag (Fedor Indutny)
[#5853](https://github.com/nodejs/node/pull/5853)
* npm: Upgrade to v3.8.3. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an attacker to
set up a server that could collect tokens from users of the command-line
interface. Authentication tokens have previously been sent with every
request made by the CLI for logged-in users, regardless of the destination
of the request. This update fixes this by only including those tokens
for requests made against the registry or registries used for the
current install. (Forrest L Norvell)
[npm/node#6](https://github.com/npm/node/pull/6)
* repl: support standalone blocks (Prince J Wesley)
[#5581](https://github.com/nodejs/node/pull/5581)
* src: override v8 thread defaults using cli options (Tom Gallacher)
[#4344](https://github.com/nodejs/node/pull/4344)

PR-URL: https://github.com/nodejs/node/pull/5970
2016-03-31 22:29:46 -05:00
Myles Borins
05510211a6 2016-03-31, Version v4.4.2 'Argon' (LTS)
Notable Changes

* https:
  - Under certain conditions ssl sockets may have been causing a memory
  leak when keepalive is enabled. This is no longer the case.
    - (Alexander Penev) https://github.com/nodejs/node/pull/5713

* lib:
  - The way that we were internally passing arguments was causing a
  potential leak. By copying the arguments into an array we can avoid this
    - (Nathan Woltman) https://github.com/nodejs/node/pull/4361

* npm:
  - Upgrade to v2.15.1. Fixes a security flaw in the use of authentication
  tokens in HTTP requests that would allow an attacker to set up a server
  that could collect tokens from users of the command-line interface.
  Authentication tokens have previously been sent with every request made
  by the CLI for logged-in users, regardless of the destination of the
  request. This update fixes this by only including those tokens for
  requests made against the registry or registries used for the current
  install. (Forrest L Norvell)

* repl:
  - Previously if you were using the repl in strict mode the column number
  would be wrong in a stack trace. This is no longer an issue.
    - (Prince J Wesley) https://github.com/nodejs/node/pull/5416

PR-URL: https://github.com/nodejs/node/pull/5961
2016-03-31 18:36:56 -07:00
Jeremiah Senkpiel
80ec0cc4d8 2016-03-23, Version 5.9.1 (Stable)
Notable changes:

* buffer: Now properly throws RangeErrors on out-of-bounds writes (Matt
Loring) https://github.com/nodejs/node/pull/5605
  - This effects write{Float|Double} when the noAssert option is not
used.
* timers:
  - Returned timeout objects now have a Timeout constructor name
(Jeremiah Senkpiel) https://github.com/nodejs/node/pull/5793
  - Performance of Immediate processing is now ~20-40% faster (Brian
White) https://github.com/nodejs/node/pull/4169
* vm: Fixed a contextify regression introduced in v5.9.0 (Ali Ijaz
Sheikh) https://github.com/nodejs/node/pull/5800

PR-URL: https://github.com/nodejs/node/pull/5831
2016-03-24 10:11:19 -04:00
Myles Borins
2c672891e1 2016-03-22, Version v4.4.1 'Argon' (LTS)
This LTS release comes with 113 commits, 56 of which are doc related,
18 of which are build / tooling related, 16 of which are test related
and 7 which are benchmark related.

Notable Changes:

* build:
  - Updated Logos for the OSX + Windows installers
    - (Rod Vagg) https://github.com/nodejs/node/pull/5401
    - (Robert Jefe Lindstaedt) https://github.com/nodejs/node/pull/5531
  - New option to select your VS Version in the Windows installer
    - (julien.waechter) https://github.com/nodejs/node/pull/4645
  - Support Visual C++ Build Tools 2015
    - (João Reis) https://github.com/nodejs/node/pull/5627
* tools:
  - Gyp now works on OSX without XCode
    - (Shigeki Ohtsu) https://github.com/nodejs/node/pull/1325

PR-URL: https://github.com/nodejs/node/pull/5835
2016-03-22 15:56:16 -07:00
Evan Lucas
e7039dbd94 2016-03-16, Version 5.9.0 (Stable)
Notable changes:

* **contextify**: Fixed a memory consumption issue related to heavy use
of `vm.createContext` and `vm.runInNewContext`. (Ali Ijaz Sheikh)
https://github.com/nodejs/node/pull/5392
* **governance**: The following members have been added as
collaborators:
  - Andreas Madsen (@AndreasMadsen)
  - Benjamin Gruenbaum (@benjamingr)
  - Claudio Rodriguez (@claudiorodriguez)
  - Glen Keane (@thekemkid)
  - Jeremy Whitlock (@whitlockjc)
  - Matt Loring (@matthewloring)
  - Phillip Johnsen (@phillipj)
* **lib**: copy arguments object instead of leaking it (Nathan Woltman)
https://github.com/nodejs/node/pull/4361
* **src**: allow combination of -i and -e cli flags (Rich Trott)
https://github.com/nodejs/node/pull/5655
* **v8**: backport fb4ccae from v8 upstream (Vladimir Krivosheev) #4231
  -  breakout events from v8 to offer better support for external
     debuggers
* **zlib**: add support for concatenated members (Kári Tristan
Helgason) https://github.com/nodejs/node/pull/5120

PR-URL: https://github.com/nodejs/node/pull/5702
2016-03-16 16:41:20 -05:00
Jeremiah Senkpiel
3c8475241d 2016-03-08, Version 5.8.0 (Stable)
Notable changes:

* child_process: “send()” now accepts an options parameter (cjihrig)
https://github.com/nodejs/node/pull/5283
- Currently the only option is “keepOpen”, which keeps the underlying
socket open after the message is sent.
* constants: “ENGINE_METHOD_RSA” is now correctly exposed (Sam Roberts)
https://github.com/nodejs/node/pull/5463
* Fixed two regressions which originated in v5.7.0:
  - http: Errors inside of http client callbacks now propagate
correctly (Trevor Norris) https://github.com/nodejs/node/pull/5591
  - path: Fixed normalization of absolute paths (Evan Lucas)
https://github.com/nodejs/node/pull/5589
* repl: “start()” no longer requires an options parameter (cjihrig)
https://github.com/nodejs/node/pull/5388
* util: Improved “format()” performance 50-300% (Evan Lucas)
https://github.com/nodejs/node/pull/5360

PR-URL: https://github.com/nodejs/node/pull/5559
2016-03-09 10:54:16 -05:00
Myles Borins
9277aed48a 2016-03-08, Version 4.4.0 'Argon' (LTS)
In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.

This release also includes over 70 fixes to our docs and over 50 fixes to tests.

The SEMVER-MINOR changes include:
  * deps:
    - An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/3609
  * http:
    - A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) https://github.com/nodejs/node/pull/4482
  * src:
    - Better support for Big-Endian systems (Bryon Leung) https://github.com/nodejs/node/pull/3410
  * tls:
    - A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) https://github.com/nodejs/node/pull/2441
  * tools
    - a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) https://github.com/nodejs/node/pull/4021

Notable semver patch changes include:

  * buld:
    - Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) https://github.com/nodejs/node/pull/4841
  * https:
    - A potential fix for https://github.com/nodejs/node/issues/3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) https://github.com/nodejs/node/pull/4982
  * installer:
    - More readable profiling information from isolate tick logs (Matt Loring) https://github.com/nodejs/node/pull/3032
  * *npm:
    - upgrade to npm 2.14.20 (Kat Marchán) https://github.com/nodejs/node/pull/5510
  * process:
    - Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) https://github.com/nodejs/node/pull/4798
  * querystring:
    - querystring.parse() is now 13-22% faster! (Brian White) https://github.com/nodejs/node/pull/4675
  * streams:
    - performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) https://github.com/nodejs/node/pull/4354
  * tools:
    - eslint has been updated to version 2.1.0 (Rich Trott) https://github.com/nodejs/node/pull/5214

PR-URL: https://github.com/nodejs/node/pull/5301
2016-03-08 22:51:39 -08:00
Rod Vagg
46170bca24 2016-03-08 Version 0.12.12 (LTS) Release
Notable changes:

* openssl: Fully remove SSLv2 support, the `--enable-ssl2` command
  line argument will now produce an error. The DROWN Attack
  (https://drownattack.com/) creates a vulnerability where SSLv2 is
  enabled by a server, even if a client connection is not using SSLv2.
  The SSLv2 protocol is widely considered unacceptably broken and
  should not be supported. More information is available at
  https://www.openssl.org/news/vulnerabilities.html#2016-0800

Note that the upgrade to OpenSSL 1.0.1s in Node.js v0.12.11 removed
internal SSLv2 support. The change in this release was originally
intended for v0.12.11. The `--enable-ssl2` command line argument now
produces an error rather than being a no-op.

PR-URL: https://github.com/nodejs/nodejs.org/pull/562
2016-03-09 14:29:06 +11:00
Rod Vagg
8938355398 2016-03-04 Version 0.10.43 (Maintenance) Release
Notable changes:

* http_parser: Update to http-parser 1.2 to fix an unintentionally
  strict limitation of allowable header characters.
  (James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
  - Prevent an exit due to an exception being thrown rather than
  emitting an 'uncaughtException' event on the `process` object when
  no error handler is set on the domain within which an error is
  thrown and an 'uncaughtException' event listener is set on
  `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
  - Fix an issue where the process would not abort in the proper
  function call if an error is thrown within a domain with no error
  handler and `--abort-on-uncaught-exception` is used.
  (Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
  (Ben Noordhuis) https://github.com/nodejs/node/pull/5508
  - Fix a double-free defect in parsing malformed DSA keys that may
    potentially be used for DoS or memory corruption attacks. It is
    likely to be very difficult to use this defect for a practical
    attack and is therefore considered low severity for Node.js users.
    More info is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
    cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
    functions. It is believed that Node.js is not invoking the code
    paths that use these functions so practical attacks via Node.js
    using this defect are _unlikely_ to be possible. More info is
    available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
    (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
    This defect enables attackers to execute side-channel attacks
    leading to the potential recovery of entire RSA private keys. It
    only affects the Intel Sandy Bridge (and possibly older)
    microarchitecture when using hyper-threading. Newer
    microarchitectures, including Haswell, are unaffected. More info
    is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0702
  - Remove SSLv2 support, the `--enable-ssl2` command line argument
    will now produce an error. The DROWN Attack
    (https://drownattack.com/) creates a vulnerability where SSLv2 is
    enabled by a server, even if a client connection is not using
    SSLv2. The SSLv2 protocol is widely considered unacceptably broken
    and should not be supported. More information is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0800

PR-URL: https://github.com/nodejs/node/pull/5404
2016-03-03 20:02:53 -06:00
Rod Vagg
4f08540b73 2016-03-03 Version 0.12.11 (LTS) Release
Notable changes:

* http_parser: Update to http-parser 2.3.2 to fix an unintentionally
  strict limitation of allowable header characters.
  (James M Snell) https://github.com/nodejs/node/pull/5241
* domains:
  - Prevent an exit due to an exception being thrown rather than
    emitting an 'uncaughtException' event on the `process` object when
    no error handler is set on the domain within which an error is
    thrown and an 'uncaughtException' event listener is set on
    `process`. (Julien Gilli) https://github.com/nodejs/node/pull/3885
  - Fix an issue where the process would not abort in the proper
    function call if an error is thrown within a domain with no error
    handler and `--abort-on-uncaught-exception` is used.
    (Julien Gilli) https://github.com/nodejs/node/pull/3885
* openssl: Upgrade from 1.0.2f to 1.0.2g
  (Ben Noordhuis) https://github.com/nodejs/node/pull/5509
  - Fix a double-free defect in parsing malformed DSA keys that may
    potentially be used for DoS or memory corruption attacks. It is
    likely to be very difficult to use this defect for a practical
    attack and is therefore considered low severity for Node.js users.
    More info is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
    cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
    functions. It is believed that Node.js is not invoking the code
    paths that use these functions so practical attacks via Node.js
    using this defect are _unlikely_ to be possible. More info is
    available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
    (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
    defect enables attackers to execute side-channel attacks leading
    to the potential recovery of entire RSA private keys. It only
    affects the Intel Sandy Bridge (and possibly older)
    microarchitecture when using hyper-threading. Newer
    microarchitectures, including Haswell, are unaffected. More info
    is available at
    https://www.openssl.org/news/vulnerabilities.html#2016-0702

PR-URL: https://github.com/nodejs/node/pull/5403
2016-03-03 20:02:32 -06:00
Jeremiah Senkpiel
9091ccdc2d 2016-03-02, Version 5.7.1 (Stable)
Notable changes:

* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
https://github.com/nodejs/node/pull/5507
  - Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
  - Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
  - Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702

* Fixed several regressions that appeared in v5.7.0:
  - path.relative():
    - Output is no longer unnecessarily verbose (Brian White)
https://github.com/nodejs/node/pull/5389
    - Resolving UNC paths on Windows now works correctly (Owen Smith)
https://github.com/nodejs/node/pull/5456
    - Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) https://github.com/nodejs/node/pull/5490
  - url: Fixed an off-by-one error with `parse()` (Brian White)
https://github.com/nodejs/node/pull/5394
  - dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
https://github.com/nodejs/node/pull/5407

PR-URL: https://github.com/nodejs/node/pull/5464
2016-03-02 18:46:04 -05:00
Myles Borins
d6608ed47a 2016-03-02, Version 4.3.2 'Argon' (LTS)
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/

* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) https://github.com/nodejs/node/pull/5507
  - Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
  - Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
  - Fix a defect that makes the _CacheBleed Atta https://ssrg.nicta.com.au/projects/TS/cachebleed/ _ possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.

PR-URL: https://github.com/nodejs/node/pull/5526
2016-03-02 13:39:47 -08:00
Rod Vagg
7b0a83d2b0 2016-02-23, Version 5.7.0 (Stable)
* buffer:
  - You can now supply an encoding argument when filling a
    Buffer Buffer#fill(string[, start[, end]][, encoding]), supplying
    an existing Buffer will also work with
    Buffer#fill(buffer[, start[, end]]). See the API documentation for
    details on how this works. (Trevor Norris) #4935
  - Buffer#indexOf() no longer requires a byteOffset argument if you
    also wish to specify an encoding:
    Buffer#indexOf(val[, byteOffset][, encoding]).
    (Trevor Norris) #4803
* child_process: spawn() and spawnSync() now support a 'shell' option
  to allow for optional execution of the given command inside a shell.
  If set to true, cmd.exe will be used on Windows and /bin/sh
  elsewhere. A path to a custom shell can also be passed to override
  these defaults. On Windows, this option allows .bat. and .cmd files
  to be executed with spawn() and spawnSync(). (Colin Ihrig) #4598
* http_parser: Update to http-parser 2.6.2 to fix an unintentionally
  strict limitation of allowable header characters.
  (James M Snell) #5237
* dgram: socket.send() now supports accepts an array of Buffers or
  Strings as the first argument. See the API docs for details on how
  this works. (Matteo Collina) #4374
* http: Fix a bug where handling headers will mistakenly trigger an
  'upgrade' event where the server is just advertising its protocols.
  This bug can prevent HTTP clients from communicating with HTTP/2
  enabled servers. (Fedor Indutny) #4337
* net: Added a listening Boolean property to net and http servers to
  indicate whether the server is listening for connections.
  (José Moreira) #4743
* node: The C++ node::MakeCallback() API is now reentrant and calling
  it from inside another MakeCallback() call no longer causes the
  nextTick queue or Promises microtask queue to be processed out of
  order. (Trevor Norris) #4507
* tls: Add a new tlsSocket.getProtocol() method to get the negotiated
  TLS protocol version of the current connection. (Brian White) #4995
* vm: Introduce new 'produceCachedData' and 'cachedData' options to
  new vm.Script() to interact with V8's code cache. When a new
  vm.Script object is created with the 'produceCachedData' set to true
  a Buffer with V8's code cache data will be produced and stored in
  cachedData property of the returned object. This data in turn may be
  supplied back to another vm.Script() object with a 'cachedData'
  option if the supplied source is the same. Successfully executing a
  script from cached data can speed up instantiation time. See the API
  docs for details. (Fedor Indutny) #4777
* performance: Improvements in:
  - process.nextTick() (Ruben Bridgewater) #5092
  - path module (Brian White) #5123
  - querystring module (Brian White) #5012
  - streams module when processing small chunks (Matteo Collina) #4354

PR-URL: https://github.com/nodejs/node/pull/5295
2016-02-24 17:15:22 +11:00
Myles Borins
c1b3d78a39 2016-02-16, Version 4.3.1 'Argon' (LTS)
Notable changes:

* buffer: make byteLength work with Buffer correctly (Jackson Tian)
  - https://github.com/nodejs/node/pull/4738
* debugger: guard against call from non-node context (Ben Noordhuis)
  - https://github.com/nodejs/node/pull/4328
* node_contextify: do not incept debug context (Myles Borins)
  - https://github.com/nodejs/node/pull/4819
* deps: update to http-parser 2.5.2 (James Snell)
  - https://github.com/nodejs/node/pull/5238

PR-URL: https://github.com/nodejs/node/pull/5200#issuecomment-184897483
2016-02-16 17:02:01 -08:00
James M Snell
de91e9a8a7 doc: fix v4.3.0 changelog commit entries
The wrong commit SHA's were used

PR-URL: https://github.com/nodejs/node/pull/5164
Reviewed-By: Myles Borins <myles.borins@gmail.com>
2016-02-15 08:10:14 -08:00
James M Snell
1a68f85c4e 2016-02-09, Version 5.6.0 (Stable)
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 2.6.0 to 2.6.1
* npm: upgrade npm from 3.3.12 to 3.6.0
  (Rebecca Turner) https://github.com/nodejs/node/pull/4958
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
2016-02-09 09:30:44 -08:00
James M Snell
7daded4ff0 2016-02-09, Version 4.3.0 'Argon' (LTS)
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`

PR-URL: https://github.com/nodejs/node-private/pull/20
2016-02-09 09:29:14 -08:00
James M Snell
2dc89da504 2016-02-09, Version 0.12.10 (LTS)
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes:

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`
* build:
  - xz compressed tar files will be made available from nodejs.org for
    v0.12 builds from v0.12.10 onward
  - A headers.tar.gz file will be made available from nodejs.org for
    v0.12 builds from v0.12.10 onward, a future change to node-gyp
    will be required to make use of these

PR-URL: https://github.com/nodejs/node-private/pull/24
2016-02-09 09:27:27 -08:00
James M Snell
bc86c5675b 2016-02-09, Version 0.10.42 (Maintenance)
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.

Notable changes:

* http: fix defects in HTTP header parsing for requests and responses
  that can allow request smuggling (CVE-2016-2086) or response
  splitting (CVE-2016-2216). HTTP header parsing now aligns more
  closely with the HTTP spec including restricting the acceptable
  characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
  Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
  parameters shorter than 1024-bits, up from the previous limit of
  768-bits.
* src:
  - introduce new `--security-revert={cvenum}` command line flag for
    selective reversion of specific CVE fixes
  - allow the fix for CVE-2016-2216 to be selectively reverted using
    `--security-revert=CVE-2016-2216`
* build:
  - xz compressed tar files will be made available from nodejs.org for
    v0.10 builds from v0.10.42 onward
  - A headers.tar.gz file will be made available from nodejs.org for
    v0.10 builds from v0.10.42 onward, a future change to node-gyp
    will be required to make use of these

PR-URL: https://github.com/nodejs/node-private/pull/25
2016-02-09 09:26:03 -08:00
James M Snell
b5b5bb1e3c src: avoid compiler warning in node_revert.cc
PR-URL: https://github.com/nodejs/node-private/pull/26
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
2016-02-09 09:22:13 -08:00
Myles Borins
8221917e85 2016-01-21, Version 4.2.6 "Argon" (LTS) Release
Notable changes:

* Fix regression in debugger and profiler functionality

PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
2016-01-21 14:19:57 -08:00
Evan Lucas
318ded2c4d 2016-01-20, Version 5.5.0 (Stable)
Notable changes:

* events: make sure console functions exist (Dave) https://github.com/nodejs/node/pull/4479
* fs: add autoClose option to fs.createWriteStream (Saquib) https://github.com/nodejs/node/pull/3679
* http: improves expect header handling (Daniel Sellers) https://github.com/nodejs/node/pull/4501
* node: allow preload modules with -i (Evan Lucas) https://github.com/nodejs/node/pull/4696
* v8,src: expose statistics about heap spaces (`v8.getHeapSpaceStatistics()`) (Ben Ripkens) https://github.com/nodejs/node/pull/4463
* Minor performance improvements:
  - lib: Use arrow functions instead of bind where possible (Minwoo Jung) https://github.com/nodejs/node/pull/3622
  - module: cache stat() results more aggressively (Ben Noordhuis) https://github.com/nodejs/node/pull/4575
  - querystring: improve parse() performance (Brian White) https://github.com/nodejs/node/pull/4675

PR-URL: https://github.com/nodejs/node/pull/4742
2016-01-20 20:23:48 -06:00
Myles Borins
d50a8a9848 2016-01-20, Version 4.2.5 "Argon" (LTS) Release
Notable changes:

* assert
  -  accommodate ES6 classes that extend Error (Rich Trott) https://github.com/nodejs/node/pull/4166
* build
  - add "--partly-static" build options (Super Zheng) https://github.com/nodejs/node/pull/4152
* deps
  - backport 066747e from upstream V8 (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/4655
  - backport 200315c from V8 upstream (Vladimir Kurchatkin) https://github.com/nodejs/node/pull/4128
  - upgrade libuv to 1.8.0 (Saúl Ibarra Corretgé)
* docs
  - various updates landed in 70 different commits!
* repl
  - attach location info to syntax errors (cjihrig) https://github.com/nodejs/node/pull/4013
  - display error message when loading directory (Prince J Wesley) https://github.com/nodejs/node/pull/4170
* tests
  - various updates landed in over 50 commits
* util
  - allow lookup of hidden values (cjihrig) https://github.com/nodejs/node/pull/3988

PR-URL: https://github.com/nodejs/node/pull/4768
2016-01-20 12:47:54 -08:00
Myles Borins
a254507dfa 2016-01-12, Version 5.4.1 (Stable)
Notable Changes:

* Minor performance improvements:
  - module: move unnecessary work for early return (Andres Suarez) https://github.com/nodejs/node/pull/3579
* Various bug fixes
* Various doc fixes
* Various test improvements

PR-URL: https://github.com/nodejs/node/pull/4626
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
2016-01-12 16:12:31 -08:00
Jeremiah Senkpiel
5f0abd6472 2016-01-06, Version 5.4.0 (Stable)
* http:
  - A new status code was added: 451 - "Unavailable For Legal Reasons"
(Max Barinov) https://github.com/nodejs/node/pull/4377
  - Idle sockets that have been kept alive now handle errors (José F.
Romaniello) https://github.com/nodejs/node/pull/4482
* This release also includes several minor performance improvements:
  - assert: deepEqual is now speedier when comparing TypedArrays
(Claudio Rodriguez) https://github.com/nodejs/node/pull/4330
  - lib: Use arrow functions instead of bind where possible (Minwoo
Jung) https://github.com/nodejs/node/pull/3622
  - node: Improved accessor perf of process.env (Trevor Norris)
https://github.com/nodejs/node/pull/3780
  - node: Improved performance of process.hrtime() (Trevor Norris)
https://github.com/nodejs/node/pull/3780, (Evan Lucas)
https://github.com/nodejs/node/pull/4484
  - node: Improved GetActiveHandles performance (Trevor Norris)
https://github.com/nodejs/node/pull/3780
  - util: Use faster iteration in util.format() (Jackson Tian)
https://github.com/nodejs/node/pull/3964

Refs: https://github.com/nodejs/node/pull/4547
PR-URL: https://github.com/nodejs/node/pull/4623
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2016-01-11 12:42:53 -05:00
James M Snell
7fac47c94a 2015-12-23, Version 4.2.4 "Argon" (LTS) Release
Maintenance Update

Notable changes

* Roughly 78% of the commits are documentation and test
  improvements
* domains:
  - Fix handling of uncaught exceptions (Julien Gilli)
    [#3884](https://github.com/nodejs/node/pull/3884)
* deps:
  - Upgrade to npm 2.14.12 (Kat Marchán)
    [#4110](https://github.com/nodejs/node/pull/4110)
  - Backport 819b40a from V8 upstream (Michaël Zasso)
    [#3938](https://github.com/nodejs/node/pull/3938)
  - Updated node LICENSE file with new npm license (Kat Marchán)
    [#4110](https://github.com/nodejs/node/pull/4110)
2015-12-23 09:22:48 -08:00
Jeremiah Senkpiel
14f81a022d 2015-07-09 io.js v1.8.4 Release
Notable changes

* openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains
Certificate Forgery) https://github.com/nodejs/io.js/pull/2141.
2015-12-20 19:14:23 +03:00
Rod Vagg
8e724e6677 2015-07-04 io.js v1.8.3 Release
Maintenance release

Notable Changes:

* v8: Fixed an out-of-band write in utf8 decoder. This is an important
  security update as it can be used to cause a denial of service
  attack.
* openssl: - Upgrade to 1.0.2b and 1.0.2c, introduces DHE
  man-in-the-middle protection (Logjam) and fixes malformed
  ECParameters causing infinite loop (CVE-2015-1788). See the
  security advisory for full details. (Shigeki Ohtsu) #1950 #1958
* build:
  - Added support for compiling with Microsoft Visual C++ 2015
  - Started building and distributing headers-only tarballs along with
    binaries
2015-12-20 19:14:23 +03:00
Rod Vagg
361db7e191 2015-05-17 io.js v1.8.2 Release
Maintenance release

Notable Changes:

* crypto: significantly reduced memory usage for TLS (Fedor Indutny &
  Сковорода Никита Андреевич) #1529
* npm: Upgrade npm to 2.9.0. See the v2.8.4 and v2.9.0 release notes for
  details.
2015-12-20 19:14:23 +03:00
cjihrig
e5774c9df0 2015-12-16, Version 5.3.0 (Stable)
Notable changes:

* buffer:
  - Buffer.prototype.includes() has been added to keep parity
    with TypedArrays. (Alexander Martin) #3567.
* domains:
  - Fix handling of uncaught exceptions.
    (Julien Gilli) #3654.
* https:
  - Added support for disabling session caching.
    (Fedor Indutny) #4252.
* repl:
  - Allow third party modules to be imported using
    require(). This corrects a regression from 5.2.0.
    (Ben Noordhuis) #4215.
* deps:
  - Upgrade libuv to 1.8.0.
    (Saúl Ibarra Corretgé) #4276.

PR-URL: https://github.com/nodejs/node/pull/4281

Conflicts:
	src/node_version.h
2015-12-16 14:53:22 -05:00
Rod Vagg
6ca5ea3860 2015-12-09, Version 5.2.0 (Stable)
Notable changes:

* build:
  - Add support for Intel's VTune JIT profiling when compiled with
    --enable-vtune-profiling. For more information about VTune, see
    https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785.
  - Properly enable V8 snapshots by default. Due to a configuration
    error, snapshots have been kept off by default when the intention
    is for the feature to be enabled. (Fedor Indutny) #3962.
* crypto:
  - Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
    (created via crypto.createECDH(curve_name)) with private keys that
    are not dynamically generated via generateKeys(). The public key
    is now computed when explicitly setting a private key. Added
    validity checks to reduce the possibility of computing weak or
    invalid shared secrets. Also, deprecated the setPublicKey() method
    for ECDH objects as its usage is unnecessary and can lead to
    inconsistent state. (Michael Ruddy) #3511.
  - Update root certificates from the current list stored maintained
    by Mozilla NSS. (Ben Noordhuis) #3951.
  - Multiple CA certificates can now be passed with the ca option to
    TLS methods as an array of strings or in a single new-line
    separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
  --prof-process command-line argument which can be used to process V8
  profiling output files generated when using the --prof command-line
  argument. (Matt Loring) #4021.

PR-URL: https://github.com/nodejs/node/pull/4181
2015-12-09 16:22:19 +11:00
Rod Vagg
ab009a0955 2015-12-04, Version 5.1.1 (Stable)
Security Update

Notable items:

* **http**: Fix a bug where an HTTP socket may no longer have a socket
  but a pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
  - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
    an attack is considered feasible against DH, an attack against RSA
    and DSA is considered possible but unlikely, EC algorithms are not
    affected. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  - CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
    a potential denial-of-service vector for Node.js TLS servers; TLS
    clients are also impacted. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  (Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
  in out-of-bounds reads for arrays. (Ben Noordhuis)

PR-URL: https://github.com/nodejs/node-private/pull/11
2015-12-05 15:38:01 +11:00
Rod Vagg
e935a5214c 2015-12-04, Version 4.2.3 "Argon" (LTS) Release
Security Update

Notable items:

* http: Fix a bug where an HTTP socket may no longer have a socket
  but a pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
  - CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
    an attack is considered feasible against a Node.js TLS server using
    DHE key exchange. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  - CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
    a potential denial-of-service vector for Node.js TLS servers; TLS
    clients are also impacted. Details are available at
    <http://openssl.org/news/secadv/20151203.txt>.
  (Shigeki Ohtsu) #4134
* v8: Backport fixes for a bug in `JSON.stringify()` that can result
  in out-of-bounds reads for arrays. (Ben Noordhuis)

PR-URL: https://github.com/nodejs/node-private/pull/12
2015-12-05 15:37:52 +11:00
Rod Vagg
07d8741ddf 2015-12-04, Version 0.12.9 (Stable)
Security Update

Notable items:

* http: Fix a bug where an HTTP socket may no longer have a socket but a
  pipelined request triggers a pause or resume, a potential
  denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
  "Certificate verify crash with missing PSS parameter", a potential
  denial-of-service vector for Node.js TLS servers; TLS clients are also
  impacted. Details are available at
  <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133

PR-URL: https://github.com/nodejs/node-private/pull/13
2015-12-05 15:37:40 +11:00
Rod Vagg
2c61b84772 2015-12-04, Version 0.10.41 (Maintenance)
Security Update

Notable items:

* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
  part of the strategy to get a version of npm into Node.js v0.10.x that
  works with the current registry
  (https://github.com/nodejs/LTS/issues/37). This version of npm prints
  out a banner each time it is run. The banner warns that the next
  standard release of Node.js v0.10.x will ship with a version of npm
  v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
  "Certificate verify crash with missing PSS parameter", a potential
  denial-of-service vector for Node.js TLS servers; TLS clients are also
  impacted. Details are available at
  <http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
  #4133

PR-URL: https://github.com/nodejs/node-private/pull/15
2015-12-05 15:31:15 +11:00
Rod Vagg
483016ffd9 2015-11-25 Version 0.12.8 (LTS) Release
PR-URL: https://github.com/nodejs/node/pull/2806
2015-12-05 15:31:15 +11:00
Jeremiah Senkpiel
29cd1195ec 2015-11-17, Version 5.1.0 (Stable)
PR-URL: https://github.com/nodejs/node/pull/3736
2015-11-17 16:52:26 -05:00
James M Snell
3268383c2b doc: fix wrong date and known issue in changelog.md
* A known issue was resolved but not removed from the list
* The wrong date was documented in the changelog for v4.2.2

PR-URL: https://github.com/nodejs/node/pull/3650
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
2015-11-04 15:21:00 -08:00
James M Snell
3be3fb6538 2015-11-03, Version 4.2.2 "Argon" (LTS) Release 2015-11-03 12:09:16 -08:00
Rod Vagg
837b17408a 2015-10-29, Version 5.0.0 (Stable)
Notable changes:

* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
  these have been deprecated for a long time (Sakthipriyan Vairamani) #2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
  accuracy added (Michaël Zasso) #3166.
* fs:
  - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
    descriptor as their first argument (Johannes Wüller) #3163.
  - (Breaking) In fs.readFile(), if an encoding is specified and the internal
    toString() fails the error is no longer thrown but is passed to the callback
    (Evan Lucas) #3485.
  - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
    callback) form), if the internal toString() fails the error is no longer
    thrown but is passed to the callback (Evan Lucas) #3503.
* http:
  - Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342.
  - (Breaking) When parsing HTTP, don't add duplicates of the following headers:
    Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
    to the following headers which already block duplicates: Content-Type,
    Content-Length, User-Agent, Referer, Host, Authorization,
    Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
    Max-Forwards (James M Snell) #3090.
  - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
    function or a TypeError is thrown (James M Snell) #3090.
  - (Breaking) HTTP methods and header names must now conform to the RFC 2616
    "token" rule, a list of allowed characters that excludes control characters
    and a number of separator characters. Specifically, methods and header names
    must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
    (James M Snell) #2526.
* node:
  - (Breaking) Deprecated the _linklist module (Rich Trott) #3078.
  - (Breaking) Removed require.paths and require.registerExtension(), both had
    been previously set to throw Error when accessed
    (Sakthipriyan Vairamani) #2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
  https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
  major version bump for npm and it has seen a significant amount of change.
  Please see the original npm v3.0.0 release notes for a list of major changes
  (Rebecca Turner) #3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
  due to the V8 upgrade. Native add-ons will need to be recompiled
  (Rod Vagg) #3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
  a long-standing known issue where unrefed timers would perviously hold
  beforeExit open (Fedor Indutny) #3407.
* tls:
  - Added ALPN Support (Shigeki Ohtsu) #2564.
  - TLS options can now be passed in an object to createSecurePair()
    (Коренберг Марк) #2441.
  - (Breaking) The default minimum DH key size for tls.connect() is now 1024
    bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
    option can be used to override the default. (Shigeki Ohtsu) #1831.
* util:
  - (Breaking) util.p() was deprecated for years, and has now been removed
    (Wyatt Preul) #3432.
  - (Breaking) util.inherits() can now work with ES6 classes. This is considered
    a breaking change because of potential subtle side-effects caused by a
    change from directly reassigning the prototype of the constructor using
    `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
    to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
    (Michaël Zasso) #3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351.
  - Implements the spread operator, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
    for further information.
  - Implements new.target, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
    for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
  file) (Yuval Brik) #2595.

PR-URL: https://github.com/nodejs/node/pull/3466
2015-10-30 07:53:24 +11:00
Phillip Johnsen
dae9fae0fe doc: label v4.2.1 as LTS in changelog heading
PR-URL: https://github.com/nodejs/node/pull/3360
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
2015-10-14 21:51:53 +02:00
Timothy Gu
81503e597b doc: fix typo in changelog
PR-URL: https://github.com/nodejs/node/pull/3353
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-10-14 13:35:26 +11:00
James M Snell
0a7076b0f1 2015-10-13, Version 4.2.1 'Argon' (LTS) Release
* Includes fixes for two regressions
  - Assertion error in WeakCallback  - see [#3329](https://github.com/nodejs/node/pull/3329)
  - Undefined timeout regression - see [#3331](https://github.com/nodejs/node/pull/3331)

* Document an additional known issue with pipelined requests
  - See: https://github.com/nodejs/node/issues/3332 and https://github.com/nodejs/node/pull/3342
2015-10-13 10:39:14 -07:00
Rod Vagg
4bc9d97c5f doc: label v4.2.0 as LTS in changelog heading
Update the label for v4.2.0 to (LTS) from (Stable)

Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3343
2015-10-13 08:26:33 -07:00
James M Snell
47db2472e5 2015-10-12, Version 4.2.0 'Argon' (LTS) Release
The first Node.js LTS release! See https://github.com/nodejs/LTS/
for details of the LTS process.

* **icu**: Updated to version 56 with significant performance improvements
  (Steven R. Loomis) https://github.com/nodejs/node/pull/3281
* **node**:
  - Added new `-c` (or `--check`) command line argument for checking script
    syntax without executing the code (Dave Eddy) https://github.com/nodejs/node/pull/2411
  - Added `process.versions.icu` to hold the current ICU library version
    (Evan Lucas) https://github.com/nodejs/node/pull/3102
  - Added `process.release.lts` to hold the current LTS codename when the
    binary is from an active LTS release line (Rod Vagg) https://github.com/nodejs/node/pull/3212
* **npm**: Upgraded to npm 2.14.7 from 2.14.4, see release notes:
  https://github.com/npm/npm/releases/tag/v2.14.7 for full details (Kat Marchán) https://github.com/nodejs/node/pull/3299

PR-URL: https://github.com/nodejs/node/pull/3258
2015-10-12 11:17:37 -07:00
reggi
3ef2e4acf3 doc: fix typos in changelog
PR-URL: https://github.com/nodejs/node/pull/3291
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
2015-10-11 18:55:06 +02:00
Martial
f5a3f44f5c doc: standardize references to userland
Change occurrences of "user-land" to "userland".

PR-URL: https://github.com/nodejs/node/pull/3192
Fixes: https://github.com/nodejs/node/issues/3189
Reviewed-By: Rich Trott <rtrott@gmail.com>
2015-10-06 20:28:33 -07:00
Rod Vagg
820735d967 2015-10-05, Version 4.1.2 (Stable) Release
Notable changes

* http:
  - Fix out-of-order 'finish' event bug in pipelining that can abort
    execution, fixes DoS vulnerability CVE-2015-7384
    (Fedor Indutny) #3128
  - Account for pending response data instead of just the data on the
    current request to decide whether pause the socket or not
    (Fedor Indutny) #3128
* libuv: Upgraded from v1.7.4 to v1.7.5, see release notes for details
  (Saúl Ibarra Corretgé) #3010
  - A better rwlock implementation for all Windows versions
  - Improved AIX support
* v8:
  - Upgraded from v4.5.103.33 to v4.5.103.35 (Ali Ijaz Sheikh) #3117
  - Backported f782159 from v8's upstream to help speed up Promise
    introspection (Ben Noordhuis) #3130
  - Backported c281c15 from v8's upstream to add JSTypedArray length
    in post-mortem metadata (Julien Gilli) #3031

PR-URL: https://github.com/nodejs/node/pull/3128
2015-10-06 07:03:18 +11:00
Rod Vagg
4a6f1feecb 2015-09-22, Version 4.1.1 (Stable) Release
Notable changes

* buffer: Fixed a bug introduced in v4.1.0 where allocating a new
  zero-length buffer can result in the next allocation of a TypedArray
  in JavaScript not being zero-filled. In certain circumstances this
  could result in data leakage via reuse of memory space in
  TypedArrays, breaking the normally safe assumption that TypedArrays
  should be always zero-filled. (Trevor Norris) #2931.
* http: Guard against response-splitting of HTTP trailing headers
  added via response.addTrailers() by removing new-line ([\r\n])
  characters from values. Note that standard header values are already
  stripped of new-line characters. The expected security impact is low
  because trailing headers are rarely used. (Ben Noordhuis) #2945.
* npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full
  details (Kat Marchán) #2958
  - Upgrades graceful-fs on multiple dependencies to no longer rely on
    monkey-patching fs
  - Fix npm link for pre-release / RC builds of Node
* v8: Update post-mortem metadata to allow post-mortem debugging tools
  to find and inspect:
  - JavaScript objects that use dictionary properties
    (Julien Gilli) #2959
  - ScopeInfo and thus closures (Julien Gilli) #2974

PR-URL: https://github.com/nodejs/node/pull/2995
2015-09-23 11:33:13 +10:00
Jeremiah Senkpiel
e4f2952341 2015-09-17, Version 4.1.0 (Stable) Release
Notable changes:

* buffer:
  - Buffers are now created in JavaScript, rather than C++. This increases the speed of buffer creation (Trevor Norris) https://github.com/nodejs/node/pull/2866.
  - `Buffer#slice()` now uses `Uint8Array#subarray()` internally, increasing `slice()` performance (Karl Skomski) https://github.com/nodejs/node/pull/2777.
* fs:
  - `fs.utimes()` now properly converts numeric strings, `NaN`, and `Infinity` (Yazhong Liu) https://github.com/nodejs/node/pull/2387.
  - `fs.WriteStream` now implements `_writev`, allowing for super-fast bulk writes (Ron Korving) https://github.com/nodejs/node/pull/2167.
* http: Fixed an issue with certain `write()` sizes causing errors when using `http.request()` (Fedor Indutny) https://github.com/nodejs/node/pull/2824.
* npm: Upgrade to version 2.14.3, see https://github.com/npm/npm/releases/tag/v2.14.3 for more details (Kat Marchán) https://github.com/nodejs/node/pull/2822.
* src: V8 cpu profiling no longer erroneously shows idle time (Oleksandr Chekhovskyi) https://github.com/nodejs/node/pull/2324.
* v8: Lateral upgrade to 4.5.103.33 from 4.5.103.30, contains minor fixes (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/2870.
  - This fixes a previously known bug where some computed object shorthand properties did not work correctly (https://github.com/nodejs/node/issues/2507).

Refs: https://github.com/nodejs/node/issues/2844
PR-URL: https://github.com/nodejs/node/pull/2889
2015-09-17 15:27:01 +10:00
Rod Vagg
b9813641dc 2015-09-15 io.js v3.3.1 Release
* buffer: Fixed a minor errors that was causing crashes
  (Michaël Zasso) #2635,
* child_process: Fix error that was causing crashes (Evan Lucas) #2727
* crypto: Replace use of rwlocks, unsafe on Windows XP / 2003
  (Ben Noordhuis) #2723
* libuv: Upgrade from 1.7.3 to 1.7.4 (Saúl Ibarra Corretgé) #2817
* node: Fix faulty process.release.libUrl on Windows (Rod Vagg) #2699
* node-gyp: Float v3.0.3 which has improved support for Node.js and
  io.js v0.10 to v4+ (Rod Vagg) #2700
* npm: Upgrade to version 2.14.3 from 2.13.3, includes a security
  update, see https://github.com/npm/npm/releases/tag/v2.14.2 for more
  details, (Kat Marchán) #2696.
* timers: Improved timer performance from porting the 0.12
  implementation, plus minor fixes (Jeremiah Senkpiel) #2540,
  (Julien Gilli) nodejs/node-v0.x-archive#8751 nodejs/node-v0.x-archive#8905

PR-URL: https://github.com/nodejs/node/pull/2698
2015-09-15 19:14:17 +10:00
Rod Vagg
380a3d89c3 2015-09-08, Version 4.0.0 (Stable) Release
This list of changes is relative to the last io.js v3.x branch
release, v3.3.0. Please see the list of notable changes in the v3.x,
v2.x and v1.x releases for a more complete list of changes from
0.12.x. Note, that some changes in the v3.x series as well as major
breaking changes in this release constitute changes required for full
convergence of the Node.js and io.js projects.

* child_process: ChildProcess.prototype.send() and process.send()
  operate asynchronously across all platforms so an optional callback
  parameter has been introduced that will be invoked once the message
  has been sent, i.e. .send(message[, sendHandle][, callback])
  (Ben Noordhuis) #2620.
* node: Rename "io.js" code to "Node.js" (cjihrig) #2367.
* node-gyp: This release bundles an updated version of node-gyp that
  works with all versions of Node.js and io.js including nightly and
  release candidate builds. From io.js v3 and Node.js v4 onward, it
  will only download a headers tarball when building addons rather
  than the entire source. (Rod Vagg) #2700.
* npm: Upgrade to version 2.14.2 from 2.13.3, includes a security
  update, see https://github.com/npm/npm/releases/tag/v2.14.2 for more
  details, (Kat Marchán) #2696.
* timers: Improved timer performance from porting the 0.12
  implementation, plus minor fixes (Jeremiah Senkpiel) #2540,
  (Julien Gilli) nodejs/node-v0.x-archive#8751 nodejs/node-v0.x-archive#8905
* util: The util.is*() functions have been deprecated, beginning with
  deprecation warnings in the documentation for this release, users
  are encouraged to seek more robust alternatives in the npm registry,
  (Sakthipriyan Vairamani) #2447.
* v8: Upgrade to version 4.5.103.30 from 4.4.63.30 (Ali Ijaz Sheikh) #2632.
  - Implement new TypedArray prototype methods: copyWithin(), every(),
    fill(), filter(), find(), findIndex(), forEach(), indexOf(),
    join(), lastIndexOf(), map(), reduce(), reduceRight(), reverse(),
    slice(), some(), sort(). See
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
    for further information.
  - Implement new TypedArray.from() and TypedArray.of() functions. See
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray
    for further information.
  - Implement arrow functions. See
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Functions/Arrow_functions
    for further information.
  - Full ChangeLog available at
    https://github.com/v8/v8-git-mirror/blob/4.5.103/ChangeLog

PR-URL: https://github.com/nodejs/node/pull/2742
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
2015-09-09 08:56:13 +10:00
Rod Vagg
a06e11d9d3 doc: update changelog for io.js v3.3.0
Notable changes:

* build: Add a --link-module option to configure that can be used to
  bundle additional JavaScript modules into a built binary
  (Bradley Meck) #2497
* docs: Merge outstanding doc updates from joyent/node
  (James M Snell) #2378
* http_parser: Significant performance improvement by having
  http.Server consume all initial data from its net.Socket and parsing
  directly without having to enter JavaScript. Any 'data' listeners on
  the net.Socket will result in the data being "unconsumed" into
  JavaScript, thereby undoing any performance gains.
  (Fedor Indutny) #2355
* libuv: Upgrade to 1.7.3 (from 1.6.1), see
  https://github.com/libuv/libuv/blob/v1.x/ChangeLog for details
  (Saúl Ibarra Corretgé) #2310
* V8: Upgrade to 4.4.63.30 (from 4.4.63.26) (Michaël Zasso) #2482

cherry-picked from v3.x @ 1a6e52db30

PR-URL: https://github.com/nodejs/node/pull/2653
Reviewed-By: cjihrig - Colin Ihrig <cjihrig@gmail.com>
2015-09-02 09:15:38 -04:00
P.S.V.R
f93032385e doc: merge CHANGELOG.md with joyent/node ChangeLog
PR-URL: https://github.com/nodejs/node/pull/2536
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-08-30 17:43:23 +10:00
Rod Vagg
f9539c19e8 doc: update changelog for io.js v3.2.0
Notable changes:

* events: Added EventEmitter#listenerCount(event) as a replacement for
  EventEmitter.listenerCount(emitter, event), which has now been
  marked as deprecated in the docs. (Sakthipriyan Vairamani) #2349
* module: Fixed an error with preloaded modules when the current
  working directory doesn't exist. (Bradley Meck) #2353
* node: Startup time is now about 5% faster when not passing V8 flags.
  (Evan Lucas) #2483
* repl: Tab-completion now works better with arrays.
  (James M Snell) #2409
* string_bytes: Fixed an unaligned write in the handling of UCS2
  encoding. (Fedor Indutny) #2480
* tls: Added a new --tls-cipher-list flag that can be used to override
  the built-in default cipher list. (James M Snell) #2412

PR-URL: https://github.com/nodejs/node/pull/2512
2015-08-25 15:48:50 +10:00
Roman Reiss
cded6e7993 doc: fix CHANGELOG.md on master
This patch applies the diff of CHANGELOG from v3.x branch to master,
corresponding to the 3.1.0 release.

Fixes: https://github.com/nodejs/node/issues/2456
Fixes: https://github.com/nodejs/node/issues/2502

PR-URL: https://github.com/nodejs/node/pull/2513
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
2015-08-24 12:44:09 +05:30
cjihrig
a69ab27ab4 node: rename from io.js to node
This commit replaces instances of io.js with Node.js, based on the
recent convergence. There are some remaining instances of io.js,
related to build and the installer.

Fixes: https://github.com/nodejs/node/issues/2361
PR-URL: https://github.com/nodejs/node/pull/2367
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
2015-08-23 17:59:43 -04:00
Rod Vagg
6faf17cb45 2015-08-04 io.js v3.0.0 Release
Notable changes:

* buffer:
  - Due to changes in V8, it has been necessary to reimplement Buffer
    on top of V8's Uint8Array. While every effort has been made to
    maintain performance, users are likely to experience a different
    performance profile depending on how Buffer is used.
    (Trevor Norris) #1825.
  - Buffer can now take ArrayBuffers as a constructor argument
    (Trevor Norris) #2002.
  - When a single buffer is passed to Buffer.concat(), a new, copied
    Buffer object will be returned; previous behavior was to return
    the original Buffer object (Sakthipriyan Vairamani) #1937.
* build: PPC support has been added to core to allow compiling on
  pLinux BE and LE (AIX support coming soon) (Michael Dawson) #2124.
* dgram: If an error occurs within socket.send() and a callback has
  been provided, the error is only passed as the first argument to the
  callback and not emitted on the socket object; previous behavior was
  to do both (Matteo Collina & Chris Dickinson) #1796
* freelist: Deprecate the undocumented freelist core module
  (Sakthipriyan Vairamani) #2176.
* http:
  - Status codes now all use the official IANA names as per RFC7231,
    e.g. http.STATUS_CODES[414] now returns 'URI Too Long' rather than
    'Request-URI Too Large' (jomo) #1470.
  - Calling .getName() on an HTTP agent no longer returns a trailing
    colon, HTTPS agents will no longer return an extra colon near the
    middle of the string (Brendan Ashworth) #1617.
* node:
  - NODE_MODULE_VERSION has been bumped to 45 to reflect the break in
    ABI (Rod Vagg) #2096.
  - Introduce a new process.release object that contains a name
    property set to 'io.js' and sourceUrl, headersUrl and libUrl
    (Windows only) properties containing URLs for the relevant
    resources; this is intended to be used by node-gyp
    (Rod Vagg) #2154.
  - The version of node-gyp bundled with io.js now downloads and uses
    a tarball of header files from iojs.org rather than the full
    source for compiling native add-ons; it is hoped this is a
    temporary floating patch and the change will be upstreamed to
    node-gyp soon (Rod Vagg) #2066.
* repl: Persistent history is now enabled by default. The history file
  is located at ~/.node_repl_history, which can be overridden by the
  new environment variable NODE_REPL_HISTORY. This deprecates the
  previous NODE_REPL_HISTORY_FILE variable. Additionally, the format
  of the file has been changed to plain text to better handle file
  corruption. (Jeremiah Senkpiel) #2224.
* smalloc: The smalloc module has been removed as it is no longer
  possible to provide the API due to changes in V8
  (Ben Noordhuis) #2022.
* tls: Add server.getTicketKeys() and server.setTicketKeys() methods
  for TLS session key rotation (Fedor Indutny) #2227.
* v8: Upgraded to 4.4.63.26
  - ES6: Enabled computed property names
  - ES6: Array can now be subclassed in strict mode
  - ES6: Implement rest parameters in staging, use the
    --harmony-rest-parameters command line flag
  - ES6: Implement the spread operator in staging, use the
    --harmony-spreadcalls command line flag
  - Removed SetIndexedPropertiesToExternalArrayData and related APIs,
    forcing a shift to Buffer to be reimplemented based on Uint8Array
  - Introduction of Maybe and MaybeLocal C++ API for objects which may
    or may not have a value.
  - Added support for PPC

PR-URL: https://github.com/nodejs/io.js/pull/2299
2015-08-04 14:07:41 -07:00
cjihrig
3ce020b7ba 2015-07-28 io.js v2.5.0 Release
Notable changes

* **https**: TLS sessions in Agent are reused (Fedor Indutny)
https://github.com/nodejs/io.js/pull/2228.
* **src**: base64 decoding is now 50% faster (Ben Noordhuis)
https://github.com/nodejs/io.js/pull/2193.
* **npm**: Upgraded to v2.13.2, release notes can be found in
<https://github.com/npm/npm/releases/tag/v2.13.2> (Kat Marchán)
https://github.com/nodejs/io.js/pull/2241.

PR-URL: https://github.com/nodejs/io.js/issues/2239
2015-07-28 11:08:18 -04:00
Jeremiah Senkpiel
a179bcbe9e 2015-07-17 io.js v2.4.0 Release
Notable changes

* src: Added a new `--track-heap-objects` flag to track heap object
allocations for heap snapshots (Bradley Meck)
https://github.com/nodejs/io.js/pull/2135.
* readline: Fixed a freeze that affected the repl if the keypress event
handler threw (Alex Kocharin) https://github.com/nodejs/io.js/pull/2107.
* npm: Upgraded to v2.13.0, release notes can be found in
https://github.com/npm/npm/releases/tag/v2.13.0 (Forrest L Norvell)
https://github.com/nodejs/io.js/pull/2152.

PR-URL: https://github.com/nodejs/io.js/pull/2189
2015-07-17 16:23:26 -07:00
Jeremiah Senkpiel
dfcd202753 2015-07-09 io.js v2.3.4 Release
Notable changes

* openssl: Upgrade to 1.0.2d, fixes CVE-2015-1793 (Alternate Chains
Certificate Forgery).
* npm: Upgraded to v2.12.1, release notes can be found in
https://github.com/npm/npm/releases/tag/v2.12.0 and
https://github.com/npm/npm/releases/tag/v2.12.1 (Kat Marchán)
https://github.com/nodejs/io.js/pull/2112.
2015-07-09 12:23:41 -07:00
Jeremiah Senkpiel
2faae580ae 2015-07-04 io.js v2.3.3 Release
Notable changes

* deps: Fixed an out-of-band write in utf8 decoder.
This is an important security update as it can be used to cause a
denial of service attack.
2015-07-03 17:10:40 -07:00
Rod Vagg
44c2465451 2015-07-02 io.js v2.3.2 Release
Notable changes

build:
  - Added support for compiling with Microsoft Visual C++ 2015
  - Started building and distributing headers-only tarballs along with binaries
2015-07-02 18:58:40 +10:00
Rod Vagg
8e53fd5371 2015-06-23 io.js v2.3.1 Release
PR-URL: https://github.com/nodejs/io.js/pull/1996

Notable changes

* module: The number of syscalls made during a require() have been
  significantly reduced again (see #1801 from v2.2.0 for previous
  work), which should lead to a performance improvement
  (Pierre Inglebert) #1920.
* npm:
  - Upgrade to v2.11.2 (Rebecca Turner) #1956.
  - Upgrade to v2.11.3 (Forrest L Norvell) #2018.
* zlib: A bug was discovered where the process would abort if the
  final part of a zlib decompression results in a buffer that would
  exceed the maximum length of 0x3fffffff bytes (~1GiB). This was
  likely to only occur during buffered decompression (rather than
  streaming). This is now fixed and will instead result in a thrown
  RangeError (Michaël Zasso) #1811.
2015-06-23 15:32:41 +10:00
Rod Vagg
5dfe0d5d61 doc: remove irrelevant SEMVER-MINOR & MAJOR 2015-06-13 15:41:05 +10:00
Rod Vagg
41951d45b6 2015-06-13 io.js v2.3.0 Release
Notable Changes:

* libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details.
  (Saúl Ibarra Corretgé) #1905 #1889. Highlights include:
  - Fix TTY becoming blocked on OS X
  - Fix UDP send callbacks to not to be synchronous
  - Add uv_os_homedir() (exposed as os.homedir(), see below)
* npm: See full release notes for details. (Kat Marchán) #1899. Highlight:
  - Use GIT_SSH_COMMAND (available as of Git 2.3)
* openssl:
  - Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection
    (Logjam) and fixes malformed ECParameters causing infinite loop
    (CVE-2015-1788). See the security advisory for full details.
    (Shigeki Ohtsu) #1950 #1958
  - Support FIPS mode of OpenSSL, see README for instructions.
    (Fedor Indutny) #1890
* os: Add os.homedir() method. (Colin Ihrig) #1791
* smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822
* Add new collaborators:
  - Alex Kocharin (@rlidwka)
  - Christopher Monsanto (@monsanto)
  - Ali Ijaz Sheikh (@ofrobots)
  - Oleg Elifantiev (@Olegas)
  - Domenic Denicola (@domenic)
  - Rich Trott (@Trott)
2015-06-13 14:09:33 +10:00
Rod Vagg
3dfd254659 2015-06-12 io.js v2.3.0 Release 2015-06-13 13:22:17 +10:00
Rod Vagg
d29034b34b doc: adjust changelog to clarify client revert
PR-URL: https://github.com/nodejs/io.js/pull/1859
Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
2015-06-01 20:25:05 +10:00
Rod Vagg
fe84797301 2015-06-01 io.js v2.2.1 Release
PR-URL: https://github.com/nodejs/io.js/pull/1856

Notable Changes:

* http: reverts the removal of an undocumented `client` property on client
  connections, this property is being used in the wild, most notably by
  https://github.com/request/request which is used by npm.
  (Michaël Zasso) [#1852](nodejs#1852).
2015-06-01 13:21:15 +10:00
Rod Vagg
5d83401086 doc: put SEMVER-MINOR on pre-load module fix 2.2.0 2015-05-31 16:04:57 +10:00
Rod Vagg
0c57de5b37 2015-05-31 io.js v2.2.0 Release
PR-URL: https://github.com/nodejs/io.js/pull/1808

Notable Changes:

* node: Speed-up require() by replacing usage of fs.statSync() and
  fs.readFileSync() with internal variants that are faster for this use-case
  and do not create as many objects for the garbage collector to clean up.
  The primary two benefits are: significant increase in application start-up
  time on typical applications and better start-up time for the debugger by
  eliminating almost all of the thousands of exception events.
  (Ben Noordhuis) #1801.
* node: Resolution of pre-load modules (-r or --require) now follows the
  standard require() rules rather than just resolving paths, so you can now
  pre-load modules in node_modules. (Ali Ijaz Sheikh) #1812.
* npm: Upgraded npm to v2.11.0. New hooks for preversion, version, and
  postversion lifecycle events, some SPDX-related license changes and license
  file inclusions. See the release notes for full details.
2015-05-31 16:00:27 +10:00
Rod Vagg
ba76a9d872 doc: remove bad semver-major entry from CHANGELOG
PR-URL: https://github.com/nodejs/io.js/pull/1782
Reviewed-By: Roman Reiss <me@silverwind.io>
2015-05-24 16:52:33 +10:00
Rod Vagg
a6a3f8c78d doc: fix changelog s/2.0.3/2.1.0 2015-05-24 13:56:20 +10:00
Rod Vagg
4d8f4d5cb3 2015-05-24 io.js v2.1.0 Release
PR-URL: https://github.com/nodejs/io.js/pull/1777

Notable Changes:

* crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be
  1024 bits or longer or an error will be thrown. A warning will also be printed
  to the console if you supply less than 2048 bits. See https://weakdh.org/ for
  further context on this security concern. (Shigeki Ohtsu) #1739.
* node: A new --trace-sync-io command line flag will print a warning and a stack
  trace whenever a synchronous API is used. This can be used to track down
  synchronous calls that may be slowing down an application.
  (Trevor Norris) #1707.
* node: To allow for chaining of methods, the setTimeout(), setKeepAlive(),
  setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http',
  'https' and 'tls' now return the current instance instead of undefined
  (Roman Reiss & Evan Lucas) #1699 #1768 #1779.
* npm: Upgraded to v2.10.1, release notes can be found in
  https://github.com/npm/npm/releases/tag/v2.10.1 and
  https://github.com/npm/npm/releases/tag/v2.10.0.
* util: A significant speed-up (in the order of 35%) for the common-case of a
  single string argument to util.format(), used by console.log()
  (Сковорода Никита Андреевич) #1749.
2015-05-24 12:08:57 +10:00
Felipe Batista
f0a8bc3f84 doc: fix spelling in CHANGELOG
Reviewed-By: Roman Reiss <me@silverwind.io>
2015-05-20 14:25:37 +02:00
Frederic Hemberger
066274794c doc: update links from iojs/io.js to nodejs/io.js
Replaced all links in doc and comments to point to the new org.

PR-URL: https://github.com/nodejs/io.js/pull/1715
Reviewed-By: Roman Reiss <me@silverwind.io>
2015-05-18 08:13:09 +02:00
Jeremiah Senkpiel
c7fb91dc13 doc: fix v2.0.2 entry in changelog.md 2015-05-15 19:28:16 -04:00
Jeremiah Senkpiel
3e7a143814 2015-05-15 io.js v2.0.2 Release
PR-URL: https://github.com/iojs/io.js/pull/1679

Notable Changes:

* win,node-gyp: the delay-load hook for windows addons has now been
correctly enabled by default, it had wrongly defaulted to off in the
release version of 2.0.0 (Bert Belder) #1433
* os: tmpdir()'s trailing slash stripping has been refined to fix an
issue when the temp directory is at '/'. Also considers which slash is
used by the operating system. (cjihrig) #1673
* tls: default ciphers have been updated to use gcm and aes128 (Mike
MacCana) #1660
* build: v8 snapshots have been re-enabled by default as suggested by
the v8 team, since prior security issues have been resolved. This
should give some perf improvements to both startup and vm context
creation. (Trevor Norris) #1663
* src: fixed preload modules not working when other flags were used
before --require (Yosuke Furukawa) #1694
* dgram: fixed send()'s callback not being asynchronous (Yosuke
Furukawa) #1313
* readline: emitKeys now keeps buffering data until it has enough to
parse. This fixes an issue with parsing split escapes. (Alex Kocharin)
* cluster: works now properly emit 'disconnect' to cluser.worker (Oleg
Elifantiev) #1386
events: uncaught errors now provide some context (Evan Lucas) #1654
2015-05-15 18:38:20 -04:00
Rod Vagg
6c80e38b01 2015-05-07 io.js v2.0.1 Release (PROPOSAL)
PR-URL: https://github.com/iojs/io.js/pull/1629
2015-05-07 14:12:47 -07:00
Brian White
71dc7152ee doc: fix PR link in CHANGELOG
PR-URL: https://github.com/iojs/io.js/pull/1624
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2015-05-05 10:16:11 -04:00
Rod Vagg
7c89c4c7ac 2015-05-04 io.js v2.0.0 Release
PR-URL: https://github.com/iojs/io.js/pull/1532

Notable Changes:

* crypto: significantly reduced memory usage for TLS (Fedor Indutny & Сковорода
  Никита Андреевич) #1529
* net: socket.connect() now accepts a 'lookup' option for a custom DNS
  resolution mechanism, defaults to dns.lookup() (Evan Lucas) #1505
* npm: Upgrade npm to 2.9.0. See the v2.8.4 and v2.9.0 release notes for
  details. Notable items:
  - Add support for default author field to make npm init -y work without
    user-input (@othiym23) npm/npm/d8eee6cf9d
  - Include local modules in npm outdated and npm update (@ArnaudRinquin)
    npm/npm#7426
  - The prefix used before the version number on npm version is now configurable
    via tag-version-prefix (@kkragenbrink) npm/npm#8014
* os: os.tmpdir() is now cross-platform consistent and will no longer returns a
  path with a trailling slash on any platform (Christian Tellnes) #747
* process:
  - process.nextTick() performance has been improved by between 2-42% across the
    benchmark suite, notable because this is heavily used across core (Brian White) #1548
  - New process.geteuid(), process.seteuid(id), process.getegid() and
    process.setegid(id) methods allow you to get and set effective UID and GID
    of the process (Evan Lucas) #1536
* repl:
  - REPL history can be persisted across sessions if the NODE_REPL_HISTORY_FILE
    environment variable is set to a user accessible file,
    NODE_REPL_HISTORY_SIZE can set the maximum history size and defaults to 1000
    (Chris Dickinson) #1513
  - The REPL can be placed in to one of three modes using the NODE_REPL_MODE
    environment variable: sloppy, strict or magic (default); the new magic mode
    will automatically run "strict mode only" statements in strict mode
    (Chris Dickinson) #1513
* smalloc: the 'smalloc' module has been deprecated due to changes coming in V8
  4.4 that will render it unusable
* util: add Promise, Map and Set inspection support (Christopher Monsanto) #1471
* V8: upgrade to 4.2.77.18, see the ChangeLog for full details. Notable items:
  - Classes have moved out of staging; the class keyword is now usable in strict
    mode without flags
  - Object literal enhancements have moved out of staging; shorthand method and
    property syntax is now usable ({ method() { }, property })
  - Rest parameters (function(...args) {}) are implemented in staging behind the
    --harmony-rest-parameters flag
  - Computed property names ({['foo'+'bar']:'bam'}) are implemented in staging
    behind the --harmony-computed-property-names flag
  - Unicode escapes ('\u{xxxx}') are implemented in staging behind the
    --harmony_unicode flag and the --harmony_unicode_regexps flag for use in
    regular expressions
* Windows:
  - Random process termination on Windows fixed (Fedor Indutny) #1512 / #1563
  - The delay-load hook introduced to fix issues with process naming (iojs.exe /
    node.exe) has been made opt-out for native add-ons. Native add-ons should
    include 'win_delay_load_hook': 'false' in their binding.gyp to disable this
    feature if they experience problems . (Bert Belder) #1433
* Governance:
  - Rod Vagg (@rvagg) was added to the Technical Committee (TC)
  - Jeremiah Senkpiel (@Fishrock123) was added to the Technical Committee (TC)
2015-05-04 14:34:44 -07:00
Yosuke Furukawa
391cae3595 doc: Add Known issues to v1.7.0/1.7.1 CHANGELOG
PR-URL: https://github.com/iojs/io.js/pull/1473
Reviewed-By: Brendan Ashworth <brendan.ashworth@me.com>
2015-04-29 01:13:31 +09:00
Chris Dickinson
7b7da2edf7 2015-04-20 io.js v1.8.1 Release
Notable Changes:

* build: revert vcbuild.bat changes
* changes inherited from v1.8.0:
  * build: Support for building io.js as a static
    library (Marat Abdullin) #1341
  * npm: Upgrade npm to 2.8.3. (Forrest L Norvell) #1448
  * deps: upgrade openssl to 1.0.2a (Shigeki Ohtsu) #1389
  * src: allow multiple arguments to be passed to
    process.nextTick (Trevor Norris) #1077
  * module: the interaction of require('.') with NODE_PATH has been
    restored and deprecated. This functionality will be removed at
    a later point. (Roman Reiss) #1363
2015-04-20 16:00:30 -07:00
Chris Dickinson
c0f841352d 2015-04-17 io.js v1.8.0 Release
Notable Changes:

* build: Support for building io.js as a static
  library (Marat Abdullin) #1341
* deps: upgrade openssl to 1.0.2a (Shigeki Ohtsu) #1389
* npm: Upgrade npm to 2.8.3. (Forrest L Norvell) #1448
* src: allow multiple arguments to be passed to
  process.nextTick (Trevor Norris) #1077
* module: the interaction of require('.') with NODE_PATH has been
  restored and deprecated. This functionality will be removed at
  a later point. (Roman Reiss) #1363
2015-04-17 14:49:15 -07:00
Rod Vagg
44e1f68fb6 2015-04-14 io.js v1.7.1 Release
Notable changes:

* build: A syntax error in the Makefile for release builds caused
  1.7.0 to be DOA and unreleased. (Rod Vagg) #1421
2015-04-14 22:58:04 +10:00
Rod Vagg
a75149fd6f 2015-04-14 io.js v1.7.0 Release
Notable changes:

* C++ API: Fedor Indutny contributed a feature to V8 which has been
  backported to the V8 bundled in io.js. SealHandleScope allows a C++
  add-on author to seal a HandleScope to prevent further, unintended
  allocations within it. Currently only enabled for debug builds of
  io.js. This feature helped detect the leak in #1075 and is now
  activated on the root HandleScope in io.js. (Fedor Indutny) #1395.
* ARM: This release includes significant work to improve the state of
  ARM support for builds and tests. The io.js CI cluster's ARMv6,
  ARMv7 and ARMv8 build servers are now all (mostly) reporting passing
  builds and tests.
  - ARMv8 64-bit (AARCH64) is now properly supported, including a
    backported fix in libuv that was mistakenly detecting the
    existence of `epoll_wait()`. (Ben Noordhuis) #1365.
  - ARMv6: #1376 reported a problem with Math.exp() on ARMv6 (incl
    Raspberry Pi). The culprit is erroneous codegen for ARMv6 when
    using the "fast math" feature of V8. --nofast_math has been turned
    on for all ARMv6 variants by default to avoid this, fast math can
    be turned back on with --fast_math. (Ben Noordhuis) #1398.
  - Tests: timeouts have been tuned specifically for slower platforms,
    detected as ARMv6 and ARMv7. (Roman Reiss) #1366.
* npm: Upgrade npm to 2.7.6. See the release notes
  (https://github.com/npm/npm/releases/tag/v2.7.6) for details.
2015-04-14 22:11:29 +10:00
Jeremiah Senkpiel
f3e9da3e69 2015-04-06 io.js v1.6.4 Release
Notable changes:

* npm: upgrade npm to 2.7.5. See the npm CHANGELOG.md for details.
Includes two important security fixes.
https://github.com/npm/npm/blob/master/CHANGELOG.md#v275-2015-03-26
* openssl: preliminary work has been done for an upcoming upgrade to
OpenSSL 1.0.2a #1325 (Shigeki Ohtsu). See #589 for additional details.
* timers: a minor memory leak when timers are unreferenced was fixed,
alongside some related timers issues #1330 (Fedor Indutny). This
appears to have fixed the remaining leak reported in #1075.
* android: it is now possible to compile io.js for Android and related
devices #1307 (Giovanny Andres Gongora Granada).
2015-04-06 10:09:20 -04:00
Giovanny Andres Gongora Granada
48d69cf1bb Revert "doc: fix typo in CHANGELOG.md"
This reverts commit bde2b3e397.

PR-URL: https://github.com/iojs/io.js/pull/1349
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
2015-04-05 13:10:58 -04:00
Giovanny Andres Gongora Granada
bde2b3e397 doc: fix typo in CHANGELOG.md
PR-URL: https://github.com/iojs/io.js/pull/1342
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
2015-04-04 14:45:13 -04:00
Rod Vagg
4845f9c209 2015-03-31 io.js v1.6.3 Release
Notable changes:

 * fs: corruption can be caused by fs.writeFileSync() and append-mode
   fs.writeFile() and fs.writeFileSync() under certain circumstances,
   reported in #1058, fixed in #1063 (Olov Lassus).
 * iojs: an "internal modules" API has been introduced to allow core
   code to share JavaScript modules internally only without having to
   expose them as a public API, this feature is for core-only #848
   (Vladimir Kurchatkin).
 * timers: two minor problems with timers have been fixed:
   - Timer#close() is now properly idempotent #1288 (Petka Antonov).
   - setTimeout() will only run the callback once now after an
     unref() during the callback #1231 (Roman Reiss).
 * Windows: a "delay-load hook" has been added for compiled add-ons
   on Windows that should alleviate some of the problems that Windows
   users may be experiencing with add-ons in io.js #1251
   (Bert Belder).
 * V8: minor bug-fix upgrade for V8 to 4.1.0.27.
 * npm: upgrade npm to 2.7.4. See npm CHANGELOG.md for details.
2015-03-31 22:45:08 +11:00
Rod Vagg
33c57354aa 2015-03-23 io.js v1.6.2 Release
Notable Changes:

* Windows: The ongoing work in improving the state of Windows support
  has resulted in full test suite passes once again. As noted in the
  release notes for v1.4.2, CI system and configuration problems
  prevented it from properly reporting problems with the Windows
  tests, the problems with the CI and the codebase appear to have been
  fully resolved.
* FreeBSD: A kernel bug impacting io.js/Node.js was discovered and a
  patch has been introduced to prevent it causing problems for io.js
  (Fedor Indutny) #1218.
* module: you can now require('.') instead of having to require('./'),
  this is considered a bugfix (Michaël Zasso) #1185.
* v8: updated to 4.1.0.25 including patches for --max_old_space_size
  values above 4096 and Solaris support, both of which are already
  included in io.js.
2015-03-23 16:26:28 +11:00
Mathieu Darse
bc9c1a5a7b doc: fix typo in CHANGELOG
PR-URL: https://github.com/iojs/io.js/pull/1230
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-03-22 17:32:28 +11:00
Rod Vagg
4b91d502b1 2015-03-20 io.js v1.6.1 Release
Notable Changes:

* path: New type-checking on path.resolve()
  <https://github.com/iojs/io.js/pull/1153> uncovered some edge-cases
  being relied upon in the wild, most notably path.dirname(undefined).
  Type-checking has been loosened for path.dirname(), path.basename(),
  and path.extname(), (Colin Ihrig)
  <https://github.com/iojs/io.js/pull/1216>.
* querystring: Internal optimizations in querystring.parse() and
  querystring.stringify() <https://github.com/iojs/io.js/pull/847>
  prevented Number literals from being properly converted via
  querystring.escape() <https://github.com/iojs/io.js/pull/1208>,
  exposing a blind-spot in the test suite. The bug and the tests have
  now been fixed (Jeremiah Senkpiel)
  <https://github.com/iojs/io.js/pull/1213>.
2015-03-20 13:19:18 +11:00
Chris Dickinson
8e3a9d8de0 2015-03-19 io.js v1.6.0 Release
Notable Changes:

* node: a new -r or --require command-line option can be used to
  pre-load modules at start-up (Ali Ijaz Sheikh)
* querystring: parse() and stringify() are now faster (Brian White)
* http: the http.ClientRequest#flush() method has been deprecated and
  replaced with http.ClientRequest#flushHeaders() to match the same
  change now in Node.js v0.12 as per
  https://github.com/joyent/node/pull/9048 (Yosuke Furukawa)
* net: allow server.listen() to accept a String option for port, e.g.
  { port: "1234" }, to match the same option being accepted in
  net.connect() as of https://github.com/joyent/node/pull/9268 (Ben
  Noordhuis)
* tls: further work on the reported memory leak although there appears
  to be a minor leak remaining for the use-case in question, track
  progress at https://github.com/iojs/io.js/issues/1075.
* v8: backport a fix for an integer overflow when --max_old_space_size
  values above 4096 are used (Ben Noordhuis)
* platforms: the io.js CI system now reports passes on FreeBSD and
  SmartOS (_Solaris_).
* npm: upgrade npm to 2.7.1. See the npm CHANGELOG.md for details.
  https://github.com/npm/npm/blob/master/CHANGELOG.md#v271-2015-03-05
2015-03-19 11:12:05 -07:00
Rod Vagg
f19e9b6a76 2015-03-09 io.js v1.5.1 Release
Notable changes:

* tls: The reported TLS memory leak has been at least partially
  resolved via various commits in this release. Current testing indicated
  that there may still be some leak problems. Progress being tracked at:
  https://github.com/iojs/io.js/issues/1075
* http: Fixed an error reported at
  https://github.com/joyent/node/issues/9348 and
  https://github.com/npm/npm/issues/7349
  Pending data was not being fully read upon an 'error' event leading to
  an assertion failure on socket.destroy().
  (Fedor Indutny) https://github.com/iojs/io.js/pull/1103
2015-03-09 11:01:40 -07:00
Rod Vagg
25a7fc8ffb 2015-03-06 io.js v1.5.0 Release
Notable changes:

* buffer: New `Buffer#indexOf()` method, modelled off `Array#indexOf()`.
  Accepts a String, Buffer or a Number. Strings are interpreted as UTF8.
  (Trevor Norris) https://github.com/iojs/io.js/pull/561
* fs: `options` object properties in `'fs'` methods no longer perform a
  `hasOwnProperty()` check, thereby allowing options objects to have
  prototype properties that apply. (Jonathan Ong)
  https://github.com/iojs/io.js/pull/635
* tls: A likely TLS memory leak was reported by PayPal. Some of the recent
  changes in stream_wrap appear to be to blame. The initial fix is in
  https://github.com/iojs/io.js/pull/1078, you can track the progress
  toward closing the leak at
  https://github.com/iojs/io.js/issues/1075 (Fedor Indutny).
* npm: Upgrade npm to 2.7.0. See npm CHANGELOG.md:
  https://github.com/npm/npm/blob/master/CHANGELOG.md#v270-2015-02-26
  for details including why this is a semver-minor when it could have
  been semver-major.
* TC: Colin Ihrig (@cjihrig) resigned from the TC due to his desire to do
  more code and fewer meetings.
2015-03-06 13:59:02 -08:00
Rod Vagg
6433ad1eef doc: add missing newline in CHANGELOG
Pushed without review
2015-03-02 17:49:24 -08:00
Rod Vagg
5133304ace Working on v1.4.4 2015-03-02 16:48:12 -08:00
Rod Vagg
b0710d7657 2015-03-02 io.js v1.4.3 Release
Notable changes:

* stream: Fixed problems for platforms without `writev()` support,
  particularly Windows. Changes introduced in 1.4.1, via
  https://github.com/iojs/io.js/pull/926, broke some
  functionality for these platforms, this has now been addressed.
  https://github.com/iojs/io.js/pull/1008 (Fedor Indutny)
* arm: We have the very beginnings of ARMv8 / ARM64 / AARCH64
  support. An upgrade to OpenSSL 1.0.2 is one requirement for full
  support. https://github.com/iojs/io.js/pull/1028
  (Ben Noordhuis)
* Add new collaborator: Julian Duque @julianduque
2015-03-02 16:45:43 -08:00
Rod Vagg
b6b9628df7 2015-02-28 io.js v1.4.2 Release
Notable changes:

* tls: A typo introduced in the TLSWrap changes in
  https://github.com/iojs/io.js/pull/840 only encountered as a bug on
  Windows was not caught by the io.js CI system due to problems with the
  Windows build script and the Windows CI slave configuration, see
  Fixed in https://github.com/iojs/io.js/pull/994 &
  https://github.com/iojs/io.js/pull/1004 (Fedor Indutny)
* npm: Upgrade npm to 2.6.1. See
  https://github.com/npm/npm/blob/master/CHANGELOG.md#v260-2015-02-12
  for details.
* Add new collaborators:
  - Robert Kowalski (@robertkowalski)
  - Christian Vaagland Tellnes (@tellnes)
  - Brian White (@mscdex)
2015-02-28 15:12:58 -06:00
Tim Oxley
84ee2722a3 doc: minor formatting fixes.
PR-URL: https://github.com/iojs/io.js/pull/996
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-02-27 18:02:46 -06:00
Rod Vagg
4810dd494e 2015-02-26 io.js v1.4.1 Release
Notable changes:

* process / promises: An'unhandledRejection' event is now emitted on
  process whenever a Promise is rejected and no error handler is
  attached to the Promise within a turn of the event loop. A
  'rejectionHandled' event is now emitted whenever a Promise was
  rejected and an error handler was attached to it later than after an
  event loop turn. See the process documentation for more detail.
  https://github.com/iojs/io.js/pull/758 (Petka Antonov)
* streams: you can now use regular streams as an underlying socket for
  tls.connect() https://github.com/iojs/io.js/pull/758 (Fedor Indutny)
* http: A new 'abort' event emitted when a http.ClientRequest is
  aborted by the client. https://github.com/iojs/io.js/pull/945
  (Evan Lucas)
* V8: Upgrade V8 to 4.1.0.21. Includes an embargoed fix, details
  should be available at
  https://code.google.com/p/chromium/issues/detail?id=430201
  when embargo is lifted. A breaking ABI change has been held back
  from this upgrade, possibly to be included when io.js merges V8 4.2.
  See https://github.com/iojs/io.js/pull/952 for discussion.
* npm: Upgrade npm to 2.6.0. Includes features to support the new
  registry and to prepare for npm@3. See npm CHANGELOG.md
  https://github.com/npm/npm/blob/master/CHANGELOG.md#v260-2015-02-12
  for details.
* libuv: Upgrade to 1.4.2. See libuv ChangeLog
  https://github.com/libuv/libuv/blob/v1.x/ChangeLog for details of
  fixes.
2015-02-26 13:37:12 -06:00
Tim Oxley
2e63bad7eb doc: link & formatting of SHAs in commit list
This adds more consistency, plus links to commits are particularly useful.

PR-URL: https://github.com/iojs/io.js/pull/967
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-02-26 11:22:52 -06:00
Brian White
329f364ea2 doc: fix PR reference in CHANGELOG
The CHANGELOG referenced PR 847, but should really be 846.

PR-URL: https://github.com/iojs/io.js/pull/903
Reviewed-By: Christian Tellnes <christian@tellnes.no>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2015-02-20 10:38:05 -05:00
Rod Vagg
0ac57317aa doc: fix typo, rephrase cipher change in CHANGELOG
PR-URL: https://github.com/iojs/io.js/pull/902
Reviewed-By: Roman Reiss <me@silverwind.io>
2015-02-20 20:44:07 +11:00
Rod Vagg
1d7a47f29c 2015-02-20 io.js v1.3.0 Release
Notable changes:

* url: `url.resolve('/path/to/file', '.')` now returns `/path/to/`
  with the trailing slash, `url.resolve('/', '.')` returns `/`.
  https://github.com/iojs/io.js/issues/278 (Amir Saboury)
* tls: tls (and in turn https) now rely on a stronger default
  cipher suite which excludes the RC4 cipher. If you still want to
  use RC4, you have to specify your own ciphers suite.
  https://github.com/iojs/io.js/issues/826 (Roman Reiss)
2015-02-20 20:27:42 +11:00
Rod Vagg
69b5922b31 2015-02-10 io.js v1.2.0 Release
Notable changes:

* stream:
  - Simpler stream construction, see
    https://github.com/iojs/readable-stream/issues/102 for details.
    This extends the streams base objects to make their constructors
    accept default implementation methods, reducing the boilerplate
    required to implement custom streams. An updated version of
    readable-stream will eventually be released to match this change
    in core. (@sonewman)
* dns:
  - `lookup()` now supports an `'all'` boolean option, default to
    `false` but when turned on will cause the method to return an
    array of *all* resolved names for an address, see,
    https://github.com/iojs/io.js/pull/744 (@silverwind)
* assert:
  - Remove `prototype` property comparison in `deepEqual()`,
    considered a bugfix, see https://github.com/iojs/io.js/pull/636
    (@vkurchatkin)
  - Introduce a `deepStrictEqual()` method to mirror `deepEqual()`
    but performs strict equality checks on primitives, see
    https://github.com/iojs/io.js/pull/639 (@vkurchatkin)
* **tracing**:
  - Add LTTng (Linux Trace Toolkit Next Generation) when compiled
    with the  `--with-lttng` option. Trace points match those
    available for DTrace and ETW.
    https://github.com/iojs/io.js/pull/702 (@thekemkid)
* npm upgrade to 2.5.1
* **libuv** upgrade to 1.4.0
* Add new collaborators:
  - Aleksey Smolenchuk (@lxe)
  - Shigeki Ohtsu (@shigeki)
2015-02-11 13:48:17 +11:00
Calvin Metcalf
10277d2e57 docs: include mention of new crypto methods
Include mention of privateEncrypt and publicDecrypt in changelog.

PR-URL: https://github.com/iojs/io.js/pull/722
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
2015-02-05 19:42:50 +01:00
Chris Dickinson
6629751596 2015-02-03 io.js v1.1.0 Release
Notable changes:

* debug: fix v8 post-mortem debugging.
* crypto: publicEncrypt now supports password-protected private keys.
* crypto: ~30% speedup on hashing functions.
* errors
  - better formatting via util.inspect
  - more descriptive errors from fs. This necessitated a
    NODE_MODULE_VERSION bump.
  - more descriptive errors from http.setHeader
* dep updates:
  - npm: upgrade to 2.4.1
  - http-parser: rollback to 2.3.0
  - libuv: update to 1.3.0
  - v8: update to 4.1.0.14
* http.request: inherited properties on options are now respected
* add iterable interface to buffers.
* fs: fix fd leak on `fs.createReadStream`. See 497fd72 for details.
* installer: on Windows, emit WM_SETTINGCHANGE after install to make
  other running processes aware of the PATH changes.
* Added new collaborators:
  - Vladimir Kurchatkin (@vkurchatkin)
  - Micleușanu Nicu (@micnic)
2015-02-03 14:13:21 -08:00
Michael Hart
8b09ae76f1 doc: add links for http_parser/libuv upgrades
PR-URL: https://github.com/iojs/io.js/pull/471
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-01-27 16:43:38 +11:00
Rod Vagg
d1fc9c6cae 2015-01-24 io.js v1.0.4 Release
Notable changes:

* npm upgrade to 2.3.0 fixes Windows "uid is undefined" errors
* crypto.pseudoRandomBytes() is now an alias for crypto.randomBytes()
  and will block if there is insufficient entropy to produce secure
  values. See https://github.com/iojs/io.js/commit/e5e5980 for details.
* Patch for V8 to properly detect ARMv6; binaries now work again on
  ARMv6 (Raspberry Pi etc.)
* Minor V8 upgrade from 4.1.0.7 to 4.1.0.12
* 'punycode' core module bumped from stability level 2-Unstable,
  to 3-Stable
* Added new collaborators:
  - Thorsten Lorenz (@thlorenz)
  - Stephen Belanger (@qard)
  - Jeremiah Senkpiel (@fishrock123)
  - Evan Lucas (@evanlucas)
  - Brendan Ashworth (@brendanashworth)
2015-01-24 22:35:32 +11:00
Andres Suarez
bb766d2c47 doc: update "net" section in node to io.js changes
PR-URL: https://github.com/iojs/io.js/pull/567
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-01-24 22:04:13 +11:00
Bert Belder
60402b924b docs: remove incorrect entry from changelog
`url.format()` doesn't take a `path` option; the change that
introduced it was reverted in 913addbff5.

PR: https://github.com/iojs/io.js/pull/546
Reviewed-by: Ben Noordhuis <info@bnoordhuis.nl>
2015-01-22 02:19:34 +01:00
Rod Vagg
b5c69d1d1b 2015-01-20 io.js v1.0.3 Release
Notable changes

* V8 upgrade from 3.31 to 4.1, this is not a major upgrade, the version number "4.1" signifies tracking towards Chrome 41. The 3.31 branch is now not tracking towards a stable release.
* Re-enable Windows XP / 2003 support
* npm upgrade to 2.2.0
* Improved FreeBSD support
2015-01-20 12:35:53 +11:00
Rod Vagg
b65a11e072 2015-01-16 io.js v1.0.2 Release
Notable changes:

* Windows installer fixes
* Bundled node-gyp fixes for Windows
* http_parser v2.4.1 upgrade
* libuv v1.2.1 upgrade
2015-01-16 15:00:22 +11:00
isaacs
c80a9449b3 doc: Add http keepalive behavior to CHANGELOG.md
PR-URL: https://github.com/iojs/io.js/pull/458
Reviewer: Rod Vagg
2015-01-15 17:40:00 -08:00
Ben Noordhuis
3dd7ebb0ba doc: update cluster entry in CHANGELOG
PR-URL: https://github.com/iojs/io.js/pull/425
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
2015-01-14 22:00:51 +01:00
Rod Vagg
545959468f 2015-01-14 io.js v1.0.1 Release 2015-01-14 15:31:29 +11:00
Rui Marinho
86454cbd13 doc: improve write style consistency
Add more consistent verbs to each changelog entry, add missing periods,
trim white-space and fix sorting of entries.

PR-URL: https://github.com/iojs/io.js/pull/360
Reviewed-By: Rod Vagg <rod@vagg.org>
2015-01-14 15:12:25 +11:00
Shigeki Ohtsu
d7cbceb3c8 doc: add missed new features in CHANGELOG
Some new features were missed in Buffer and process.

PR: https://github.com/iojs/io.js/pull/359
Reviewed-by: Bert Belder <bertbelder@gmail.com>
2015-01-14 03:45:35 +01:00