| Age | Commit message (Collapse) | Author |
|---|
|
This is a maintenance release to fix a memory leak that was
introduced in 4.8.1.
It also includes an upgrade to zlib 1.2.11 to fix a number of low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes:
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
https://github.com/nodejs/node/pull/10980
|
|
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
https://github.com/nodejs/node/pull/10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) https://github.com/nodejs/node/pull/12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
https://github.com/nodejs/node/pull/12123
|
|
Notable changes:
* buffer:
- do not segfault on out-of-range index (Timothy Gu)
https://github.com/nodejs/node/pull/11927
* crypto:
- Fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
* upgrade npm to 4.2.0 (Kat Marchán)
https://github.com/nodejs/node/pull/11389
* fix async await desugaring in V8 (Michaël Zasso)
https://github.com/nodejs/node/pull/12004
* readline:
- add option to stop duplicates in history (Danny Nemer)
https://github.com/nodejs/node/pull/2982
* src:
- add native URL class (James M Snell)
https://github.com/nodejs/node/pull/11801
PR-URL: https://github.com/nodejs/node/pull/12104
|
|
Notable changes:
* deps: Add node-inspect 1.10.6 (Jan Krems) https://github.com/nodejs/node/pull/11869
* inspector: proper WS URLs when bound to 0.0.0.0 (Eugene Ostroukhov) https://github.com/nodejs/node/pull/11850
* tls: fix segfault on destroy after partial read. (Ben Noordhuis) https://github.com/nodejs/node/pull/11898
PR-URL: https://github.com/nodejs/node/pull/11941
|
|
Notable changes
* performance: The performance of several APIs has been improved.
- `Buffer.compare()` is up to 35% faster on average. (Brian White)
https://github.com/nodejs/node/pull/10927
- `buffer.toJSON()` is up to 2859% faster on average. (Brian White)
https://github.com/nodejs/node/pull/10895
- `fs.*statSync()` functions are now up to 9.3% faster on average.
(Brian White) https://github.com/nodejs/node/pull/11522
- `os.loadavg` is up to 151% faster. (Brian White)
https://github.com/nodejs/node/pull/11516
- `process.memoryUsage()` is up to 34% faster. (Brian White)
https://github.com/nodejs/node/pull/11497
- `querystring.unescape()` for `Buffer`s is 15% faster on average.
(Brian White) https://github.com/nodejs/node/pull/10837
- `querystring.stringify()` is up to 7.8% faster on average.
(Brian White) https://github.com/nodejs/node/pull/10852
- `querystring.parse()` is up to 21% faster on average. (Brian White)
https://github.com/nodejs/node/pull/10874
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
https://github.com/nodejs/node/pull/10677
- Performance gains may be up to 40% for some workloads.
* child_process:
- `spawnSync` now returns a null `status` when child is terminated by
a signal. (cjihrig) https://github.com/nodejs/node/pull/11288
- This fixes the behavior to act like `spawn()` does.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
https://github.com/nodejs/node/pull/8923
- Debug messages have been added for cases when headers contain
invalid values. (Evan Lucas)
https://github.com/nodejs/node/pull/9195
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
https://github.com/nodejs/node/pull/10186
* timers:
- Timer callbacks now always maintain order when interacting with
domain error handling. (John Barboza)
https://github.com/nodejs/node/pull/10522
PR-URL: https://github.com/nodejs/node/pull/11759
|
|
Notable Changes:
* buffer:
- The performance of `.toJSON()` is now up to 2859% faster on average
(Brian White) https://github.com/nodejs/node/pull/10895
* IPC:
- Batched writes have been enabled for process IPC on platforms that
support Unix Domain Sockets. (Alexey Orlenko)
https://github.com/nodejs/node/pull/10677
- Performance gains may be up to 40% for some workloads.
* http:
- Control characters are now always rejected when using
`http.request()`. (Ben Noordhuis)
https://github.com/nodejs/node/pull/8923
* node:
- Heap statistics now support values larger than 4GB. (Ben Noordhuis)
https://github.com/nodejs/node/pull/10186
PR-URL: https://github.com/nodejs/node/pull/11760
|
|
Notable changes:
* module: The [module loading global fallback]
(https://nodejs.org/dist/latest-v6.x/docs/api/modules.html#modules_loading_from_the_global_folders)
to the Node executable's directory now works correctly on Windows.
(Richard Lau) [#9283](https://github.com/nodejs/node/pull/9283)
* net: `Socket.prototype.connect` now once again functions without
a callback. (Juwan Yoo) [#11762](https://github.com/nodejs/node/pull/11762)
* url: `URL.prototype.origin` now properly specified an opaque return of
`'null'` for `file://` URLs. (Brian White)
[#11691](https://github.com/nodejs/node/pull/11691)
PR-URL: https://github.com/nodejs/node/pull/11831
|
|
Notable changes:
* doc: add `Daijiro Wachi` to collaborators (Daijiro Wachi) https://github.com/nodejs/node/pull/11676
* tty: add ref() so process.stdin.ref() etc. work (Ben Schmidt) https://github.com/nodejs/node/pull/7360
* util: fix inspecting symbol key in string (Ali BARIN) https://github.com/nodejs/node/pull/11672
PR-URL: https://github.com/nodejs/node/pull/11745
|
|
Notable changes:
Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to
everyone who was affected by 7.7.0.
PR-URL: https://github.com/nodejs/node/pull/11638
|
|
Notables changes:
* child_process: spawnSync() exit code now is null when the child is killed via signal (cjihrig)
[#11288](https://github.com/nodejs/node/pull/11288)
* http: new functions to access the headers for an outgoing HTTP message (Brian White)
[#11562](https://github.com/nodejs/node/pull/11562)
* lib: deprecate node --debug at runtime (Josh Gavant)
[#11275](https://github.com/nodejs/node/pull/11275)
* tls: new tls.TLSSocket() supports sec ctx options (Sam Roberts)
[#11005](https://github.com/nodejs/node/pull/11005)
* url: adding URL.prototype.toJSON support (Michaël Zasso)
[#11236](https://github.com/nodejs/node/pull/11236)
* doc: items in the API documentation may now have changelogs (Anna Henningsen)
[#11489](https://github.com/nodejs/node/pull/11489)
* crypto: adding support for OPENSSL_CONF again (Sam Roberts)
[#11006](https://github.com/nodejs/node/pull/11006)
* src: adding support for trace-event tracing (misterpoe)
[#11106](https://github.com/nodejs/node/pull/11106)
PR-URL: https://github.com/nodejs/node/pull/11553
|
|
Notable changes:
* deps:
* update V8 to 5.5 (Michaël Zasso) [#11029](https://github.com/nodejs/node/pull/11029)
* upgrade libuv to 1.11.0 (cjihrig) [#11094](https://github.com/nodejs/node/pull/11094)
* add node-inspect 1.10.4 (Jan Krems) [#10187](https://github.com/nodejs/node/pull/10187)
* upgrade zlib to 1.2.11 (Sam Roberts) [#10980](https://github.com/nodejs/node/pull/10980)
* lib: build `node inspect` into `node` (Anna Henningsen) [#10187](https://github.com/nodejs/node/pull/10187)
* crypto: Remove expired certs from CNNIC whitelist (Shigeki Ohtsu) [#9469](https://github.com/nodejs/node/pull/9469)
* inspector: add --inspect-brk (Josh Gavant) [#11149](https://github.com/nodejs/node/pull/11149)
* fs: allow WHATWG URL objects as paths (James M Snell) [#10739](https://github.com/nodejs/node/pull/10739)
* src: support UTF-8 in compiled-in JS source files (Ben Noordhuis) [#11129](https://github.com/nodejs/node/pull/11129)
* url: extend url.format to support WHATWG URL (James M Snell) [#10857](https://github.com/nodejs/node/pull/10857)
PR-URL: https://github.com/nodejs/node/pull/11185
|
|
Notable Changes:
The SEMVER-MINOR changes include:
* crypto: allow adding extra certs to well-known CAs (Sam Roberts)
https://github.com/nodejs/node/pull/9139
* deps: Upgrade INTL ICU to version 58 (Steven R. Loomis)
https://github.com/nodejs/node/pull/9234
* process: add `process.memoryUsage.external` (Fedor Indutny)
https://github.com/nodejs/node/pull/9587
* src: add wrapper for process.emitWarning() (Sam Roberts)
https://github.com/nodejs/node/pull/9139
Notable SEMVER-PATCH changes include:
* fs: cache non-symlinks in realpathSync. (Jeremy Yallop)
https://github.com/nodejs/node/pull/10253
* repl: allow autocompletion for scoped packages (Evan Lucas)
https://github.com/nodejs/node/pull/10296
PR-URL: https://github.com/nodejs/node/pull/10974
|
|
Notable Changes:
* child_process: add shell option to spawn() (cjihrig)
https://github.com/nodejs/node/pull/4598
* crypto:
* add ALPN Support (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/2564
* allow adding extra certs to well-known CAs (Sam Roberts)
https://github.com/nodejs/node/pull/9139
* deps:
* v8: expose statistics about heap spaces (Ben Ripkens)
https://github.com/nodejs/node/pull/4463
* fs: add the fs.mkdtemp() function. (Florian MARGAINE)
https://github.com/nodejs/node/pull/5333
* process:
* add `externalMemory` to `process` (Fedor Indutny)
https://github.com/nodejs/node/pull/9587
* add process.cpuUsage() (Patrick Mueller)
https://github.com/nodejs/node/pull/10796
PR-URL: https://github.com/nodejs/node/pull/10973
|
|
Notable changes:
* crypto:
* ability to select cert store at runtime (Adam Majer) #8334
* Use system CAs instead of using bundled ones (Adam Majer) #8334
* deps:
* upgrade npm to 4.1.2 (Kat Marchán) #11020
* upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
* doc: add basic documentation for WHATWG URL API (James M Snell) #10620
* process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
* url: allow use of URL with http.request and https.request (James M Snell) #10638
PR-URL: https://github.com/nodejs/node/pull/11062
|
|
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11083
|
|
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11081
|
|
* It had some minor errors in td/th html tags.
* Make it clear that v5, v0.10, and v0.12 are EOL and unsupported.
We probably don't want people seeing 'LTS' badge next to those
in the current Node.js repo and think that those are still supported.
Not everyone is aware of the nodejs/LTS repo.
This also includes the dates for v5, v0.10 and v0.12 EOL:
- 2016-07-01 for v5
- 2016-11-01 for v0.10
- 2017-01-01 for v0.12
* Make v5/v0.10/v0.12 not bold in CHANGELOG
Make v5, v0.10, v0.12 not bold in the CHANGELOG.md, as bold is said to
be an indication of the most recent actively supported release futher
on the same page.
PR-URL: https://github.com/nodejs/node/pull/10743
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
|
|
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
|
|
This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
|
|
Notable changes:
* buffer:
- Improve performance of Buffer allocation by ~11% (Brian White) https://github.com/nodejs/node/pull/10443
- Improve performance of Buffer.from() by ~50% (Brian White) https://github.com/nodejs/node/pull/10443
* events: Improve performance of EventEmitter.once() by ~27% (Brian White) https://github.com/nodejs/node/pull/10445
* fs: Allow passing Uint8Array to fs methods where Buffers are supported. (Anna Henningsen) https://github.com/nodejs/node/pull/10382
* http: Improve performance of http server by ~7% (Brian White) https://github.com/nodejs/node/pull/6533
* npm: Upgrade to v4.0.5 (Kat Marchán) https://github.com/nodejs/node/pull/10330
PR-URL: https://github.com/nodejs/node/pull/10589
|
|
This LTS release comes with 180 commits. This includes 117 which are
test related, 34 which are doc related, 15 which are build / tool
related, and 1 commit which is an update to dependencies.
Notable Changes:
* build:
- shared library support is now working for AIX builds
(Stewart Addison) https://github.com/nodejs/node/pull/9675
* repl:
- Passing options to the repl will no longer overwrite defaults
(cjihrig) https://github.com/nodejs/node/pull/7826
* timers:
- Re canceling a cancelled timers will no longer throw
(Jeremiah Senkpiel) https://github.com/nodejs/node/pull/9685
PR-URL: https://github.com/nodejs/node/pull/10395
|
|
This LTS release comes with 312 commits. This includes 229 that are
test related, 62 that are docs related, 17 which are build / tools
related, and 4 commits which are updates to dependencies.
Notable Changes:
* build:
- shared library support is now working for AIX builds
(Stewart Addison) https://github.com/nodejs/node/pull/9675
* deps:
- *npm*: upgrade npm to 3.10.10 (Rebecca Turner)
https://github.com/nodejs/node/pull/9847
- *V8*: Destructuring of arrow function arguments via computed
property no longer throws (Michaël Zasso)
https://github.com/nodejs/node/pull/10386)
* inspector:
- /json/version returns object, not an object wrapped in an array
(Ben Noordhuis) https://github.com/nodejs/node/pull/9762
* module:
- using --debug-brk and --eval together now works as expected
(Kelvin Jin) https://github.com/nodejs/node/pull/8876
* process:
- improve performance of nextTick up to 20% (Evan Lucas)
https://github.com/nodejs/node/pull/8932
* repl:
- the division operator will no longer be accidentally parsed as
regex (Teddy Katz) https://github.com/nodejs/node/pull/10103
- improved support for generator functions (Teddy Katz)
https://github.com/nodejs/node/pull/9852
* timers:
- Re canceling a cancelled timers will no longer throw
(Jeremiah Senkpiel) https://github.com/nodejs/node/pull/9685
PR-URL: https://github.com/nodejs/node/pull/10394
|
|
Notable changes:
* npm: upgrade from v2.15.1 to v2.15.11, including accurate updated license (Jeremiah Senkpiel)
* process: `process.versions.ares` now outputs the c-ares version (Johan Bergström)
PR-URL: https://github.com/nodejs/node/pull/10352
|
|
Notable changes:
* buffer:
- buffer.fill() now works properly for the UCS2 encoding on
Big-Endian machines.
(Anna Henningsen) https://github.com/nodejs/node/pull/9837
* cluster:
- disconnect() now returns a reference to the disconnected
worker. (Sean Villars)
https://github.com/nodejs/node/pull/10019
* crypto:
- The built-in list of Well-Known CAs (Certificate Authorities)
can now be extended via a NODE_EXTRA_CA_CERTS environment
variable. (Sam Roberts)
https://github.com/nodejs/node/pull/9139
* http:
- Remove stale timeout listeners in order to prevent a memory leak
when using keep alive. (Karl Böhlmark)
https://github.com/nodejs/node/pull/9440
* tls:
- Allow obvious key/passphrase combinations. (Sam Roberts)
https://github.com/nodejs/node/pull/10294
* url:
- Including base argument in URL.originFor() to meet specification
compliance. (joyeecheung)
https://github.com/nodejs/node/pull/10021
- Improve URLSearchParams to meet specification compliance.
(Timothy Gu) https://github.com/nodejs/node/pull/9484
PR-URL: https://github.com/nodejs/node/pull/10277
|
|
Notable changes:
* buffer:
- Reverted the runtime deprecation of calling `Buffer()` without
`new`. (Anna Henningsen) https://github.com/nodejs/node/pull/9529
- Fixed `buffer.transcode()` for single-byte character
encodings to `UCS2`. (Anna Henningsen)
https://github.com/nodejs/node/pull/9838
* promise: `--trace-warnings` now produces useful stacktraces for
Promise warnings. (Anna Henningsen)
https://github.com/nodejs/node/pull/9525
* repl: Fixed a bug preventing correct parsing of generator functions.
(Teddy Katz) https://github.com/nodejs/node/pull/9852
* V8: Fixed a significant `instanceof` performance regression.
(Franziska Hinkelmann) https://github.com/nodejs/node/pull/9730
PR-URL: https://github.com/nodejs/node/pull/10127
|
|
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
https://github.com/nodejs/node/pull/7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) https://github.com/nodejs/node/pull/3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) https://github.com/nodejs/node/pull/7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) https://github.com/nodejs/node/pull/4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) https://github.com/nodejs/node/pull/4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
https://github.com/nodejs/node/pull/6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) https://github.com/nodejs/node/pull/9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) https://github.com/nodejs/node/pull/8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
https://github.com/nodejs/node/pull/9586
PR-URL: https://github.com/nodejs/node/pull/9736
|
|
This LTS release comes with 144 commits. This includes 47 that are docs
related, 46 that are test related, 15 which are build / tools related,
and 9 commits which are updates to dependencies
Notable Changes:
* buffer:
- coerce slice parameters consistently
(Sakthipriyan Vairamani (thefourtheye))
https://github.com/nodejs/node/pull/9101
* deps:
- *npm*:
- upgrade npm to 3.10.9 (Kat Marchán)
https://github.com/nodejs/node/pull/9286
- *V8*:
- Various fixes to destructuring edge cases
- cherry-pick 3c39bac from V8 upstream (Cristian Cavalli)
https://github.com/nodejs/node/pull/9138
- cherry pick 7166503 from upstream v8 (Cristian Cavalli)
https://github.com/nodejs/node/pull/9173
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) https://github.com/nodejs/node/pull/9262
* inspector:
- inspector now prompts user to use 127.0.0.1 rather than localhost
(Eugene Ostroukhov) https://github.com/nodejs/node/pull/9451
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
https://github.com/nodejs/node/pull/9586
PR-URL: https://github.com/nodejs/node/pull/9735
|
|
This is a security release impacting Windows 10 users.
Notable changes:
* crypto: The `Decipher` methods `setAuthTag()` and `setAAD` now return
`this`. (Kirill Fomichev) https://github.com/nodejs/node/pull/9398
* dns: Implemented `{ttl: true}` for `resolve4()` and `resolve6()`.
(Ben Noordhuis) https://github.com/nodejs/node/pull/9296 &
https://github.com/nodejs/node/pull/9296
* libuv: Upgrade to v1.10.1 (cjihrig)
https://github.com/nodejs/node/pull/9647
- Fixed a potential buffer overflow when writing data to console on
Windows 10. (CVE-2016-9551)
* process: Added a new `external` property to the data returned by
`memoryUsage()`. (Fedor Indutny)
https://github.com/nodejs/node/pull/9587
* tls: Fixed a memory leak when writes were queued on TLS connection
that was destroyed during handshake. (Fedor Indutny)
https://github.com/nodejs/node/pull/9626
* V8 (dep): Upgrade to v5.4.500.43 (Michaël Zasso)
https://github.com/nodejs/node/pull/9697
* v8: The data returned by `getHeapStatistics()` now includes three new
fields: `malloced_memory`, `peak_malloced_memory`, and
`does_zap_garbage`. (Gareth Ellis)
https://github.com/nodejs/node/pull/8610
PR-URL: https://github.com/nodejs/node/pull/9745
|
|
Notable changes:
* buffer: add buffer.transcode to transcode a buffer's content from one
encoding to another primarily using ICU (James M Snell)
* child_process: add public API for IPC channel (cjihrig)
* icu
* Upgraded to ICU 58 - small icu (Steven R. Loomis)
* Add `cldr`, `tz`, and `unicode` to `process.versions` (Steven R. Loomis)
* lib: make `String(global) === '[object global]'` (Anna Henningsen)
* libuv: Upgraded to 1.10.0 (cjihrig)
* readline: use icu based string width calculation (James M Snell)
* src:
* add NODE_PRESERVE_SYMLINKS environment variable that has the same
effect as the `--preserve-symlinks` flag (Marc Udoff)
* Fix `String#toLocaleUpperCase()` and `String#toLocaleLowerCase()`
(Steven R. Loomis)
PR-URL: https://github.com/nodejs/node/pull/9438
|
|
This LTS release comes with 219 commits. This includes 80 commits that
are docs related, 58 commits that are test related, 20 commits that
are build / tool related, and 9 commits that are updates to
dependencies.
Notable Changes
* build:
- It is now possible to build the documentation from the release
tarball (Anna Henningsen)
https://github.com/nodejs/node/pull/8413
* buffer:
- Buffer.alloc() will no longer incorrectly return a zero filled
buffer when an encoding is passed (Teddy Katz)
https://github.com/nodejs/node/pull/9238
* deps:
- upgrade npm in LTS to 2.15.11 (Kat Marchán)
https://github.com/nodejs/node/pull/8928
* repl:
- Enable tab completion for global properties (Lance Ball)
https://github.com/nodejs/node/pull/7369
* url:
- `url.format()` will now encode all `#` in `search` (Ilkka Myller)
https://github.com/nodejs/node/pull/8072
PR-URL: https://github.com/nodejs/node/pull/9298
|
|
Notable Changes:
* Buffer
* Passing invalid input to Buffer.byteLength will now throw an error [#8946](https://github.com/nodejs/node/pull/8946).
* Calling Buffer without new is now deprecated and will emit a process warning [#8169](https://github.com/nodejs/node/pull/8169).
* Passing a negative number to allocUnsafe will now throw an error [#7079](https://github.com/nodejs/node/pull/7079).
* Child Process
* The fork and execFile methods now have stronger argument validation [#7399](https://github.com/nodejs/node/pull/7399).
* Cluster
* The worker.suicide method is deprecated and will emit a process warning [#3747](https://github.com/nodejs/node/pull/3747).
* Deps
* V8 has been updated to 5.4.500.36 [#8317](https://github.com/nodejs/node/pull/8317), [#8852](https://github.com/nodejs/node/pull/8852), [#9253](https://github.com/nodejs/node/pull/9253).
* NODE_MODULE_VERSION has been updated to 51 [#8808](https://github.com/nodejs/node/pull/8808).
* File System
* A process warning is emitted if a callback is not passed to async file system methods [#7897](https://github.com/nodejs/node/pull/7897).
* Intl
* Intl.v8BreakIterator constructor has been deprecated and will emit a process warning [#8908](https://github.com/nodejs/node/pull/8908).
* Promises
* Unhandled Promise rejections have been deprecated and will emit a process warning [#8217](https://github.com/nodejs/node/pull/8217).
* Punycode
* The `punycode` module has been deprecated [#7941](https://github.com/nodejs/node/pull/7941).
* URL
* An Experimental WHATWG URL Parser has been introduced [#7448](https://github.com/nodejs/node/pull/7448).
PR-URL: https://github.com/nodejs/node/pull/9099
|
|
Notable changes:
* streams: Fix a regression introduced in v6.8.0 in readable stream
that caused unpipe to remove the wrong stream (Anna Henningsen)
PR-URL: https://github.com/nodejs/node/pull/9186
|
|
PR-URL: https://github.com/nodejs/node/pull/9182
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/9183
Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
|
|
This release marks the transition of Node.js v6 into Long Term Support
(LTS) with the codename 'Boron'. The v6 release line now moves in to
"Active LTS" and will remain so until April 2018. After that time it
will move in to "Maintenance" until end of life in April 2019.
This is also a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* crypto: Don't automatically attempt to load an OpenSSL configuration
file, from the `OPENSSL_CONF` environment variable or from the
default location for the current platform. Always triggering a
configuration file load attempt may allow an attacker to load
compromised OpenSSL configuration into a Node.js process if they are
able to place a file in a default location. (Fedor Indutny, Rod Vagg)
* node: Introduce the `process.release.lts` property, set to `"Boron"`.
This value is `"Argon"` for v4 LTS releases and `undefined` for all
other releases. (Rod Vagg)
* V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
The parser in V8 mishandled scopes, potentially allowing an attacker
to obtain sensitive information from arbitrary memory locations via
crafted JavaScript code. This vulnerability would require an
attacker to be able to execute arbitrary JavaScript code in a
Node.js process. (Rod Vagg)
* **v8_inspector**: Generate a UUID for each execution of the
inspector. This provides additional security to prevent unauthorized
clients from connecting to the Node.js process via the v8_inspector
port when running with `--inspect`. Since the debugging protocol
allows extensive access to the internals of a running process, and
the execution of arbitrary code, it is important to limit
connections to authorized tools only. Vulnerability originally
reported by Jann Horn. (Eugene Ostroukhov)
PR-URL: https://github.com/nodejs/node-private/pull/81
|
|
This is a security release. All Node.js users should consult the security
release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html (Daniel Stenberg)
PR-URL: https://github.com/nodejs/node/pull/9153
|
|
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html
(Rod Vagg)
PR-URL: https://github.com/nodejs/node/pull/9154
|
|
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html
(Daniel Stenberg)
PR-URL: https://github.com/nodejs/node/pull/9147
|
|
* build: Fix building with shared zlib. (Bradley T. Hughes) [#9077](https://github.com/nodejs/node/pull/9077)
* stream: fix `Writable` subclass instanceof checks (Anna Henningsen) [#9088](https://github.com/nodejs/node/pull/9088)
* timers: fix regression with clearImmediate() (Brian White) [#9086](https://github.com/nodejs/node/pull/9086)
PR-URL: https://github.com/nodejs/node/pull/9104
|
|
* fs:
- `SyncWriteStream` now inherits from `Stream.Writable`. (Anna
Henningsen) https://github.com/nodejs/node/pull/8830
- Practically, this means that when stdio is piped to a file,
stdout and stderr will still be `Writable` streams.
- `fs.existsSync()` has been undeprecated. `fs.exists()` remains
deprecated. (Dan Fabulich) https://github.com/nodejs/node/pull/8364
* http: `http.request()` now accepts a `timeout` option. (Rene Weber)
https://github.com/nodejs/node/pull/8101
* module: The module loader now maintains its own realpath cache. (Anna
Henningsen) https://github.com/nodejs/node/pull/8100
* npm: Upgraded to 3.10.8 (Kat Marchán)
https://github.com/nodejs/node/pull/8706
* stream: `Duplex` streams now show proper `instanceof
Stream.Writable`. (Anna Henningsen)
https://github.com/nodejs/node/pull/8834
* timers: Improved `setTimeout`/`Interval` performance by up to 22%.
(Brian White) https://github.com/nodejs/node/pull/8661
PR-URL: https://github.com/nodejs/node/pull/9034
|
|
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/73
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/60
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/64
* src: Fix regression where passing an empty password and/or salt to
crypto.pbkdf2() would cause a fatal error
(Rich Trott) https://github.com/nodejs/node/pull/8572
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in the
wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/75
* v8: Fix regression where a regex on a frozen object was broken
(Myles Borins) https://github.com/nodejs/node/pull/8673
|
|
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable Changes
Semver Minor:
* openssl:
- Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8714
- Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
a crash when using CRLs, CVE-2016-7052.
(Shigeki Ohtsu) https://github.com/nodejs/node/pull/8786
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted into
Node.js at runtime by masquerading as one of the dynamic engine
modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/70
* http: CVE-2016-5325 - Properly validate for allowable characters in
the `reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses, users
should already be adopting try/catch here. Originally reported
independently by Evan Lucas and Romain Gaucher.
(Evan Lucas) https://github.com/nodejs/node-private/pull/46
Semver Patch:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated.
(Сковорода Никита Андреевич) https://github.com/nodejs/node-private/pull/65
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko and
James Bunton (Atlassian).
(Ben Noordhuis) https://github.com/nodejs/node-private/pull/63
PR-URL: https://github.com/nodejs/node-private/pull/74
|
|
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl:
- Upgrade to 1.0.1u, fixes a number of defects impacting Node.js:
CVE-2016-6304 ("OCSP Status Request extension unbounded memory
growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
- Remove support for loading dynamic third-party engine modules.
An attacker may be able to hide malicious code to be inserted
into Node.js at runtime by masquerading as one of the dynamic
engine modules. Originally reported by Ahmed Zaki (Skype).
(Ben Noordhuis, Rod Vagg)
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/72
|
|
This is a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* buffer: Zero-fill excess bytes in new `Buffer` objects created with
`Buffer.concat()` while providing a `totalLength` parameter that
exceeds the total length of the original `Buffer` objects being
concatenated. (Сковорода Никита Андреевич)
* http:
- CVE-2016-5325 - Properly validate for allowable characters in the
`reason` argument in `ServerResponse#writeHead()`. Fixes a
possible response splitting attack vector. This introduces a new
case where `throw` may occur when configuring HTTP responses,
users should already be adopting try/catch here. Originally
reported independently by Evan Lucas and Romain Gaucher.
(Evan Lucas)
- Invalid status codes can no longer be sent. Limited to 3 digit
numbers between 100 - 999. Lack of proper validation may also
serve as a potential response splitting attack vector. Backported
from v4.x. (Brian White)
* openssl: Upgrade to 1.0.1u, fixes a number of defects impacting
Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded
memory growth", high severity), CVE-2016-2183, CVE-2016-6303,
CVE-2016-2178 and CVE-2016-6306.
* tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid wildcard
certificate for its hostname due to improper validation of `*.` in
the wildcard string. Originally reported by Alexander Minozhenko
and James Bunton (Atlassian). (Ben Noordhuis)
PR-URL: https://github.com/nodejs/node-private/pull/71
|
|
Notable changes:
* crypto: Added `crypto.timingSafeEqual()`. (not-an-aardvark)
https://github.com/nodejs/node/pull/8304
* events: Made the "max event listeners" memory leak warning more
accessible. (Anna Henningsen) https://github.com/nodejs/node/pull/8298
* promises: Unhandled rejections now emit a process warning after the
first tick. (Benjamin Gruenbaum)
https://github.com/nodejs/node/pull/8223
* repl: Added auto alignment for `.editor` mode. (Prince J Wesley)
https://github.com/nodejs/node/pull/8241
* util: Some functionality has been added to `util.inspect()`:
- Returning `this` from a custom inspect function now works. (Anna
Henningsen) https://github.com/nodejs/node/pull/8174
- Added support for Symbol-based custom inspection methods. (Anna
Henningsen) https://github.com/nodejs/node/pull/8174
Refs: https://github.com/nodejs/node/issues/8428
Refs: https://github.com/nodejs/node/pull/8457
PR-URL: https://github.com/nodejs/node/pull/8466
|
|
Notable changes:
* **buffer**: Fix regression introduced in v6.4.0 that prevented .write() at buffer end (Anna Henningsen) https://github.com/nodejs/node/pull/8154
* **deps**: update V8 to 5.1.281.75 (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/8054
* **inspector**:
* fix inspector hang while disconnecting (Aleksei Koziatinskii) https://github.com/nodejs/node/pull/8021
* add support for uncaught exception (Aleksei Koziatinskii) https://github.com/nodejs/node/pull/8043
* **repl**: Fix saving editor mode text in `.save` (Prince J Wesley) https://github.com/nodejs/node/pull/8145
* ***Revert*** "**repl,util**: insert carriage returns in output" (Evan Lucas) https://github.com/nodejs/node/pull/8143
PR-URL: https://github.com/nodejs/node/pull/8253
|
|
Notable Changes:
Semver Minor:
* buffer:
* backport new buffer constructor APIs to v4.x
(Сковорода Никита Андреевич)
https://github.com/nodejs/node/pull/7562
* backport --zero-fill-buffers cli option (James M Snell)
https://github.com/nodejs/node/pull/5745
* build:
* add Intel Vtune profiling support (Chunyang Dai)
https://github.com/nodejs/node/pull/5527
* repl:
* copying tabs shouldn't trigger completion (Eugene Obrezkov)
https://github.com/nodejs/node/pull/5958
* src:
* add node::FreeEnvironment public API (Cheng Zhao)
https://github.com/nodejs/node/pull/3098
* test:
* run v8 tests from node tree (Bryon Leung)
https://github.com/nodejs/node/pull/4704
* V8:
* Add post mortem data to improve object inspection and function's
context variables inspection (Fedor Indutny)
https://github.com/nodejs/node/pull/3779
Semver Patch:
* **buffer**:
* ignore negative allocation lengths (Anna Henningsen)
https://github.com/nodejs/node/pull/7562
* **crypto**:
* update root certificates (Ben Noordhuis)
https://github.com/nodejs/node/pull/7363
* **libuv**:
* upgrade libuv to 1.9.1 (Saúl Ibarra Corretgé)
https://github.com/nodejs/node/pull/6796
* upgrade libuv to 1.9.0 (Saúl Ibarra Corretgé)
https://github.com/nodejs/node/pull/5994
* **npm**:
* upgrade to 2.15.9 (Kat Marchán)
https://github.com/nodejs/node/pull/7692
|
|
Notable changes:
* build: zlib symbols and additional OpenSSL symbols are now exposed on Windows platforms. (Alex Hultman) https://github.com/nodejs/node/pull/7983 and https://github.com/nodejs/node/pull/7576
* child_process, cluster: Forked child processes and cluster workers now support stdio configuration. (Colin Ihrig) https://github.com/nodejs/node/pull/7811 and https://github.com/nodejs/node/pull/7838
* child_process: argv[0] can now be set to arbitrary values in spawned processes. (Pat Pannuto) https://github.com/nodejs/node/pull/7696
* fs: fs.ReadStream now exposes the number of bytes it has read so far. (Linus Unnebäck) https://github.com/nodejs/node/pull/7942
* repl: The REPL now supports editor mode. (Prince J Wesley) https://github.com/nodejs/node/pull/7275
* util: inspect() can now be configured globally using util.inspect.defaultOptions. (Roman Reiss) https://github.com/nodejs/node/pull/8013
Refs: https://github.com/nodejs/node/issues/8020
PR-URL: https://github.com/nodejs/node/pull/8070
|
|
Notable changes:
* **buffer**:
* Improve performance of Buffer.from(str, 'hex') and Buffer#write(str, 'hex'). (Christopher Jeffrey) https://github.com/nodejs/node/pull/7602
* Fix creating from zero-length ArrayBuffer. (Ingvar Stepanyan) https://github.com/nodejs/node/pull/7176
* **deps**:
* Upgrade to V8 5.0.71.xx. (Ben Noordhuis) https://github.com/nodejs/node/pull/7531
* Backport V8 instanceof bugfix (Franziska Hinkelmann) https://github.com/nodejs/node/pull/7638
* **repl**: Fix issue with function redeclaration. (Prince J Wesley) https://github.com/nodejs/node/pull/7794
* **util**: Fix inspecting of boxed symbols. (Anna Henningsen) https://github.com/nodejs/node/pull/7641
PR-URL: https://github.com/nodejs/node/pull/7782
|
|
Notable changes:
* buffer: Added `buffer.swap64()` to compliment `swap16()` &
`swap32()`. (Zach Bjornson) https://github.com/nodejs/node/pull/7157
* build: New `configure` options have been added for building Node.js
as a shared library. (Stefan Budeanu)
https://github.com/nodejs/node/pull/6994
- The options are: `--shared`, `--without-v8-platform` &
`--without-bundled-v8`.
* crypto: Root certificates have been updated. (Ben Noordhuis)
https://github.com/nodejs/node/pull/7363
* debugger: The server address is now configurable via
`--debug=<address>:<port>`. (Ben Noordhuis)
https://github.com/nodejs/node/pull/3316
* npm: Upgraded npm to v3.10.3 (Kat Marchán)
https://github.com/nodejs/node/pull/7515 & (Rebecca Turner)
https://github.com/nodejs/node/pull/7410
* readline: Added the `prompt` option to the readline constructor.
(Evan Lucas) https://github.com/nodejs/node/pull/7125
* repl / vm: `sigint`/`ctrl+c` will now break out of infinite loops
without stopping the Node.js instance. (Anna Henningsen)
https://github.com/nodejs/node/pull/6635
* src:
- Added a `node::FreeEnvironment` public C++ API. (Cheng Zhao)
https://github.com/nodejs/node/pull/3098
- Refactored `require('constants')`, constants are now available
directly from their respective modules. (James M Snell)
https://github.com/nodejs/node/pull/6534
* stream: Improved `readable.read()` performance by up to 70%. (Brian
White) https://github.com/nodejs/node/pull/7077
* timers: `setImmediate()` is now up to 150% faster in some situations.
(Andras) https://github.com/nodejs/node/pull/6436
* util: Added a `breakLength` option to `util.inspect()` to control how
objects are formatted across lines. (cjihrig)
https://github.com/nodejs/node/pull/7499
* v8-inspector: Experimental support has been added for debugging
Node.js over the inspector protocol. (Ali Ijaz Sheikh)
https://github.com/nodejs/node/pull/6792
- *Note: This feature is experimental, and it could be altered or
removed.*
- You can try this feature by running Node.js with the `--inspect`
flag.
Refs: https://github.com/nodejs/node/pull/7441
PR-URL: https://github.com/nodejs/node/pull/7550
|
