This prevents leaking of the internal `inspect()` properties when
using a custom inspect function.
It also aligns the indentation to the way it was in v8.0.0 since
that changed unintentionally. All strings returned by the custom
inspect function will now be indented appropriately to the current
depth.
PR-URL: https://github.com/nodejs/node/pull/24971
Refs: https://github.com/nodejs/node/issues/24765
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with keep-alive HTTP connections
(CVE-2019-5739)
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
* OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Notable Changes:
* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
certain circumstances, a TLS server can be forced to respond differently to
a client if a zero-byte record is received with an invalid padding
compared to a zero-byte record with an invalid MAC. This can be used as the
basis of a padding oracle attack to decrypt data.
* http:
- Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
connections remaining open and inactive for an extended period of time,
leading to a potential Denial of Service (DoS).
(CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
- Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/169
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
* OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Notable Changes:
* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
certain circumstances, a TLS server can be forced to respond differently to
a client if a zero-byte record is received with an invalid padding
compared to a zero-byte record with an invalid MAC. This can be used as the
basis of a padding oracle attack to decrypt data.
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/165
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
A fix for the following CVE is included in this release:
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
Notable Changes:
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/164
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
A fix for the following CVE is included in this release:
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
Notable Changes:
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/163
This error is used to propagate errors returned from the
inspector module's command system.
PR-URL: https://github.com/nodejs/node/pull/26255
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: https://github.com/nodejs/node/pull/26251
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/26250
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Upstream V8 is dropping support for mips/mipsel/mips64/mips64el.
This commit removes the build flags from the configure script
and some loose ends from the documentation.
PR-URL: https://github.com/nodejs/node/pull/26192
Fixes: https://github.com/nodejs/node/issues/26179
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Yang Guo <yangguo@chromium.org>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit removes the --diagnostic-report-verbose CLI option
and all associated logic. The flag is currently only used in one
place, and only reflects the settings at startup. Additionally,
Node tends to use the NODE_DEBUG mechanism for adding verbose
output.
PR-URL: https://github.com/nodejs/node/pull/26195
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Most important change here is to point people to the YAML material in
the docs rather than the previous way we indicated versions that
introduced or deprecated APIs.
Remove contents about assets as we do not actually have any in the docs.
Otherwise, a bunch of stylistic changes, mostly to keep things concise
and direct.
PR-URL: https://github.com/nodejs/node/pull/26176
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Remove all-caps from child_process.md.
PR-URL: https://github.com/nodejs/node/pull/26141
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This adds a few examples and clarifications.
PR-URL: https://github.com/nodejs/node/pull/26110
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Include the stack of requires that led to a MODULE_NOT_FOUND error.
PR-URL: https://github.com/nodejs/node/pull/25690
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
libuv returns values for `blksize` and `blocks` on stat calls so
do not coerce them into `undefined` on Windows.
PR-URL: https://github.com/nodejs/node/pull/26056
Fixes: https://github.com/nodejs/node/issues/25913
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/26055
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Prefer structured output over stringified information
for libuv handles and the native stack trace.
PR-URL: https://github.com/nodejs/node/pull/26019
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Adds a `repl.setupHistory()` instance method so that
programmatic REPLs can also write history to a file.
This change also refactors all of the history file
management to `lib/internal/repl/history.js`, cleaning
up and simplifying `lib/internal/repl.js`.
PR-URL: https://github.com/nodejs/node/pull/25895
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25579
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
setDiagnosticReportOptions() is a method on process.report,
making the "DiagnosticReport" part redundant. Rename the
function to setOptions().
PR-URL: https://github.com/nodejs/node/pull/25990
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit makes several corrections, and generally edits the
documentation for process.report and its methods.
PR-URL: https://github.com/nodejs/node/pull/25983
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Socket timeouts set using the `'connection'` event are replaced by
`server.keepAliveTimeout` when a response is handled.
PR-URL: https://github.com/nodejs/node/pull/25748
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25565
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25565
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
When adding to the REPL API recently, I was unsure what to put as a
version number for the new method I added. This change adds a reference
to `releases.md` where the use of `REPLACEME` is discussed.
PR-URL: https://github.com/nodejs/node/pull/25961
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
PR-URL: https://github.com/nodejs/node/pull/25906
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25910
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/25855
Refs: https://github.com/nodejs/node/pull/25755
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
OpenSSL has supported async notification of sessions and tickets since
1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using
the async API is optional for TLS1.2 and below, but for TLS1.3 it will
be mandatory. Future-proof applications should start to use async
notification immediately. In the future, for TLS1.3, applications that
don't use the async API will silently, but gracefully, fail to resume
sessions and instead do a full handshake.
See: https://wiki.openssl.org/index.php/TLS1.3#Sessions
PR-URL: https://github.com/nodejs/node/pull/25831
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
