PR-URL: https://github.com/nodejs/node/pull/40029
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Shingo Inoue <leko.noor@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit adds a suggestion to create a GitHub issue for the security
release tweets. Currently, the security release document requests that
these tweets be created by asking in the #nodejs-social channel. Someone
from that channel would then create an issue, so we could just create
the issue ourselves.
PR-URL: https://github.com/nodejs/node/pull/39940
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/39925
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Main changes:
- Replace current HTML anchor generation to match
header anchor generation in GitHub markdown.
- Remove unnecessary double namespacing on generated anchors/links (e.g.
`esm.md#loaders` instead of `esm.md#esm_loaders`).
- Anchors/links are automatically prefixed with their respective modules
when concatenated for usage in `all.html`.
Benefits:
- All anchor links within and between markdown API docs actually work.
- Adding new anchor links no longer requires contributors to generate
the HTML docs first to look up the correct anchors.
- Anchors are much shorter.
- All previous anchor links are preserved by generating hidden legacy
anchors.
PR-URL: https://github.com/nodejs/node/pull/39304
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This makes it simpler for everyone to do the statistical analysis since
it doesn't require installing R and its dependencies.
Refs: https://github.com/targos/node-benchmark-compare
PR-URL: https://github.com/nodejs/node/pull/39835
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Update the maintaining openssl guide to mention following the
instructions in the v14.x-staging version of the guide for the
v14.x-staging branch as the instructions for the quic fork use
a git clone/checkout of the forked repository while the previous
instructions for the non-forked openssl use the release tarball.
Remove references to End-of-Life Node.js 10 and update for Node.js
12 as it is necessary to regenerate the configuration files.
PR-URL: https://github.com/nodejs/node/pull/39878
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
`deccompressionStream.writable` -> `decompressionStream.writable`.
PR-URL: https://github.com/nodejs/node/pull/39898
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Generators in pipeline must be able to be aborted or pipeline
can deadlock.
PR-URL: https://github.com/nodejs/node/pull/39067
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit adds a note about only creating a CVE for Node.js
vulnerabilities.
The motivation for this is a recent HackerOne report where I created a
CVE for a c-ares issue. This CVE should have been created by the c-ares
project, and it was later, but we never updated our HackerOne report to
use their CVE number. Hopefully this extra note in the release doc will
help us check for this situation and avoid this in the future.
PR-URL: https://github.com/nodejs/node/pull/39845
Refs: https://hackerone.com/reports/1178337
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
- update instructions on adding cc for email to
nodejs-sec mailing list as UI does not allow it
to be done directly.
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/39674
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/37863
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
Co-authored-by: James M Snell <jasnell@gmail.com>
Reviewed-By: Guy Bedford <guybedford@gmail.com>
Code samples that use CJS-only syntax need to use the cjs markdown
identifiers.
PR-URL: https://github.com/nodejs/node/pull/39792
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
PR-URL: https://github.com/nodejs/node/pull/39509
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
PR-URL: https://github.com/nodejs/node/pull/39766
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/39708
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
fixed variable name in queueMicrotask where url variable was used
instead of key
PR-URL: https://github.com/nodejs/node/pull/39634
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/39693
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Bradley Farias <bradley.meck@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Adds the `stream()` method to get a `ReadableStream` for the `Blob`.
Also makes some other improvements to get the implementation closer
to the API standard definition.
Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/39693
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Bradley Farias <bradley.meck@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/280
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/279
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/278