Convert to asterisks when there are mixed styles in document.
Addresses Markdownlint MD004 rule
PR-URL: https://github.com/nodejs/node/pull/29516
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Address Markdownlint MD007 rule.
Default suggestion is 2 space indenting for unordered list items.
PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Address Markdownlint MD006 rule.
Can flag when list items aren't indented far enough.
PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Addresses Markdownlint MD033 issues.
Altering changlog should usually be avoided, but they don't render
currently.
PR-URL: https://github.com/nodejs/node/pull/29374
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
These are rendered as single breaks.
Addresses Markdownlint MD012 rule.
PR-URL: https://github.com/nodejs/node/pull/29352
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with keep-alive HTTP connections
(CVE-2019-5739)
* Node.js: Slowloris HTTP Denial of Service with keep-alive
(CVE-2019-5737)
* OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Notable Changes:
* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
certain circumstances, a TLS server can be forced to respond differently to
a client if a zero-byte record is received with an invalid padding
compared to a zero-byte record with an invalid MAC. This can be used as the
basis of a padding oracle attack to decrypt data.
* http:
- Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
connections remaining open and inactive for an extended period of time,
leading to a potential Denial of Service (DoS).
(CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
- Further prevention of "Slowloris" attacks on HTTP and HTTPS
connections by consistently applying the receive timeout set by
`server.headersTimeout` to connections in keep-alive mode. Reported by
Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/169
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.
Notable changes:
* cli:
- add --max-http-header-size flag (cjihrig)
https://github.com/nodejs/node/pull/24811
* http:
- add maxHeaderSize property (cjihrig)
https://github.com/nodejs/node/pull/24860
PR-URL: https://github.com/nodejs/node/pull/25178
Notable Changes:
This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.
PR-URL: https://github.com/nodejs/node/pull/24803
Refs: https://github.com/nodejs/node/pull/24796
Refs: https://github.com/nodejs/node/issues/24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
This is a security release. All Node.js users should consult the security
release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Debugger port 5858 listens on any interface by default
(CVE-2018-12120)
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
* Node.js: HTTP request splitting (CVE-2018-12116)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
(CVE-2018-5407)
Notable Changes:
* debugger: Backport of https://github.com/nodejs/node/pull/8106 to
prevent the debugger from listening on `0.0.0.0`. It now defaults to
`127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
* Headers received by HTTP servers must not exceed 8192 bytes in total to
prevent possible Denial of Service attacks. Reported by Trevor Norris.
(CVE-2018-12121 / Matteo Collina)
* A timeout of 40 seconds now applies to servers receiving HTTP headers. This
value can be adjusted with `server.headersTimeout`. Where headers are not
completely received within this period, the socket is destroyed on the next
received chunk. In conjunction with `server.setTimeout()`, this aids in
protecting against excessive resource retention and possible Denial of
Service. Reported by Jan Maybach (liebdich.com).
(CVE-2018-12122 / Matteo Collina)
* Two-byte characters are now strictly disallowed for the `path` option in
HTTP client requests. Paths containing characters outside of the range
`\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
can be reverted if necessary by supplying the
`--security-revert=CVE-2018-12116` command line argument (this is not
recommended). Reported as security concern for Node.js 6 and 8 by
Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
Fünfstück applied to Node.js 10 and later.
(CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)
PR-URL: https://github.com/nodejs-private/node-private/pull/153
Minor formatting adjustments to two changelog files in preparation for a
markdown lint rule.
PR-URL: https://github.com/nodejs/node/pull/24391
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-0732 (OpenSSL)
* CVE-2018-12115 (Node.js)
Notable changes:
* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
(CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
* Client DoS due to large DH parameter (CVE-2018-0732)
* ECDSA key extraction via local side-channel (CVE not assigned)
* Assert
* Calling `assert.fail()` with more than one argument is deprecated. #70dcacd710
* Calling `assert.ok()` with no arguments will now throw. #3cd7977a42
* Calling `assert.ifError()` will now throw with any argument other than `undefined` or `null`. Previously the method would throw with any truthy value. #e65a6e81ef
* The `assert.rejects()` and `assert.doesNotReject()` methods have been added for working with async functions. #599337f43e
* Async_hooks
* Older experimental async_hooks APIs have been removed. #1cc6b993b9
* Buffer
* Uses of `new Buffer()` and `Buffer()` outside of the `node_modules` directory will now emit a runtime deprecation warning. #9d4ab90117
* `Buffer.isEncoding()` now returns `undefined` for falsy values, including an empty string. #452eed956e
* `Buffer.fill()` will throw if an attempt is made to fill with an empty `Buffer`. #1e802539b2
* Child Process
* Undefined properties of env are ignored. #38ee25e2e2, #85739b6c5b
* Console
* The `console.table()` method has been added. #97ace04492
* Crypto
* The `crypto.createCipher()` and `crypto.createDecipher()` methods have been deprecated. Please use `crypto.createCipheriv()` and `crypto.createDecipheriv()` instead. #81f88e30dd
* The `decipher.finaltol()` method has been deprecated. #19f3927d92
* The `crypto.DEFAULT_ENCODING` property has been deprecated. #6035beea93
* The `ECDH.convertKey()` method has been added. #f2e02883e7
* The `crypto.fips` property has been deprecated. #6e7992e8b8
* Dependencies
* V8 has been updated to 6.6. #9daebb48d6
* OpenSSL has been updated to 1.1.0h. #66cb29e646
* EventEmitter
* The `EventEmitter.prototype.off()` method has been added as an alias for `EventEmitter.prototype.removeListener()`. #3bb6f07d52
* File System
* The `fs.promises` API provides experimental promisified versions of the `fs` functions. #329fc78e49
* Invalid path errors are now thrown synchronously. #d8f73385e2
* The `fs.readFile()` method now partitions reads to avoid thread pool exhaustion. #67a4ce1c6e
* HTTP
* Processing of HTTP Status codes `100`, `102-199` has been improved. #baf8495078
* Multi-byte characters in URL paths are now forbidden. #b961d9fd83
* N-API
* The n-api is no longer experimental. #cd7d7b15c1
* Net
* The `'close'` event will be emitted after `'end'`. #9b7a6914a7
* Perf_hooks
* The `PerformanceObserver` class is now an `AsyncResource` and can be monitored using `async_hooks`. #009e41826f
* Trace events are now emitted for performance events. #9e509b622b
* The `performance` API has been simplified. #2ec6995555
* Performance milestone marks will be emitted as trace events. #96cb4fb795
* Process
* Using non-string values for `process.env` is deprecated. #5826fe4e79
* The `process.assert()` method is deprecated. #703e37cf3f
* REPL
* REPL now experimentally supports top-level await when using the `--experimental-repl-await` flag. #eeab7bc068
* The previously deprecated "magic mode" has been removed. #4893f70d12
* The previously deprecated `NODE_REPL_HISTORY_FILE` environment variable has been removed. #60c9ad7979
* Proxy objects are shown as Proxy objects when inspected. #90a43906ab
* Streams
* The `'readable'` event is now always deferred with nextTick. #1e0f3315c7
* A new `pipeline()` method has been provided for building end-to-data stream pipelines. #a5cf3feaf1
* Experimental support for async for-await has been added to `stream.Readable`. #61b4d60c5d
* Timers
* The `enroll()` and `unenroll()` methods have been deprecated. #68783ae0b8
* TLS
* The `tls.convertNONProtocols()` method has been deprecated. #9204a0db6e
* Support for NPN (next protocol negotiation) has been dropped. #5bfbe5ceae
* The `ecdhCurve` default is now `'auto'`. #af78840b19
* Trace Events
* A new `trace_events` top-level module allows trace event categories to be enabled/disabld at runtime. #da5d818a54
* URL
* The WHATWG URL API is now a global. #312414662b
* Util
* `util.types.is[…]` type checks have been added. #b20af8088a
* Support for bigint formatting has been added to `util.inspect()`. #39dc947409
Notable changes:
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the
latest releases for PPC little endian were built using GCC 4.9.X
instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are
doing this release to ensure that the hosted binaries are adhering to
our platform support contract.
PR-URL: https://github.com/nodejs/node/pull/19680
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* CVE-2018-7158
* CVE-2018-7159
* CVE-2018-7160
Notable changes:
* Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that
are known to impact Node.js.
* **Fix for inspector DNS rebinding vulnerability (CVE-2018-7160)**:
A malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP
connections to localhost or to hosts on the local network,
potentially to an open inspector port as a debugger, therefore
gaining full code execution access. The inspector now only allows
connections that have a browser `Host` value of `localhost` or
`localhost6`.
* **Fix for `'path'` module regular expression denial of service
(CVE-2018-7158)**: A regular expression used for parsing POSIX an
Windows paths could be used to cause a denial of service if an
attacker were able to have a specially crafted path string passed
through one of the impacted `'path'` module functions.
* **Reject spaces in HTTP `Content-Length` header values
(CVE-2018-7159)**: The Node.js HTTP parser allowed for spaces inside
`Content-Length` header values. Such values now lead to rejected
connections in the same way as non-numeric values.
* **Update root certificates**: 5 additional root certificates have
been added to the Node.js binary and 30 have been removed.
PR-URL: https://github.com/nodejs-private/node-private/pull/113
* Older experimental APIs have been removed.
[[`d731369b1d`](https://github.com/nodejs/node/commit/d731369b1d)]
[#14414](https://github.com/nodejs/node/pull/14414)
* **Errors**
* Improvements have been made to `buffer` module error messages.
* The assignment of static error codes to Node.js error continues:
* `buffer`
* `child_process`
* `console`
* `crypto`
* `dns`
* `events`
* `fs`
* `http`
* `inspector`
* `net`
* `path`
* `process`
* `querystring`
* `readline`
* `repl`
* `streams`
* `string_decoder`
* `timers`
* `tls`
* `url`
* `util`
* `v8`
* `zlib`
* **Child Processes**
* Errors are emitted on process nextTick.
* **Domains**
* The long-deprecated `.dispose()` method has been removed.
* **fs**
* The `fs.ReadStream` and `fs.WriteStream` classes now use `destroy()`.
* `fs` module callbacks are now invoked with an undefined context.
* **HTTP/1**
* A 400 Bad Request response will now be sent when parsing fails.
* Socket timeout will be set when the socket connects.
* A bug causing the request `'error'` event to fire twice was fixed.
* HTTP clients may now use generic `Duplex` streams in addition to `net.Socket`.
* **Intl**
* The deprecated `Intl.v8BreakIterator` has been removed.
* **Modules**
* The `require.resolve()` method now supports using custom lookup paths.
* **OS**
* The `os.EOL` property is now read-only.
* **Timers**
* `setTimeout()` will emit a warning if the timeout is larger that the maximum
32-bit unsigned integer.
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
for details on patched vulnerabilities.
Notable Changes:
* zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with
windowBits set to 8. On some versions this crashes Node and you
cannot recover from it, while on some versions it throws an
exception. Node.js will now gracefully set windowBits to 9
replicating the legacy behavior to avoid a DOS vector.
https://github.com/nodejs-private/node-private/pull/95
PR-URL: https://github.com/nodejs-private/node-private/pull/97
This is a security release. All Node.js users should consult the
security release summary at:
https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
for details on patched vulnerabilities.
Notable Changes:
* build:
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node
up to collision attacks which could result in a Denial of Service.
We have temporarily disabled snapshots until a more robust solution
is found (Ali Ijaz Sheikh)
* deps:
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
which is used for parsing NAPTR responses, could be triggered to
read memory outside of the given input buffer if the passed in DNS
response packet was crafted in a particular way. This patch checks
that there is enough data for the required elements of an NAPTR
record (2 int16, 3 bytes for string lengths) before processing a
record. (David Drysdale)
PR-URL: https://github.com/nodejs/node-private/pull/89
BUILDING.md
+ L122: Missing code-language flag
+ L170: Strong should use `*` as a marker
doc/changelogs/CHANGELOG_V6.md
+ L1494: Don't pad `emphasis` with inner spaces
doc/guides/maintaining-V8.md
+ L3: Don't use multiple top level headings
+ L16: Don't use multiple top level headings
+ L40: Don't use multiple top level headings
+ L124: Don't use multiple top level headings
+ L182: Missing code-language flag
+ L223: Don't use multiple top level headings
+ L288: Don't use multiple top level headings
+ L307: Don't use multiple top level headings
doc/guides/writing-tests.md
+ L322: Missing code-language flag
+ L329: Missing code-language flag
doc/releases.md
+ L299: Missing code-language flag
PR-URL: https://github.com/nodejs/node/pull/13270
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Make the style of "Note:" paragraphs consistent and document the
guidelines in `doc/STYLE_GUIDE.md`.
PR-URL: https://github.com/nodejs/node/pull/13133
Fixes: https://github.com/nodejs/node/issues/13131
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/12206
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
https://github.com/nodejs/node/pull/10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) https://github.com/nodejs/node/pull/12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
https://github.com/nodejs/node/pull/12123
This adds an anchor for v6.10.0 in the LTS column.
PR-URL: https://github.com/nodejs/node/pull/11534
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11081
Move the LTS releases for Node 6 to the `LTS` column in the
corresponding `CHANGELOG_V6.md`.
PR-URL: https://github.com/nodejs/node/pull/10827
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
