path: root/CHANGELOG.md
Age | Commit message | Author
2019-12-03 | 2019-12-03, Version 13.3.0 (Current) | Ruben Bridgewater
Notable changes: * fs: * Reworked experimental recursive `rmdir()` (cjihrig) https://github.com/nodejs/node/pull/30644 * The `maxBusyTries` option is renamed to `maxRetries`, and its default is set to 0. The `emfileWait` option has been removed, and `EMFILE` errors use the same retry logic as other errors. The `retryDelay` option is now supported. `ENFILE` errors are now retried. * http: * Make maximum header size configurable per-stream or per-server (Anna Henningsen) https://github.com/nodejs/node/pull/30570 * http2: * Make maximum tolerated rejected streams configurable (Denys Otrishko) https://github.com/nodejs/node/pull/30534 * Allow to configure maximum tolerated invalid frames (Denys Otrishko) https://github.com/nodejs/node/pull/30534 * wasi: * Introduce initial WASI support (cjihrig) https://github.com/nodejs/node/pull/30258 PR-URL: https://github.com/nodejs/node/pull/30774
2019-11-21 | 2019-11-21, Version 13.2.0 (Current) | Myles Borins
Notable changes: * addons: * Deprecate one- and two-argument `AtExit()`. Use the three-argument variant of `AtExit()` or `AddEnvironmentCleanupHook()` instead (Anna Henningsen) https://github.com/nodejs/node/pull/30227 * child_process,cluster: * The `serialization` option is added that allows child process IPC to use the V8 serialization API (to e.g., pass through data types like sets or maps) (Anna Henningsen) https://github.com/nodejs/node/pull/30162 * deps: * Update V8 to 7.9 * Update `npm` to 6.13.0 (Ruy Adorno) https://github.com/nodejs/node/pull/30271 * embedder: * Exposes the ability to pass cli flags / options through an API as embedder (Shelley Vohr) https://github.com/nodejs/node/pull/30466 * Allow adding linked bindings to Environment (Anna Henningsen) https://github.com/nodejs/node/pull/30274 * esm: * Unflag --experimental-modules (Guy Bedford) https://github.com/nodejs/node/pull/29866 * stream: * Add `writable.writableCorked` property (Robert Nagy) https://github.com/nodejs/node/pull/29012 * worker: * Allow specifying resource limits (Anna Henningsen) https://github.com/nodejs/node/pull/26628 * v8: * The Serialization API is now stable (Anna Henningsen) https://github.com/nodejs/node/pull/30234 PR-URL: https://github.com/nodejs/node/pull/30547
2019-11-19 | 2019-11-19, Version 12.13.1 'Erbium' (LTS) | Michaël Zasso
Notable changes: * Experimental support for building Node.js with Python 3 is improved. * ICU time zone data is updated to version 2019c. This fixes the date offset in Brazil. PR-URL: https://github.com/nodejs/node/issues/30352
2019-11-05 | 2019-11-05, Version 13.1.0 (Current) | Michaël Zasso
Notable changes: * cli: * Added a new flag (`--trace-uncaught`) that makes Node.js print the stack trace at the time of throwing uncaught exceptions, rather than at the creation of the `Error` object, if there is any. This is disabled by default because it affects GC behavior. https://github.com/nodejs/node/pull/30025 * crypto * Added `Hash.prototype.copy()` method. It returns a new `Hash` object with its internal state cloned from the original one. https://github.com/nodejs/node/pull/29910 * dgram * Added source-specific multicast support. This adds methods to Datagram sockets to support RFC 4607 (https://tools.ietf.org/html/rfc4607) for IPv4 and IPv6. https://github.com/nodejs/node/pull/15735 * fs * Added a `bufferSize` option to `fs.opendir()`. It allows to control the number of entries that are buffered internally when reading from the directory. https://github.com/nodejs/node/pull/30114 * meta * Added Chengzhong Wu (https://github.com/legendecas) to collaborators. https://github.com/nodejs/node/pull/30115 PR-URL: https://github.com/nodejs/node/pull/30262
2019-10-23 | 2019-10-23, Version 13.0.1 (Current) | Myles Borins
Notable changes: * deps: * Fixed a bug in npm 6.12.0 where warnings are emitted on Node.js 13.x. https://github.com/nodejs/node/pull/30079 * esm: * Changed file extension resolution order of `--es-module-specifier-resolution=node` to match that of the CommonJS loader. https://github.com/nodejs/node/pull/29974 PR-URL: https://github.com/nodejs/node/pull/30081
2019-10-22 | 2019-10-22, Version 10.17.0 'Dubnium' (LTS) | Beth Griggs
Notable changes: * crypto: * add support for chacha20-poly1305 for AEAD (chux0519) https://github.com/nodejs/node/pull/24081 * increase maxmem range from 32 to 53 bits (Tobias Nießen) https://github.com/nodejs/node/pull/28799 * deps: * update npm to 6.11.3 (claudiahdz) https://github.com/nodejs/node/pull/29430 * upgrade openssl sources to 1.1.1d (Sam Roberts) https://github.com/nodejs/node/pull/29921 * dns: * remove dns.promises experimental warning (cjihrig) https://github.com/nodejs/node/pull/26592 * fs: * remove experimental warning for fs.promises (Anna Henningsen) https://github.com/nodejs/node/pull/26581 * http: * makes response.writeHead return the response (Mark S. Everitt) https://github.com/nodejs/node/pull/25974 * http2: * makes response.writeHead return the response (Mark S. Everitt) https://github.com/nodejs/node/pull/25974 * n-api: * make func argument of napi_create_threadsafe_function optional (legendecas) https://github.com/nodejs/node/pull/27791 * mark version 5 N-APIs as stable (Gabriel Schulhof) https://github.com/nodejs/node/pull/29401 * implement date object (Jarrod Connolly) https://github.com/nodejs/node/pull/25917 * process: * add --unhandled-rejections flag (Ruben Bridgewater) https://github.com/nodejs/node/pull/26599 * stream: * implement Readable.from async iterator utility (Guy Bedford) https://github.com/nodejs/node/pull/27660 * make Symbol.asyncIterator support stable (Matteo Collina) https://github.com/nodejs/node/pull/26989 PR-URL: https://github.com/nodejs/node/pull/29875
2019-10-22 | 2019-10-22, Version 13.0.0 (Current) | Beth Griggs
Notable changes: * assert: * If the validation function passed to `assert.throws()` or `assert.rejects()` returns a value other than `true`, an assertion error will be thrown instead of the original error to highlight the programming mistake (Ruben Bridgewater). https://github.com/nodejs/node/pull/28263 * If a constructor function is passed to validate the instance of errors thrown in `assert.throws()` or `assert.rejects()`, an assertion error will be thrown instead of the original error (Ruben Bridgewater). https://github.com/nodejs/node/pull/28263 * build: * Node.js releases are now built with default full-icu support. This means that all locales supported by ICU are now included and Intl-related APIs may return different values than before (Richard Lau). https://github.com/nodejs/node/pull/29887 * The minimum Xcode version supported for macOS was increased to 10. It is still possible to build Node.js with Xcode 8 but this may no longer be the case in a future v13.x release (Michael Dawson). https://github.com/nodejs/node/pull/29622 * child_process: * `ChildProcess._channel` (DEP0129) is now a Runtime deprecation (cjihrig). https://github.com/nodejs/node/pull/27949 * console: * The output of `console.timeEnd()` and `console.timeLog()` will now automatically select a suitable time unit instead of always using milliseconds (Xavier Stouder). https://github.com/nodejs/node/pull/29251 * deps: * The V8 engine was updated to version 7.8. This includes performance improvements to object destructuring, memory usage and WebAssembly startup time (Myles Borins). https://github.com/nodejs/node/pull/29694 * domain: * The domain's error handler is now executed with the active domain set to the domain's parent to prevent inner recursion (Julien Gilli). https://github.com/nodejs/node/pull/26211 * fs: * The undocumented method `FSWatcher.prototype.start()` was removed (Lucas Holmquist).
https://github.com/nodejs/node/pull/29905 * Calling the `open()` method on a `ReadStream` or `WriteStream` now emits a runtime deprecation warning. The methods are supposed to be internal and should not be called by user code (Robert Nagy). https://github.com/nodejs/node/pull/29061 * `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now accept any safe integer as their `offset` parameter. The value of `offset` is also no longer coerced, so a valid type must be passed to the functions (Zach Bjornson). https://github.com/nodejs/node/pull/26572 * http: * Aborted requests no longer emit the `end` or `error` events after `aborted` (Robert Nagy). https://github.com/nodejs/node/pull/27984 https://github.com/nodejs/node/pull/20077 * Data will no longer be emitted after a socket error (Robert Nagy). https://github.com/nodejs/node/pull/28711 * The legacy HTTP parser (previously available under the `--http-parser=legacy` flag) was removed (Anna Henningsen). https://github.com/nodejs/node/pull/29589 * The `host` option for HTTP requests is now validated to be a string value (Giorgos Ntemiris). https://github.com/nodejs/node/pull/29568 * The `request.connection` and `response.connection` properties are now runtime deprecated. The equivalent `request.socket` and `response.socket` should be used instead (Robert Nagy). https://github.com/nodejs/node/pull/29015 * http, http2: * The default server timeout was removed (Ali Ijaz Sheikh). https://github.com/nodejs/node/pull/27558 * Brought 425 status code name into accordance with RFC 8470. The name changed from "Unordered Collection" to "Too Early" (Sergei Osipov). https://github.com/nodejs/node/pull/29880 * lib: * The `error.errno` property will now always be a number. To get the string value, use `error.code` instead (Joyee Cheung). https://github.com/nodejs/node/pull/28140 * module: * `module.createRequireFromPath()` is deprecated. Use `module.createRequire()` instead (cjihrig). 
https://github.com/nodejs/node/pull/27951 * src: * Changing the value of `process.env.TZ` will now clear the tz cache. This affects the default time zone used by methods such as `Date.prototype.toString` (Ben Noordhuis). https://github.com/nodejs/node/pull/20026 * stream: * The timing and behavior of streams was consolidated for a number of edge cases. Please look at the individual commits below for more information. PR-URL: https://github.com/nodejs/node/pull/29504
2019-10-21 | 2019-10-21, Version 12.13.0 'Erbium' (LTS) | Michaël Zasso
This release marks the transition of Node.js 12.x into Long Term Support (LTS) with the codename 'Erbium'. The 12.x release line now moves into "Active LTS" and will remain so until October 2020. After that time, it will move into "Maintenance" until end of life in April 2022. Notable changes: npm was updated to 6.12.0. It now includes a version of `node-gyp` that supports Python 3 for building native modules. PR-URL: https://github.com/nodejs/node/pull/29981
2019-10-11 | 2019-10-11, Version 12.12.0 (Current) | Ruben Bridgewater
Notable changes: * build: * Add `--force-context-aware` flag to prevent usage of native node addons that aren't context aware https://github.com/nodejs/node/pull/29631 * deprecations: * Add documentation-only deprecation for `process._tickCallback()` https://github.com/nodejs/node/pull/29781 * esm: * Using JSON modules is experimental again https://github.com/nodejs/node/pull/29754 * fs: * Introduce `opendir()` and `fs.Dir` to iterate through directories https://github.com/nodejs/node/pull/29349 * process: * Add source-map support to stack traces by using `--source-map-support` https://github.com/nodejs/node/pull/29564 * tls: * Honor `pauseOnConnect` option https://github.com/nodejs/node/pull/29635 * Add option for private keys for OpenSSL engines https://github.com/nodejs/node/pull/28973 PR-URL: https://github.com/nodejs/node/pull/29919
2019-10-09 | 2019-10-09, Version 8.16.2 'Carbon' (LTS) | Beth Griggs
Node.js 8 is due to go End-of-Life on 31st December 2019. Notable changes: - **deps**: upgrade openssl sources to 1.0.2s (Sam Roberts) [#28230](https://github.com/nodejs/node/pull/28230) PR-URL: https://github.com/nodejs/node/pull/29617
2019-10-01 | 2019-10-01, Version 12.11.1 (Current) | Michaël Zasso
Notable changes: * build: * This release fixes a regression that prevented building Node.js using the official source tarball. https://github.com/nodejs/node/pull/29712 * deps: * Updated small-icu data to support "unit" style in the `Intl.NumberFormat` API. https://github.com/nodejs/node/pull/29735 PR-URL: https://github.com/nodejs/node/pull/29796
2019-09-26 | 2019-09-24, Version 12.11.0 (Current) | Ruben Bridgewater
Notable changes: * crypto: * Add `oaepLabel` option https://github.com/nodejs/node/pull/29489 * deps: * Update V8 to 7.7.299.11 https://github.com/nodejs/node/pull/28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` https://github.com/nodejs/node/pull/29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` https://github.com/nodejs/node/pull/29260 * inspector: * New API - `Session.connectToMainThread` https://github.com/nodejs/node/pull/28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` https://github.com/nodejs/node/pull/28960 * stream: * Make `_write()` optional when `_writev()` is implemented https://github.com/nodejs/node/pull/29639 * tls: * Add option to override signature algorithms https://github.com/nodejs/node/pull/29598 * util: * Add `encodeInto` to `TextEncoder` https://github.com/nodejs/node/pull/29524 * worker: * The `worker_thread` module is now stable https://github.com/nodejs/node/pull/29512 PR-URL: https://github.com/nodejs/node/pull/29695
2019-09-04 | 2019-09-04, Version 12.10.0 (Current) | Ruben Bridgewater
Notable changes: * deps: * Update npm to 6.10.3 (isaacs) https://github.com/nodejs/node/pull/29023 * fs: * Add recursive option to rmdir() (cjihrig) https://github.com/nodejs/node/pull/29168 * Allow passing true to emitClose option (Giorgos Ntemiris) https://github.com/nodejs/node/pull/29212 * Add *timeNs properties to BigInt Stats objects (Joyee Cheung) https://github.com/nodejs/node/pull/21387 * net: * Allow reading data into a static buffer (Brian White) https://github.com/nodejs/node/pull/25436 PR-URL: https://github.com/nodejs/node/pull/29429
2019-08-28 | doc: heading levels should only increment by one | Nick Schonning
These are flagged by Markdownlint MD001 rule. PR-URL: https://github.com/nodejs/node/pull/29331 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
2019-08-26 | 2019-08-26, Version 12.9.1 (Current) | Michaël Zasso
Notable changes: This release fixes two regressions in the http module: * Fixes an event listener leak in the HTTP client. This resulted in lots of warnings during npm/yarn installs. https://github.com/nodejs/node/pull/29245 * Fixes a regression preventing the `'end'` event from being emitted for keepalive requests in case the full body was not parsed. https://github.com/nodejs/node/pull/29263 PR-URL: https://github.com/nodejs/node/pull/29321
2019-08-20 | 2019-08-20, Version 12.9.0 (Current) | Michaël Zasso
Notable changes: * crypto: * Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding. https://github.com/nodejs/node/pull/28335 * deps: * Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955 * Improves the performance of various APIs such as `JSON.parse` and methods called on frozen arrays. * Adds the Promise.allSettled method. * Improves support of `BigInt` in `Intl` methods. * For more information: https://v8.dev/blog/v8-release-76 * Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070 * `UV_FS_O_FILEMAP` has been added for faster access to memory mapped files on Windows. * `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on Windows. It previously returned `UV_ENOENT`. * The `uv_fs_statfs()` API has been added. * The `uv_os_environ()` and `uv_os_free_environ()` APIs have been added. * fs: * Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise version) methods. They allow to write an array of `ArrayBufferView`s to a file descriptor. https://github.com/nodejs/node/pull/25925 https://github.com/nodejs/node/pull/29186 * http: * Added three properties to `OutgoingMessage.prototype`: `writableObjectMode`, `writableLength` and `writableHighWaterMark` https://github.com/nodejs/node/pull/29018 * stream: * Added a new property `readableEnded` to readable streams. Its value is set to `true` when the `'end'` event is emitted. https://github.com/nodejs/node/pull/28814 * Added a new property `writableEnded` to writable streams. Its value is set to `true` after `writable.end()` has been called. https://github.com/nodejs/node/pull/28934 PR-URL: https://github.com/nodejs/node/pull/29210
2019-08-15 | 2019-08-15, Version 8.16.1 'Carbon' (LTS) | Beth Griggs
This is a security release. Notable changes: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Vulnerabilities fixed: * CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. * CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. * CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service. * CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service. * CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service. * CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service. * CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google) PR-URL: https://github.com/nodejs/node/pull/29152
2019-08-15 | 2019-08-15, Version 10.16.3 'Dubnium' (LTS) | Beth Griggs
This is a security release. Notable changes: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Vulnerabilities fixed: * CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. * CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. * CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service. * CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service. * CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service. * CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service. * CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google) PR-URL: https://github.com/nodejs/node/pull/29148
2019-08-15 | 2019-08-15, Version 12.8.1 (Current) | Michaël Zasso
This is a security release. Notable changes: Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. Vulnerabilities fixed: * CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. * CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service. * CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service. * CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service. * CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service. * CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service. * CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google) PR-URL: https://github.com/nodejs/node/pull/29133
2019-08-06 | 2019-08-06, Version 10.16.2 'Dubnium' (LTS) | Beth Griggs
Notable changes: This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy. Refs: https://github.com/nodejs/node/issues/28932 PR-URL: https://github.com/nodejs/node/pull/29021
2019-08-07 | 2019-08-06, Version 12.8.0 (Current) | Ruben Bridgewater
Notable changes: * assert: * Legacy mode deprecation (`DEP0089`) is revoked (Colin Ihrig) https://github.com/nodejs/node/pull/28892 * crypto: * The `outputLength` option is added to `crypto.createHash` (Tobias Nießen) https://github.com/nodejs/node/pull/28805 * The `maxmem` range is increased from 32 to 53 bits (Tobias Nießen) https://github.com/nodejs/node/pull/28799 * n-api: * Added APIs for per-instance state management (Gabriel Schulhof) https://github.com/nodejs/node/pull/28682 * report: * Network interfaces get included in the report (cjihrig) https://github.com/nodejs/node/pull/28911 * src: * `v8.getHeapCodeStatistics()` is now exported (Yuriy Vasiyarov) https://github.com/nodejs/node/pull/27978 PR-URL: https://github.com/nodejs/node/pull/29017
2019-07-31 | 2019-07-31, Version 10.16.1 'Dubnium' (LTS) | Beth Griggs
Notable changes: - **deps**: upgrade openssl sources to 1.1.1c (Sam Roberts) [#28212](https://github.com/nodejs/node/pull/28212) - **stream**: do not unconditionally call `_read()` on `resume()` (Anna Henningsen) [#26965](https://github.com/nodejs/node/pull/26965) - **worker**: fix nullptr deref after MessagePort deser failure (Anna Henningsen) [#25076](https://github.com/nodejs/node/pull/25076) PR-URL: https://github.com/nodejs/node/pull/28731
2019-07-23 | 2019-07-23, Version 12.7.0 (Current) | Michaël Zasso
Notable changes: * deps: * Updated nghttp2 to 1.39.1. https://github.com/nodejs/node/pull/28448 * Updated npm to 6.10.0. https://github.com/nodejs/node/pull/28525 * esm: * Implemented experimental "pkg-exports" proposal. A new `"exports"` field can be added to a module's `package.json` file to provide custom subpath aliasing. See https://github.com/jkrems/proposal-pkg-exports/ for more information. https://github.com/nodejs/node/pull/28568 * http: * Added `response.writableFinished`. https://github.com/nodejs/node/pull/28681 * Exposed `headers`, `rawHeaders` and other fields on an `http.ClientRequest` `"information"` event. https://github.com/nodejs/node/pull/28459 * inspector: * Added `inspector.waitForDebugger()`. https://github.com/nodejs/node/pull/28453 * policy: * Added `--policy-integrity=sri` CLI option to mitigate policy tampering. If a policy integrity is specified and the policy does not have that integrity, Node.js will error prior to running any code. https://github.com/nodejs/node/pull/28734 * readline,tty: * Exposed stream API from various methods which write characters. https://github.com/nodejs/node/pull/28674 https://github.com/nodejs/node/pull/28721 * src: * Use cgroups to get memory limits. This improves the way we set the memory ceiling for a Node.js process. Previously we would use the physical memory size to estimate the necessary V8 heap sizes. The physical memory size is not necessarily the correct limit, e.g. if the process is running inside a docker container or is otherwise constrained. This change adds the ability to get a memory limit set by linux cgroups, which is used by docker containers to set resource constraints. https://docs.docker.com/config/containers/resource_constraints/ https://github.com/nodejs/node/pull/27508 PR-URL: https://github.com/nodejs/node/pull/28817
2019-07-03 | 2019-07-03, Version 12.6.0 (Current) | Michaël Zasso
Notable changes: * build: * Experimental support for building Node.js on MIPS architecture is back. https://github.com/nodejs/node/pull/27992 * child_process: * The promisified versions of `child_process.exec` and `child_process.execFile` now both return a `Promise` which has the child instance attached to their `child` property. https://github.com/nodejs/node/pull/28325 * deps: * Updated libuv to 1.30.1. https://github.com/nodejs/node/pull/28449, https://github.com/nodejs/node/pull/28511 * Support for the Haiku platform has been added. * The maximum `UV_THREADPOOL_SIZE` has been increased from 128 to 1024. * `uv_fs_copyfile()` now works properly when the source and destination files are the same. * process: * A new method, `process.resourceUsage()` was added. It returns resource usage for the current process, such as CPU time. https://github.com/nodejs/node/pull/28018 * src: * Fixed an issue related to stdio that could lead to a crash of the process in some circumstances. https://github.com/nodejs/node/pull/28490 * stream: * Added a `writableFinished` property to writable streams. It indicates that all the data has been flushed to the underlying system. https://github.com/nodejs/node/pull/28007 * worker: * Fixed an issue that prevented worker threads from listening for data on stdin. https://github.com/nodejs/node/pull/28153 * meta: * Added Jiawen Geng (https://github.com/gengjiawen) to collaborators. https://github.com/nodejs/node/pull/28322 PR-URL: https://github.com/nodejs/node/pull/28508
2019-06-27 | 2019-06-27, Version 12.5.0 (Current) | Ruben Bridgewater
Notable changes: * build: * The startup time is reduced by enabling V8 snapshots by default https://github.com/nodejs/node/pull/28181 * deps: * Updated `V8` to 7.5.288.22 https://github.com/nodejs/node/pull/27375 * The numeric separator (v8.dev/features/numeric-separators) feature is now enabled by default * Updated `OpenSSL` to 1.1.1c https://github.com/nodejs/node/pull/28211 * inspector: * The `--inspect-publish-uid` flag was added to specify ways of the inspector web socket url exposure https://github.com/nodejs/node/pull/27741 * n-api: * Accessors on napi_define_* are now ECMAScript-compliant https://github.com/nodejs/node/pull/27851 * report: * The cpu info got added to the report output https://github.com/nodejs/node/pull/28188 * src: * Restore the original state of the stdio file descriptors on exit to prevent leaving stdio in raw or non-blocking mode https://github.com/nodejs/node/pull/24260 * tools,gyp: * Introduce MSVS 2019 https://github.com/nodejs/node/pull/27375 * util: * inspect: * Array grouping became more compact and uses more columns than before https://github.com/nodejs/node/pull/28059 https://github.com/nodejs/node/pull/28070 * Long strings will not be split at 80 characters anymore. Instead they will be split on new lines https://github.com/nodejs/node/pull/28055 * worker: * `worker.terminate()` now returns a promise and using the callback is deprecated https://github.com/nodejs/node/pull/28021 PR-URL: https://github.com/nodejs/node/pull/28268
2019-06-07 | doc: mark Node.js 11 as EOL in changelog | Richard Lau
Update the changelog to mark Node.js 11 as End-of-Life. Remove the column for Node.js 11 changelog entries from the table. PR-URL: https://github.com/nodejs/node/pull/28076 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> Reviewed-By: Rich Trott <rtrott@gmail.com>
2019-06-04 | 2019-06-04, Version 12.4.0 (Current) | Michaël Zasso
Notable changes: * doc: * The JSON variant of the API documentation is no longer experimental (Rich Trott) https://github.com/nodejs/node/pull/27842. * esm: * JSON module support is always enabled under `--experimental-modules`. The `--experimental-json-modules` flag has been removed (Myles Borins) https://github.com/nodejs/node/pull/27752. * http,http2: * A new flag has been added for overriding the default HTTP server socket timeout (which is two minutes). Pass `--http-server-default-timeout=milliseconds` or `--http-server-default-timeout=0` to respectively change or disable the timeout. Starting with Node.js 13.0.0, the timeout will be disabled by default (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/27704. * inspector: * Added an experimental `--heap-prof` flag to start the V8 heap profiler on startup and write the heap profile to disk before exit (Joyee Cheung) https://github.com/nodejs/node/pull/27596. * stream: * The `readable.unshift()` method now correctly converts strings to buffers. Additionally, a new optional argument is accepted to specify the string's encoding, such as `'utf8'` or `'ascii'` (Marcos Casagrande) https://github.com/nodejs/node/pull/27194. * v8: * The object returned by `v8.getHeapStatistics()` has two new properties: `number_of_native_contexts` and `number_of_detached_contexts` (Yuriy Vasiyarov) https://github.com/nodejs/node/pull/27933. PR-URL: https://github.com/nodejs/node/pull/28040
2019-05-28 | 2019-05-28, Version 10.16.0 'Dubnium' (LTS) | Beth Griggs
Notable changes: - **deps**: - update ICU to 64.2 (Ujjwal Sharma) [#27361](https://github.com/nodejs/node/pull/27361) - upgrade npm to 6.9.0 (Kat Marchán) [#26244](https://github.com/nodejs/node/pull/26244) - upgrade openssl sources to 1.1.1b (Sam Roberts) [#26327](https://github.com/nodejs/node/pull/26327) - upgrade to libuv 1.28.0 (cjihrig) [#27241](https://github.com/nodejs/node/pull/27241) - **events**: - add once method to use promises with EventEmitter (Matteo Collina) [#26078](https://github.com/nodejs/node/pull/26078) - **n-api**: - mark thread-safe function as stable (Gabriel Schulhof) [#25556](https://github.com/nodejs/node/pull/25556) - **repl**: - support top-level for-await-of (Shelley Vohr) [#23841](https://github.com/nodejs/node/pull/23841) - **zlib**: - add brotli support (Anna Henningsen) [#24938](https://github.com/nodejs/node/pull/24938) PR-URL: https://github.com/nodejs/node/pull/27514
2019-05-22 | 2019-05-22, Version v12.3.1 (Current) | Ruben Bridgewater
Notable changes * deps: * Fix handling of +0/-0 when constant field tracking is enabled (Michaël Zasso) https://github.com/nodejs/node/pull/27792 * Fix `os.freemem()` and `os.totalmem` correctness (cjihrig) https://github.com/nodejs/node/pull/27718 * src: * Fix v12.3.0 regression that prevents native addons from compiling https://github.com/nodejs/node/pull/27804 PR-URL: https://github.com/nodejs/node/pull/27814
2019-05-21 | 2019-05-21, Version 12.3.0 (Current) | Ruben Bridgewater
Notable changes: * esm: * Added the `--experimental-wasm-modules` flag to support WebAssembly modules (Myles Borins & Guy Bedford) https://github.com/nodejs/node/pull/27659 * process: * Log errors using `util.inspect` in case of fatal exceptions (Ruben Bridgewater) https://github.com/nodejs/node/pull/27243 * repl: * Add `process.on('uncaughtException')` support (Ruben Bridgewater) https://github.com/nodejs/node/pull/27151 * stream: * Implemented `Readable.from` async iterator utility (Guy Bedford) https://github.com/nodejs/node/pull/27660 * tls: * Expose built-in root certificates (Ben Noordhuis) https://github.com/nodejs/node/pull/26415 * Support `net.Server` options (Luigi Pinca) https://github.com/nodejs/node/pull/27665 * Expose `keylog` event on TLSSocket (Alba Mendez) https://github.com/nodejs/node/pull/27654 * worker: * Added the ability to unshift messages from the `MessagePort` (Anna Henningsen) https://github.com/nodejs/node/pull/27294 PR-URL: https://github.com/nodejs/node/pull/27799
2019-05-14 | doc,tools: updates for 6.x End-of-Life | Richard Lau
PR-URL: https://github.com/nodejs/node/pull/27658 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
2019-05-07 | 2019-05-07, Version 12.2.0 (Current) | Michaël Zasso
Notable changes: * deps: * Updated llhttp to 1.1.3. This fixes a bug that made Node.js' HTTP parser refuse any request URL that contained the "|" (vertical bar) character. https://github.com/nodejs/node/pull/27595 * tls: * Added an `enableTrace()` method to `TLSSocket` and an `enableTrace` option to `tls.createServer()`. When enabled, TLS packet trace information is written to `stderr`. This can be used to debug TLS connection problems. https://github.com/nodejs/node/pull/27497 https://github.com/nodejs/node/pull/27376 * cli: * Added a `--trace-tls` command-line flag that enables tracing of TLS connections without the need to modify existing application code. https://github.com/nodejs/node/pull/27497 * Added a `--cpu-prof-interval` command-line flag. It can be used to specify the sampling interval for the CPU profiles generated by `--cpu-prof`. https://github.com/nodejs/node/pull/27535 * module: * Added the `createRequire()` method. It allows creating a require function from a file URL object, a file URL string or an absolute path string. The existing `createRequireFromPath()` method is now deprecated https://github.com/nodejs/node/pull/27405. * Throw on `require('./path.mjs')`. This is technically a breaking change that should have landed with Node.js 12.0.0. It is necessary to have this to keep the possibility for a future minor version to load ES Modules with the require function. https://github.com/nodejs/node/pull/27417 * repl: * The REPL now supports multi-line statements using `BigInt` literals as well as public and private class fields and methods. https://github.com/nodejs/node/pull/27400 * The REPL now supports tab autocompletion of file paths with `fs` methods. https://github.com/nodejs/node/pull/26648 * meta: * Added Christian Clauss (https://github.com/cclauss) to collaborators. https://github.com/nodejs/node/pull/27554 PR-URL: https://github.com/nodejs/node/pull/27578
2019-04-30 | 2019-04-30, Version 11.15.0 (Current) | Shelley Vohr
Notable changes: * deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](https://github.com/nodejs/node/pull/19794) * src: add .code and SSL specific error properties (Sam Roberts) [#25093](https://github.com/nodejs/node/pull/25093) * tls: * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951) * supported shared openssl 1.1.0 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951) * revert default max to TLSv1.2 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951) * revert change to invalid protocol error type (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951) * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209) * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729) PR-URL: https://github.com/nodejs/node/pull/27314
2019-04-29 | 2019-04-29, Version 12.1.0 (Current) | Michaël Zasso
Notable changes: * intl: * Update ICU to 64.2. This adds support for Japanese Era (Reiwa). https://github.com/nodejs/node/pull/27361 * Fixes a bug in ICU that affected Node.js 12.0.0 in the case where `new Date().toLocaleString()` was called with a non-default locale. https://github.com/nodejs/node/pull/27415 * C++ API: * Added an overload of `EmitAsyncDestroy` that can be used during garbage collection. https://github.com/nodejs/node/pull/27255 PR-URL: https://github.com/nodejs/node/pull/27440
2019-04-26 | Add Node 12 to the first list of versions | Rivaldo Junior
PR-URL: https://github.com/nodejs/node/pull/27414 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Roman Reiss <me@silverwind.io> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
2019-04-23 | 2019-04-23, Version 12.0.0 (Current) | Beth Griggs
Notable changes: * assert: * validate required arguments (Ruben Bridgewater) [#26641](https://github.com/nodejs/node/pull/26641) * adjust loose assertions (Ruben Bridgewater) [#25008](https://github.com/nodejs/node/pull/25008) * async_hooks: * remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](https://github.com/nodejs/node/pull/26530) * remove promise object from resource (Andreas Madsen) [#23443](https://github.com/nodejs/node/pull/23443) * bootstrap: make Buffer and process non-enumerable (Ruben Bridgewater) [#24874](https://github.com/nodejs/node/pull/24874) * buffer: * use stricter range checks (Ruben Bridgewater) [#27045](https://github.com/nodejs/node/pull/27045) * harden `SlowBuffer` creation (ZYSzys) [#26272](https://github.com/nodejs/node/pull/26272) * harden validation of buffer allocation size (ZYSzys) [#26162](https://github.com/nodejs/node/pull/26162) * do proper error propagation in addon methods (Anna Henningsen) [#23939](https://github.com/nodejs/node/pull/23939) * child_process: * remove `options.customFds` (cjihrig) [#25279](https://github.com/nodejs/node/pull/25279) * harden fork arguments validation (ZYSzys) [#27039](https://github.com/nodejs/node/pull/27039) * use non-infinite `maxBuffer` defaults (kohta ito) [#23027](https://github.com/nodejs/node/pull/23027) * console: * don't use ANSI escape codes when `TERM=dumb` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261) * crypto: * remove legacy native handles (Tobias Nießen) [#27011](https://github.com/nodejs/node/pull/27011) * decode missing passphrase errors (Tobias Nießen) [#25208](https://github.com/nodejs/node/pull/25208) * remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](https://github.com/nodejs/node/pull/26249) * remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](https://github.com/nodejs/node/pull/25338) * set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) 
[#23222](https://github.com/nodejs/node/pull/23222) * deps: * update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann) (Anna Henningsen, Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685) * bump minimum icu version to 63 (Ujjwal Sharma) [#25852](https://github.com/nodejs/node/pull/25852) * update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](https://github.com/nodejs/node/pull/26327) * errors: * update error name (Ruben Bridgewater) [#26738](https://github.com/nodejs/node/pull/26738) * fs: * use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](https://github.com/nodejs/node/pull/26690) * improve mode validation (Ruben Bridgewater) [#26575](https://github.com/nodejs/node/pull/26575) * harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](https://github.com/nodejs/node/pull/25579) * make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](https://github.com/nodejs/node/pull/23709) * http: * validate timeout in `ClientRequest()` (cjihrig) [#26214](https://github.com/nodejs/node/pull/26214) * return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](https://github.com/nodejs/node/pull/25605) * switch default parser to llhttp (Anna Henningsen) [#24870](https://github.com/nodejs/node/pull/24870) * Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](https://github.com/nodejs/node/pull/24167) * lib: * remove `Atomics.wake()` (Gus Caplan) [#27033](https://github.com/nodejs/node/pull/27033) * move DTRACE\_\* probes out of global scope (James M Snell) [#26541](https://github.com/nodejs/node/pull/26541) * deprecate `_stream_wrap` (Sam Roberts) [#26245](https://github.com/nodejs/node/pull/26245) * use ES6 class inheritance style (Ruben Bridgewater) [#24755](https://github.com/nodejs/node/pull/24755) * module: * remove unintended access to deps/ (Anna Henningsen) 
[#25138](https://github.com/nodejs/node/pull/25138) * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690) * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690) * remove dead code (Ruben Bridgewater) [#26983](https://github.com/nodejs/node/pull/26983) * make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](https://github.com/nodejs/node/pull/26973) * throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](https://github.com/nodejs/node/pull/26823) * don't search in `require.resolve.paths` (cjihrig) [#23683](https://github.com/nodejs/node/pull/23683) * net: * remove `Server.listenFD()` (cjihrig) [#27127](https://github.com/nodejs/node/pull/27127) * do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](https://github.com/nodejs/node/pull/26751) * emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](https://github.com/nodejs/node/pull/24457) * deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](https://github.com/nodejs/node/pull/23760) * os: * implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](https://github.com/nodejs/node/pull/25659) * remove `os.getNetworkInterfaces()` (cjihrig) [#25280](https://github.com/nodejs/node/pull/25280) * process: * make global.process, global.Buffer getters (Guy Bedford) [#26882](https://github.com/nodejs/node/pull/26882) * move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828) * exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828) * improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](https://github.com/nodejs/node/pull/24965) * readline: * support TERM=dumb (Vladislav Kaminsky) 
[#26261](https://github.com/nodejs/node/pull/26261) * repl: * add welcome message (gengjiawen) [#25947](https://github.com/nodejs/node/pull/25947) * fix terminal default setting (Ruben Bridgewater) [#26518](https://github.com/nodejs/node/pull/26518) * check colors with `.getColorDepth()` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261) * deprecate REPLServer.rli (Ruben Bridgewater) [#26260](https://github.com/nodejs/node/pull/26260) * src: * remove unused `INT_MAX` constant (Sam Roberts) [#27078](https://github.com/nodejs/node/pull/27078) * update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685) * remove `AddPromiseHook()` (Anna Henningsen) [#26574](https://github.com/nodejs/node/pull/26574) * clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](https://github.com/nodejs/node/pull/26384) * properly configure default heap limits (Ali Ijaz Sheikh) [#25576](https://github.com/nodejs/node/pull/25576) * remove `icuDataDir` from node config (GauthamBanasandra) [#24780](https://github.com/nodejs/node/pull/24780) * tls: * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209) * return correct version from `getCipher()` (Sam Roberts) [#26625](https://github.com/nodejs/node/pull/26625) * check arg types of renegotiate() (Sam Roberts) [#25876](https://github.com/nodejs/node/pull/25876) * add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729) * emit a warning when servername is an IP address (Rodger Combs) [#23329](https://github.com/nodejs/node/pull/23329) * disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](https://github.com/nodejs/node/pull/23814) * remove unused arg to createSecureContext() (Sam Roberts) [#24241](https://github.com/nodejs/node/pull/24241) * deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](https://github.com/nodejs/node/pull/23820) * load `NODE_EXTRA_CA_CERTS` at 
startup (Ouyang Yadong) [#23354](https://github.com/nodejs/node/pull/23354) * util: * remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](https://github.com/nodejs/node/pull/25377) * change inspect compact and breakLength default (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109) * improve inspect edge cases (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109) * only the first line of the error message (Simon Zünd) [#26685](https://github.com/nodejs/node/pull/26685) * don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) * rename callbackified function (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) * increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) * prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](https://github.com/nodejs/node/pull/26577) * prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](https://github.com/nodejs/node/pull/26241) * prevent leaking internal properties (Ruben Bridgewater) [#24971](https://github.com/nodejs/node/pull/24971) * protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](https://github.com/nodejs/node/pull/25953) * treat format arguments equally (Roman Reiss) [#23162](https://github.com/nodejs/node/pull/23162) * win, fs: * detect if symlink target is a directory (Bartosz Sosnowski) [#23724](https://github.com/nodejs/node/pull/23724) * zlib: * throw TypeError if callback is missing (Anna Henningsen) [#24929](https://github.com/nodejs/node/pull/24929) * make “bare” constants un-enumerable (Anna Henningsen) [#24824](https://github.com/nodejs/node/pull/24824) PR-URL: https://github.com/nodejs/node/pull/26930
2019-04-16 | 2019-04-16, Version 8.16.0 'Carbon' (LTS) | Myles Borins
Notable Changes: * n-api: - add API for asynchronous functions (Gabriel Schulhof) https://github.com/nodejs/node/pull/17887 - mark thread-safe function as stable (Gabriel Schulhof) https://github.com/nodejs/node/pull/25556 PR-URL: https://github.com/nodejs/node/pull/26933
2019-04-11 | 2019-04-11, Version 11.14.0 (Current) | Beth Griggs
Notable changes: - child_process: doc deprecate ChildProcess.\_channel (cjihrig) [#26982](https://github.com/nodejs/node/pull/26982) - deps: update nghttp2 to 1.37.0 (gengjiawen) [#26990](https://github.com/nodejs/node/pull/26990) - dns: - make dns.promises enumerable (cjihrig) [#26592](https://github.com/nodejs/node/pull/26592) - remove dns.promises experimental warning (cjihrig) [#26592](https://github.com/nodejs/node/pull/26592) - fs: remove experimental warning for fs.promises (Anna Henningsen) [#26581](https://github.com/nodejs/node/pull/26581) - stream: make Symbol.asyncIterator support stable (Matteo Collina) [#26989](https://github.com/nodejs/node/pull/26989) - worker: use copy of process.env (Anna Henningsen) [#26544](https://github.com/nodejs/node/pull/26544) PR-URL: https://github.com/nodejs/node/pull/27163
2019-04-03 | 2019-04-03, Version 6.17.1 'Boron' (LTS) | Beth Griggs
Notable changes: - http: - fix error check in `Execute()` (Brian White) [#25939](https://github.com/nodejs/node/pull/25939) PR-URL: https://github.com/nodejs/node/pull/26684
2019-03-30 | doc: update changelog for v10.x LTS | Beth Griggs
PR-URL: https://github.com/nodejs/node/pull/26931 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Richard Lau <riclau@uk.ibm.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-03-28 | 2019-03-28, Version 11.13.0 (Current) | Michaël Zasso
Notable changes: * crypto * Allow deriving public from private keys (Tobias Nießen) [#26278](https://github.com/nodejs/node/pull/26278). * events * Added a `once` function to use `EventEmitter` with promises (Matteo Collina) [#26078](https://github.com/nodejs/node/pull/26078). * tty * Added a `hasColors` method to `WriteStream` (Ruben Bridgewater) [#26247](https://github.com/nodejs/node/pull/26247). * Added NO_COLOR and FORCE_COLOR support (Ruben Bridgewater) [#26485](https://github.com/nodejs/node/pull/26485). * v8 * Added `v8.getHeapSnapshot` and `v8.writeHeapSnapshot` to generate snapshots in the format used by tools such as Chrome DevTools (James M Snell) [#26501](https://github.com/nodejs/node/pull/26501). * worker * Added `worker.moveMessagePortToContext`. This enables using MessagePorts in different vm.Contexts, aiding with the isolation that the vm module seeks to provide (Anna Henningsen) [#26497](https://github.com/nodejs/node/pull/26497). * C++ API * `AddPromiseHook` is now deprecated. This API was added to fill a use case that is served by `async_hooks`, since that has `Promise` support (Anna Henningsen) [#26529](https://github.com/nodejs/node/pull/26529). * Added a `Stop` API to shut down Node.js while it is running (Gireesh Punathil) [#21283](https://github.com/nodejs/node/pull/21283). * meta * [Gireesh Punathil](https://github.com/gireeshpunathil) is now a member of the Technical Steering Committee [#26657](https://github.com/nodejs/node/pull/26657). * Added [Yongsheng Zhang](https://github.com/ZYSzys) to collaborators [#26730](https://github.com/nodejs/node/pull/26730). PR-URL: https://github.com/nodejs/node/pull/26949
2019-03-15 | 2019-03-15, Version 11.12.0 (Current) | Ruben Bridgewater
Notable Changes * bootstrap: * Add experimental `--frozen-intrinsics` flag (Guy Bedford) https://github.com/nodejs/node/pull/25685 * build: * Enable v8's siphash for hash seed creation (Rod Vagg) https://github.com/nodejs/node/pull/26367 * deps: * Upgrade openssl to 1.1.1b (Sam Roberts) https://github.com/nodejs/node/pull/26327 * process: * Make `process[Symbol.toStringTag]` writable again (Ruben Bridgewater) https://github.com/nodejs/node/pull/26488 * repl: * Add `util.inspect.replDefaults` to customize the writer (Ruben Bridgewater) https://github.com/nodejs/node/pull/26375 * report: * Rename `triggerReport()` to `writeReport()` (Colin Ihrig) https://github.com/nodejs/node/pull/26527
2019-03-06 | 2019-03-06, Version 11.11.0 (Current) | Ruben Bridgewater
Notable Changes * n-api: * Implement date object (Jarrod Connolly) https://github.com/nodejs/node/pull/25917 * util: * Add compact depth mode for `util.inspect()` (Ruben Bridgewater) https://github.com/nodejs/node/pull/26269 * worker: * Improve integration with native addons (Anna Henningsen) https://github.com/nodejs/node/pull/26175 * MessagePort.prototype.onmessage takes arguments closer to the Web specification now (Anna Henningsen) https://github.com/nodejs/node/pull/26082
2019-03-05 | 2019-03-05, Version 10.15.3 'Dubnium' (LTS) | Beth Griggs
Notable Changes * **doc** * add antsmartian to collaborators (Anto Aravinth) [#24655](https://github.com/nodejs/node/pull/24655) * **http** * fix error check in Execute() (Brian White) [#25863](https://github.com/nodejs/node/pull/25863) * **stream** * fix end-of-stream for HTTP/2 (Anna Henningsen) [#24926](https://github.com/nodejs/node/pull/24926) PR-URL: https://github.com/nodejs/node/pull/26063
2019-02-28 | 2019-02-28, Version 6.17.0 'Boron' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739) * Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737) * OpenSSL: 0-byte record padding oracle (CVE-2019-1559) Notable Changes: * deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. * http: - Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS connections remaining open and inactive for an extended period of time, leading to a potential Denial of Service (DoS). (CVE-2019-5739 / Timur Shemsedinov, Matteo Collina) - Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by `server.headersTimeout` to connections in keep-alive mode. Reported by Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina) PR-URL: https://github.com/nodejs-private/node-private/pull/169
2019-02-28 | 2019-02-28, Version 8.15.1 'Carbon' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ for details on patched vulnerabilities. Fixes for the following CVEs are included in this release: * Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737) * OpenSSL: 0-byte record padding oracle (CVE-2019-1559) Notable Changes: * deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. * http: Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by `server.headersTimeout` to connections in keep-alive mode. Reported by Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina) PR-URL: https://github.com/nodejs-private/node-private/pull/165
2019-02-28 | 2019-02-28, Version 10.15.2 'Dubnium' (LTS) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ for details on patched vulnerabilities. A fix for the following CVE is included in this release: * Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737) Notable Changes: * http: Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by `server.headersTimeout` to connections in keep-alive mode. Reported by Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina) PR-URL: https://github.com/nodejs-private/node-private/pull/164
2019-02-28 | 2019-02-28, Version 11.10.1 (Current) | Rod Vagg
This is a security release. All Node.js users should consult the security release summary at: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ for details on patched vulnerabilities. A fix for the following CVE is included in this release: * Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737) Notable Changes: * http: Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by `server.headersTimeout` to connections in keep-alive mode. Reported by Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina) PR-URL: https://github.com/nodejs-private/node-private/pull/163
2019-02-14 | 2018-02-14, Version 11.10.0 (Current) | Michaël Zasso
Notable changes: deps: * Updated libuv to 1.26.0. * Updated npm to 6.7.0. http, http2: * `response.writeHead` now returns the response object. perf_hooks: * Implemented a histogram based API. process: * Exposed `process.features.inspector`. repl: * Added `repl.setupHistory` for programmatic repl. tls: * Introduced client "session" event. PR-URL: https://github.com/nodejs/node/pull/26098
2019-01-30 | 2019-01-30, Version 11.9.0 (Current) | Michaël Zasso
Notable changes: * deps: * OpenSSL has been updated to 1.1.1a, which is API/ABI compatible with the previous OpenSSL 1.1.0j. Note that while OpenSSL 1.1.1a supports TLS1.3, Node.js still does not. https://github.com/nodejs/node/pull/25582 PR-URL: https://github.com/nodejs/node/pull/25802