path: root/doc/changelogs
Age | Commit message | Author
2019-12-03 | 2019-12-03, Version 13.3.0 (Current) | Ruben Bridgewater
Notable changes:

* fs:
  * Reworked experimental recursive `rmdir()` (cjihrig)
    https://github.com/nodejs/node/pull/30644
    * The `maxBusyTries` option is renamed to `maxRetries`, and its default is set to 0. The `emfileWait` option has been removed, and `EMFILE` errors use the same retry logic as other errors. The `retryDelay` option is now supported. `ENFILE` errors are now retried.
* http:
  * Make maximum header size configurable per-stream or per-server (Anna Henningsen)
    https://github.com/nodejs/node/pull/30570
* http2:
  * Make maximum tolerated rejected streams configurable (Denys Otrishko)
    https://github.com/nodejs/node/pull/30534
  * Allow to configure maximum tolerated invalid frames (Denys Otrishko)
    https://github.com/nodejs/node/pull/30534
* wasi:
  * Introduce initial WASI support (cjihrig)
    https://github.com/nodejs/node/pull/30258

PR-URL: https://github.com/nodejs/node/pull/30774
2019-11-22 | doc: fix a typo in a date for version 13.2.0 | Kirlat
PR-URL: https://github.com/nodejs/node/pull/30587
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2019-11-21 | 2019-11-21, Version 13.2.0 (Current) | Myles Borins
Notable changes:

* addons:
  * Deprecate one- and two-argument `AtExit()`. Use the three-argument variant of `AtExit()` or `AddEnvironmentCleanupHook()` instead (Anna Henningsen)
    https://github.com/nodejs/node/pull/30227
* child_process,cluster:
  * The `serialization` option is added that allows child process IPC to use the V8 serialization API (to e.g., pass through data types like sets or maps) (Anna Henningsen)
    https://github.com/nodejs/node/pull/30162
* deps:
  * Update V8 to 7.9
  * Update `npm` to 6.13.0 (Ruy Adorno)
    https://github.com/nodejs/node/pull/30271
* embedder:
  * Exposes the ability to pass cli flags / options through an API as embedder (Shelley Vohr)
    https://github.com/nodejs/node/pull/30466
  * Allow adding linked bindings to Environment (Anna Henningsen)
    https://github.com/nodejs/node/pull/30274
* esm:
  * Unflag --experimental-modules (Guy Bedford)
    https://github.com/nodejs/node/pull/29866
* stream:
  * Add `writable.writableCorked` property (Robert Nagy)
    https://github.com/nodejs/node/pull/29012
* worker:
  * Allow specifying resource limits (Anna Henningsen)
    https://github.com/nodejs/node/pull/26628
* v8:
  * The Serialization API is now stable (Anna Henningsen)
    https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/30547
2019-11-19 | 2019-11-19, Version 12.13.1 'Erbium' (LTS) | Michaël Zasso
Notable changes:

* Experimental support for building Node.js with Python 3 is improved.
* ICU time zone data is updated to version 2019c. This fixes the date offset in Brazil.

PR-URL: https://github.com/nodejs/node/issues/30352
2019-11-05 | 2019-11-05, Version 13.1.0 (Current) | Michaël Zasso
Notable changes:

* cli:
  * Added a new flag (`--trace-uncaught`) that makes Node.js print the stack trace at the time of throwing uncaught exceptions, rather than at the creation of the `Error` object, if there is any. This is disabled by default because it affects GC behavior.
    https://github.com/nodejs/node/pull/30025
* crypto
  * Added `Hash.prototype.copy()` method. It returns a new `Hash` object with its internal state cloned from the original one.
    https://github.com/nodejs/node/pull/29910
* dgram
  * Added source-specific multicast support. This adds methods to Datagram sockets to support RFC 4607 (https://tools.ietf.org/html/rfc4607) for IPv4 and IPv6.
    https://github.com/nodejs/node/pull/15735
* fs
  * Added a `bufferSize` option to `fs.opendir()`. It allows to control the number of entries that are buffered internally when reading from the directory.
    https://github.com/nodejs/node/pull/30114
* meta
  * Added Chengzhong Wu (https://github.com/legendecas) to collaborators.
    https://github.com/nodejs/node/pull/30115

PR-URL: https://github.com/nodejs/node/pull/30262
2019-10-23 | 2019-10-23, Version 13.0.1 (Current) | Myles Borins
Notable changes:

* deps:
  * Fixed a bug in npm 6.12.0 where warnings are emitted on Node.js 13.x.
    https://github.com/nodejs/node/pull/30079
* esm:
  * Changed file extension resolution order of `--es-module-specifier-resolution=node` to match that of the CommonJS loader.
    https://github.com/nodejs/node/pull/29974

PR-URL: https://github.com/nodejs/node/pull/30081
2019-10-22 | 2019-10-22, Version 10.17.0 'Dubnium' (LTS) | Beth Griggs
Notable changes:

* crypto:
  * add support for chacha20-poly1305 for AEAD (chux0519)
    https://github.com/nodejs/node/pull/24081
  * increase maxmem range from 32 to 53 bits (Tobias Nießen)
    https://github.com/nodejs/node/pull/28799
* deps:
  * update npm to 6.11.3 (claudiahdz)
    https://github.com/nodejs/node/pull/29430
  * upgrade openssl sources to 1.1.1d (Sam Roberts)
    https://github.com/nodejs/node/pull/29921
* dns:
  * remove dns.promises experimental warning (cjihrig)
    https://github.com/nodejs/node/pull/26592
* fs:
  * remove experimental warning for fs.promises (Anna Henningsen)
    https://github.com/nodejs/node/pull/26581
* http:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* http2:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* n-api:
  * make func argument of napi\_create\_threadsafe\_function optional (legendecas)
    https://github.com/nodejs/node/pull/27791
  * mark version 5 N-APIs as stable (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/29401
  * implement date object (Jarrod Connolly)
    https://github.com/nodejs/node/pull/25917
* process:
  * add --unhandled-rejections flag (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/26599
* stream:
  * implement Readable.from async iterator utility (Guy Bedford)
    https://github.com/nodejs/node/pull/27660
  * make Symbol.asyncIterator support stable (Matteo Collina)
    https://github.com/nodejs/node/pull/26989

PR-URL: https://github.com/nodejs/node/pull/29875
2019-10-22 | 2019-10-22, Version 13.0.0 (Current) | Beth Griggs
Notable changes:

* assert:
  * If the validation function passed to `assert.throws()` or `assert.rejects()` returns a value other than `true`, an assertion error will be thrown instead of the original error to highlight the programming mistake (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
  * If a constructor function is passed to validate the instance of errors thrown in `assert.throws()` or `assert.reject()`, an assertion error will be thrown instead of the original error (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
* build:
  * Node.js releases are now built with default full-icu support. This means that all locales supported by ICU are now included and Intl-related APIs may return different values than before (Richard Lau).
    https://github.com/nodejs/node/pull/29887
  * The minimum Xcode version supported for macOS was increased to 10. It is still possible to build Node.js with Xcode 8 but this may no longer be the case in a future v13.x release (Michael Dawson).
    https://github.com/nodejs/node/pull/29622
* child_process:
  * `ChildProcess._channel` (DEP0129) is now a Runtime deprecation (cjihrig).
    https://github.com/nodejs/node/pull/27949
* console:
  * The output of `console.timeEnd()` and `console.timeLog()` will now automatically select a suitable time unit instead of always using milliseconds (Xavier Stouder).
    https://github.com/nodejs/node/pull/29251
* deps:
  * The V8 engine was updated to version 7.8. This includes performance improvements to object destructuring, memory usage and WebAssembly startup time (Myles Borins).
    https://github.com/nodejs/node/pull/29694
* domain:
  * The domain's error handler is now executed with the active domain set to the domain's parent to prevent inner recursion (Julien Gilli).
    https://github.com/nodejs/node/pull/26211
* fs:
  * The undocumented method `FSWatcher.prototype.start()` was removed (Lucas Holmquist).
    https://github.com/nodejs/node/pull/29905
  * Calling the `open()` method on a `ReadStream` or `WriteStream` now emits a runtime deprecation warning. The methods are supposed to be internal and should not be called by user code (Robert Nagy).
    https://github.com/nodejs/node/pull/29061
  * `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now accept any safe integer as their `offset` parameter. The value of `offset` is also no longer coerced, so a valid type must be passed to the functions (Zach Bjornson).
    https://github.com/nodejs/node/pull/26572
* http:
  * Aborted requests no longer emit the `end` or `error` events after `aborted` (Robert Nagy).
    https://github.com/nodejs/node/pull/27984
    https://github.com/nodejs/node/pull/20077
  * Data will no longer be emitted after a socket error (Robert Nagy).
    https://github.com/nodejs/node/pull/28711
  * The legacy HTTP parser (previously available under the `--http-parser=legacy` flag) was removed (Anna Henningsen).
    https://github.com/nodejs/node/pull/29589
  * The `host` option for HTTP requests is now validated to be a string value (Giorgos Ntemiris).
    https://github.com/nodejs/node/pull/29568
  * The `request.connection` and `response.connection` properties are now runtime deprecated. The equivalent `request.socket` and `response.socket` should be used instead (Robert Nagy).
    https://github.com/nodejs/node/pull/29015
* http, http2:
  * The default server timeout was removed (Ali Ijaz Sheikh).
    https://github.com/nodejs/node/pull/27558
  * Brought 425 status code name into accordance with RFC 8470. The name changed from "Unordered Collection" to "Too Early" (Sergei Osipov).
    https://github.com/nodejs/node/pull/29880
* lib:
  * The `error.errno` property will now always be a number. To get the string value, use `error.code` instead (Joyee Cheung).
    https://github.com/nodejs/node/pull/28140
* module:
  * `module.createRequireFromPath()` is deprecated. Use `module.createRequire()` instead (cjihrig).
    https://github.com/nodejs/node/pull/27951
* src:
  * Changing the value of `process.env.TZ` will now clear the tz cache. This affects the default time zone used by methods such as `Date.prototype.toString` (Ben Noordhuis).
    https://github.com/nodejs/node/pull/20026
* stream:
  * The timing and behavior of streams was consolidated for a number of edge cases. Please look at the individual commits below for more information.

PR-URL: https://github.com/nodejs/node/pull/29504
2019-10-21 | 2019-10-21, Version 12.13.0 'Erbium' (LTS) | Michaël Zasso
This release marks the transition of Node.js 12.x into Long Term Support (LTS) with the codename 'Erbium'. The 12.x release line now moves into "Active LTS" and will remain so until October 2020. After that time, it will move into "Maintenance" until end of life in April 2022.

Notable changes:

npm was updated to 6.12.0. It now includes a version of `node-gyp` that supports Python 3 for building native modules.

PR-URL: https://github.com/nodejs/node/pull/29981
2019-10-14 | doc: fix --enable-source-maps flag in v12.12.0 changelog | Unlocked
Corrects "--source-map-support" to "--enable-source-maps".

Fixes: https://github.com/nodejs/node/issues/29959
PR-URL: https://github.com/nodejs/node/pull/29960
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2019-10-11 | 2019-10-11, Version 12.12.0 (Current) | Ruben Bridgewater
Notable changes:

* build:
  * Add `--force-context-aware` flag to prevent usage of native node addons that aren't context aware
    https://github.com/nodejs/node/pull/29631
* deprecations:
  * Add documentation-only deprecation for `process._tickCallback()`
    https://github.com/nodejs/node/pull/29781
* esm:
  * Using JSON modules is experimental again
    https://github.com/nodejs/node/pull/29754
* fs:
  * Introduce `opendir()` and `fs.Dir` to iterate through directories
    https://github.com/nodejs/node/pull/29349
* process:
  * Add source-map support to stack traces by using `--source-map-support`
    https://github.com/nodejs/node/pull/29564
* tls:
  * Honor `pauseOnConnect` option
    https://github.com/nodejs/node/pull/29635
  * Add option for private keys for OpenSSL engines
    https://github.com/nodejs/node/pull/28973

PR-URL: https://github.com/nodejs/node/pull/29919
2019-10-10 | doc: escape brackets not used as markdown reference links | Nick Schonning
These can turn into links if reference links are added to the document

PR-URL: https://github.com/nodejs/node/pull/29809
Reviewed-By: Rich Trott <rtrott@gmail.com>
2019-10-09 | 2019-10-09, Version 8.16.2 'Carbon' (LTS) | Beth Griggs
Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes:

- **deps**: upgrade openssl sources to 1.0.2s (Sam Roberts) [#28230](https://github.com/nodejs/node/pull/28230)

PR-URL: https://github.com/nodejs/node/pull/29617
2019-10-02 | doc: add dash between SHA and PR in changelog | Nick Schonning
It gets confused as a reference link otherwise

PR-URL: https://github.com/nodejs/node/pull/29558
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-10-02 | doc: convert old changelogs SHA links to match newer format | Nick Schonning
PR-URL: https://github.com/nodejs/node/pull/29558
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-10-02 | doc: complete cut off links in old changelog | Nick Schonning
PR-URL: https://github.com/nodejs/node/pull/29558
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-10-01 | 2019-10-01, Version 12.11.1 (Current) | Michaël Zasso
Notable changes:

* build:
  * This release fixes a regression that prevented from building Node.js using the official source tarball.
    https://github.com/nodejs/node/pull/29712
* deps:
  * Updated small-icu data to support "unit" style in the `Intl.NumberFormat` API.
    https://github.com/nodejs/node/pull/29735

PR-URL: https://github.com/nodejs/node/pull/29796
2019-10-01 | doc: remove redundant escape | XhmikosR
PR-URL: https://github.com/nodejs/node/pull/29716
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-26 | doc: fix 404 links | XhmikosR
For `www.cve.mitre.org` they don't seem to redirect www to naked.

PR-URL: https://github.com/nodejs/node/pull/29661
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-09-26 | 2019-09-24, Version 12.11.0 (Current) | Ruben Bridgewater
Notable changes:

* crypto:
  * Add `oaepLabel` option
    https://github.com/nodejs/node/pull/29489
* deps:
  * Update V8 to 7.7.299.11
    https://github.com/nodejs/node/pull/28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    https://github.com/nodejs/node/pull/29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    https://github.com/nodejs/node/pull/29260
* inspector:
  * New API - `Session.connectToMainThread`
    https://github.com/nodejs/node/pull/28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    https://github.com/nodejs/node/pull/28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    https://github.com/nodejs/node/pull/29639
* tls:
  * Add option to override signature algorithms
    https://github.com/nodejs/node/pull/29598
* util:
  * Add `encodeInto` to `TextEncoder`
    https://github.com/nodejs/node/pull/29524
* worker:
  * The `worker_thread` module is now stable
    https://github.com/nodejs/node/pull/29512

PR-URL: https://github.com/nodejs/node/pull/29695
2019-09-16 | doc: use consistent unordered list style | Nick Schonning
Convert to asterisks when there are mixed styles in document. Addresses Markdownlint MD004 rule

PR-URL: https://github.com/nodejs/node/pull/29516
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-10 | doc: indent child list items for remark-lint | Nick Schonning
Child items not aligned to parent are flagged by list-item-bullet-indent

PR-URL: https://github.com/nodejs/node/pull/29488
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-09 | doc: space around lists | Nick Schonning
Address markdownlint rule MD032. Flagged a few mixed list styles.

PR-URL: https://github.com/nodejs/node/pull/29467
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-09-08 | doc: remove wrong escapes | XhmikosR
PR-URL: https://github.com/nodejs/node/pull/29452
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
2019-09-07 | doc: prepare markdown files for more stringent blank-line linting | Rich Trott
PR-URL: https://github.com/nodejs/node/pull/29447
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2019-09-04 | 2019-09-04, Version 12.10.0 (Current) | Ruben Bridgewater
Notable changes:

* deps:
  * Update npm to 6.10.3 (isaacs)
    https://github.com/nodejs/node/pull/29023
* fs:
  * Add recursive option to rmdir() (cjihrig)
    https://github.com/nodejs/node/pull/29168
  * Allow passing true to emitClose option (Giorgos Ntemiris)
    https://github.com/nodejs/node/pull/29212
  * Add \*timeNs properties to BigInt Stats objects (Joyee Cheung)
    https://github.com/nodejs/node/pull/21387
* net:
  * Allow reading data into a static buffer (Brian White)
    https://github.com/nodejs/node/pull/25436

PR-URL: https://github.com/nodejs/node/pull/29429
2019-09-03 | doc: use consistent indenting for unordered list items | Nick Schonning
Address Markdownlint MD007 rule. Default suggestion is 2 space indenting for unordered list items.

PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-09-03 | doc: start unordered lists at start of line | Nick Schonning
Address Markdownlint MD006 rule. Can flag when list items aren't indented far enough.

PR-URL: https://github.com/nodejs/node/pull/29390
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-09-02 | doc: escape elements swallowed as HTML in markdown | Nick Schonning
Addresses Markdownlint MD033 issues. Altering changelog should usually be avoided, but they don't render currently.

PR-URL: https://github.com/nodejs/node/pull/29374
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-08-31 | doc: remove multiple consecutive blank lines | Nick Schonning
These are rendered as single breaks. Addresses Markdownlint MD012 rule.

PR-URL: https://github.com/nodejs/node/pull/29352
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
2019-08-28 | doc: inconsistent indentation for list items | Nick Schonning
Items at same level should have consistent indentation level. Addresses Markdownlint MD005 errors.

PR-URL: https://github.com/nodejs/node/pull/29330
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-08-26 | 2019-08-26, Version 12.9.1 (Current) | Michaël Zasso
Notable changes:

This release fixes two regressions in the http module:

* Fixes an event listener leak in the HTTP client. This resulted in lots of warnings during npm/yarn installs.
  https://github.com/nodejs/node/pull/29245
* Fixes a regression preventing the `'end'` event from being emitted for keepalive requests in case the full body was not parsed.
  https://github.com/nodejs/node/pull/29263

PR-URL: https://github.com/nodejs/node/pull/29321
2019-08-20 | 2019-08-20, Version 12.9.0 (Current) | Michaël Zasso
Notable changes:

* crypto:
  * Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding.
    https://github.com/nodejs/node/pull/28335
* deps:
  * Updated V8 to 7.6.303.29.
    https://github.com/nodejs/node/pull/28955
    * Improves the performance of various APIs such as `JSON.parse` and methods called on frozen arrays.
    * Adds the Promise.allSettled method.
    * Improves support of `BigInt` in `Intl` methods.
    * For more information: https://v8.dev/blog/v8-release-76
  * Updated libuv to 1.31.0.
    https://github.com/nodejs/node/pull/29070
    * `UV_FS_O_FILEMAP` has been added for faster access to memory mapped files on Windows.
    * `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on Windows. It previously returned `UV_ENOENT`.
    * The `uv_fs_statfs()` API has been added.
    * The `uv_os_environ()` and `uv_os_free_environ()` APIs have been added.
* fs:
  * Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise version) methods. They allow to write an array of `ArrayBufferView`s to a file descriptor.
    https://github.com/nodejs/node/pull/25925
    https://github.com/nodejs/node/pull/29186
* http:
  * Added three properties to `OutgoingMessage.prototype`: `writableObjectMode`, `writableLength` and `writableHighWaterMark`
    https://github.com/nodejs/node/pull/29018
* stream:
  * Added a new property `readableEnded` to readable streams. Its value is set to `true` when the `'end'` event is emitted.
    https://github.com/nodejs/node/pull/28814
  * Added a new property `writableEnded` to writable streams. Its value is set to `true` after `writable.end()` has been called.
    https://github.com/nodejs/node/pull/28934

PR-URL: https://github.com/nodejs/node/pull/29210
2019-08-16 | doc: fixup changelog for v10.16.3 | Andrew Hughes
Remove (SEMVER-MINOR) label from patch commit. Add link to table.

Refs: https://github.com/nodejs/node/pull/26990
PR-URL: https://github.com/nodejs/node/pull/29159
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
2019-08-15 | 2019-08-15, Version 8.16.1 'Carbon' (LTS) | Beth Griggs
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29152
2019-08-15 | 2019-08-15, Version 10.16.3 'Dubnium' (LTS) | Beth Griggs
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29148
2019-08-15 | 2019-08-15, Version 12.8.1 (Current) | Michaël Zasso
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29133
2019-08-062019-08-06, Version 10.16.2 'Dubnium' (LTS)Beth Griggs
Notable changes:
This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.
Refs: https://github.com/nodejs/node/issues/28932
PR-URL: https://github.com/nodejs/node/pull/29021
2019-08-072019-08-06, Version 12.8.0 (Current)Ruben Bridgewater
Notable changes:
* assert:
  * Legacy mode deprecation (`DEP0089`) is revoked (Colin Ihrig) https://github.com/nodejs/node/pull/28892
* crypto:
  * The `outputLength` option is added to `crypto.createHash` (Tobias Nießen) https://github.com/nodejs/node/pull/28805
  * The `maxmem` range is increased from 32 to 53 bits (Tobias Nießen) https://github.com/nodejs/node/pull/28799
* n-api:
  * Added APIs for per-instance state management (Gabriel Schulhof) https://github.com/nodejs/node/pull/28682
* report:
  * Network interfaces get included in the report (cjihrig) https://github.com/nodejs/node/pull/28911
* src:
  * `v8.getHeapCodeStatistics()` is now exported (Yuriy Vasiyarov) https://github.com/nodejs/node/pull/27978
PR-URL: https://github.com/nodejs/node/pull/29017
2019-07-312019-07-31, Version 10.16.1 'Dubnium' (LTS)Beth Griggs
Notable changes:
- **deps**: upgrade openssl sources to 1.1.1c (Sam Roberts) [#28212](https://github.com/nodejs/node/pull/28212)
- **stream**: do not unconditionally call `_read()` on `resume()` (Anna Henningsen) [#26965](https://github.com/nodejs/node/pull/26965)
- **worker**: fix nullptr deref after MessagePort deser failure (Anna Henningsen) [#25076](https://github.com/nodejs/node/pull/25076)
PR-URL: https://github.com/nodejs/node/pull/28731
2019-07-232019-07-23, Version 12.7.0 (Current)Michaël Zasso
Notable changes:
* deps:
  * Updated nghttp2 to 1.39.1. https://github.com/nodejs/node/pull/28448
  * Updated npm to 6.10.0. https://github.com/nodejs/node/pull/28525
* esm:
  * Implemented experimental "pkg-exports" proposal. A new `"exports"` field can be added to a module's `package.json` file to provide custom subpath aliasing. See https://github.com/jkrems/proposal-pkg-exports/ for more information. https://github.com/nodejs/node/pull/28568
* http:
  * Added `response.writableFinished`. https://github.com/nodejs/node/pull/28681
  * Exposed `headers`, `rawHeaders` and other fields on an `http.ClientRequest` `"information"` event. https://github.com/nodejs/node/pull/28459
* inspector:
  * Added `inspector.waitForDebugger()`. https://github.com/nodejs/node/pull/28453
* policy:
  * Added `--policy-integrity=sri` CLI option to mitigate policy tampering. If a policy integrity is specified and the policy does not have that integrity, Node.js will error prior to running any code. https://github.com/nodejs/node/pull/28734
* readline,tty:
  * Exposed stream API from various methods which write characters. https://github.com/nodejs/node/pull/28674 https://github.com/nodejs/node/pull/28721
* src:
  * Use cgroups to get memory limits. This improves the way we set the memory ceiling for a Node.js process. Previously we would use the physical memory size to estimate the necessary V8 heap sizes. The physical memory size is not necessarily the correct limit, e.g. if the process is running inside a docker container or is otherwise constrained. This change adds the ability to get a memory limit set by linux cgroups, which is used by docker containers to set resource constraints. https://docs.docker.com/config/containers/resource_constraints/ https://github.com/nodejs/node/pull/27508
PR-URL: https://github.com/nodejs/node/pull/28817
2019-07-032019-07-03, Version 12.6.0 (Current)Michaël Zasso
Notable changes:
* build:
  * Experimental support for building Node.js on MIPS architecture is back. https://github.com/nodejs/node/pull/27992
* child_process:
  * The promisified versions of `child_process.exec` and `child_process.execFile` now both return a `Promise` which has the child instance attached to their `child` property. https://github.com/nodejs/node/pull/28325
* deps:
  * Updated libuv to 1.30.1. https://github.com/nodejs/node/pull/28449, https://github.com/nodejs/node/pull/28511
  * Support for the Haiku platform has been added.
  * The maximum `UV_THREADPOOL_SIZE` has been increased from 128 to 1024.
  * `uv_fs_copyfile()` now works properly when the source and destination files are the same.
* process:
  * A new method, `process.resourceUsage()` was added. It returns resource usage for the current process, such as CPU time. https://github.com/nodejs/node/pull/28018
* src:
  * Fixed an issue related to stdio that could lead to a crash of the process in some circumstances. https://github.com/nodejs/node/pull/28490
* stream:
  * Added a `writableFinished` property to writable streams. It indicates that all the data has been flushed to the underlying system. https://github.com/nodejs/node/pull/28007
* worker:
  * Fixed an issue that prevented worker threads to listen for data on stdin. https://github.com/nodejs/node/pull/28153
* meta:
  * Added Jiawen Geng (https://github.com/gengjiawen) to collaborators. https://github.com/nodejs/node/pull/28322
PR-URL: https://github.com/nodejs/node/pull/28508
2019-06-27doc: add links to 12.5.0 changelog notable changesGus Caplan
PR-URL: https://github.com/nodejs/node/pull/28450
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-06-272019-06-27, Version 12.5.0 (Current)Ruben Bridgewater
Notable changes:
* build:
  * The startup time is reduced by enabling V8 snapshots by default https://github.com/nodejs/node/pull/28181
* deps:
  * Updated `V8` to 7.5.288.22 https://github.com/nodejs/node/pull/27375
  * The numeric separator (v8.dev/features/numeric-separators) feature is now enabled by default
  * Updated `OpenSSL` to 1.1.1c https://github.com/nodejs/node/pull/28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector web socket url exposure https://github.com/nodejs/node/pull/27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant https://github.com/nodejs/node/pull/27851
* report:
  * The cpu info got added to the report output https://github.com/nodejs/node/pull/28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent leaving stdio in raw or non-blocking mode https://github.com/nodejs/node/pull/24260
* tools,gyp:
  * Introduce MSVS 2019 https://github.com/nodejs/node/pull/27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before https://github.com/nodejs/node/pull/28059 https://github.com/nodejs/node/pull/28070
    * Long strings will not be split at 80 characters anymore. Instead they will be split on new lines https://github.com/nodejs/node/pull/28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is deprecated https://github.com/nodejs/node/pull/28021
PR-URL: https://github.com/nodejs/node/pull/28268
2019-06-042019-06-04, Version 12.4.0 (Current)Michaël Zasso
Notable changes:
* doc:
  * The JSON variant of the API documentation is no longer experimental (Rich Trott) https://github.com/nodejs/node/pull/27842.
* esm:
  * JSON module support is always enabled under `--experimental-modules`. The `--experimental-json-modules` flag has been removed (Myles Borins) https://github.com/nodejs/node/pull/27752.
* http,http2:
  * A new flag has been added for overriding the default HTTP server socket timeout (which is two minutes). Pass `--http-server-default-timeout=milliseconds` or `--http-server-default-timeout=0` to respectively change or disable the timeout. Starting with Node.js 13.0.0, the timeout will be disabled by default (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/27704.
* inspector:
  * Added an experimental `--heap-prof` flag to start the V8 heap profiler on startup and write the heap profile to disk before exit (Joyee Cheung) https://github.com/nodejs/node/pull/27596.
* stream:
  * The `readable.unshift()` method now correctly converts strings to buffers. Additionally, a new optional argument is accepted to specify the string's encoding, such as `'utf8'` or `'ascii'` (Marcos Casagrande) https://github.com/nodejs/node/pull/27194.
* v8:
  * The object returned by `v8.getHeapStatistics()` has two new properties: `number_of_native_contexts` and `number_of_detached_contexts` (Yuriy Vasiyarov) https://github.com/nodejs/node/pull/27933.
PR-URL: https://github.com/nodejs/node/pull/28040
2019-05-282019-05-28, Version 10.16.0 'Dubnium' (LTS)Beth Griggs
Notable changes:
- **deps**:
  - update ICU to 64.2 (Ujjwal Sharma) [#27361](https://github.com/nodejs/node/pull/27361)
  - upgrade npm to 6.9.0 (Kat Marchán) [#26244](https://github.com/nodejs/node/pull/26244)
  - upgrade openssl sources to 1.1.1b (Sam Roberts) [#26327](https://github.com/nodejs/node/pull/26327)
  - upgrade to libuv 1.28.0 (cjihrig) [#27241](https://github.com/nodejs/node/pull/27241)
- **events**:
  - add once method to use promises with EventEmitter (Matteo Collina) [#26078](https://github.com/nodejs/node/pull/26078)
- **n-api**:
  - mark thread-safe function as stable (Gabriel Schulhof) [#25556](https://github.com/nodejs/node/pull/25556)
- **repl**:
  - support top-level for-await-of (Shelley Vohr) [#23841](https://github.com/nodejs/node/pull/23841)
- **zlib**:
  - add brotli support (Anna Henningsen) [#24938](https://github.com/nodejs/node/pull/24938)
PR-URL: https://github.com/nodejs/node/pull/27514
2019-05-222019-05-22, Version v12.3.1 (Current)Ruben Bridgewater
Notable changes
* deps:
  * Fix handling of +0/-0 when constant field tracking is enabled (Michaël Zasso) https://github.com/nodejs/node/pull/27792
  * Fix `os.freemem()` and `os.totalmem` correctness (cjihrig) https://github.com/nodejs/node/pull/27718
* src:
  * Fix v12.3.0 regression that prevents native addons from compiling https://github.com/nodejs/node/pull/27804
PR-URL: https://github.com/nodejs/node/pull/27814
2019-05-212019-05-21, Version 12.3.0 (Current)Ruben Bridgewater
Notable changes:
* esm:
  * Added the `--experimental-wasm-modules` flag to support WebAssembly modules (Myles Borins & Guy Bedford) https://github.com/nodejs/node/pull/27659
* process:
  * Log errors using `util.inspect` in case of fatal exceptions (Ruben Bridgewater) https://github.com/nodejs/node/pull/27243
* repl:
  * Add `process.on('uncaughtException')` support (Ruben Bridgewater) https://github.com/nodejs/node/pull/27151
* stream:
  * Implemented `Readable.from` async iterator utility (Guy Bedford) https://github.com/nodejs/node/pull/27660
* tls:
  * Expose built-in root certificates (Ben Noordhuis) https://github.com/nodejs/node/pull/26415
  * Support `net.Server` options (Luigi Pinca) https://github.com/nodejs/node/pull/27665
  * Expose `keylog` event on TLSSocket (Alba Mendez) https://github.com/nodejs/node/pull/27654
* worker:
  * Added the ability to unshift messages from the `MessagePort` (Anna Henningsen) https://github.com/nodejs/node/pull/27294
PR-URL: https://github.com/nodejs/node/pull/27799
2019-05-072019-05-07, Version 12.2.0 (Current)Michaël Zasso
Notable changes:
* deps:
  * Updated llhttp to 1.1.3. This fixes a bug that made Node.js' HTTP parser refuse any request URL that contained the "|" (vertical bar) character. https://github.com/nodejs/node/pull/27595
* tls:
  * Added an `enableTrace()` method to `TLSSocket` and an `enableTrace` option to `tls.createServer()`. When enabled, TLS packet trace information is written to `stderr`. This can be used to debug TLS connection problems. https://github.com/nodejs/node/pull/27497 https://github.com/nodejs/node/pull/27376
* cli:
  * Added a `--trace-tls` command-line flag that enables tracing of TLS connections without the need to modify existing application code. https://github.com/nodejs/node/pull/27497
  * Added a `--cpu-prof-interval` command-line flag. It can be used to specify the sampling interval for the CPU profiles generated by `--cpu-prof`. https://github.com/nodejs/node/pull/27535
* module:
  * Added the `createRequire()` method. It allows to create a require function from a file URL object, a file URL string or an absolute path string. The existing `createRequireFromPath()` method is now deprecated https://github.com/nodejs/node/pull/27405.
  * Throw on `require('./path.mjs')`. This is technically a breaking change that should have landed with Node.js 12.0.0. It is necessary to have this to keep the possibility for a future minor version to load ES Modules with the require function. https://github.com/nodejs/node/pull/27417
* repl:
  * The REPL now supports multi-line statements using `BigInt` literals as well as public and private class fields and methods. https://github.com/nodejs/node/pull/27400
  * The REPL now supports tab autocompletion of file paths with `fs` methods. https://github.com/nodejs/node/pull/26648
* meta:
  * Added Christian Clauss (https://github.com/cclauss) to collaborators. https://github.com/nodejs/node/pull/27554
PR-URL: https://github.com/nodejs/node/pull/27578
2019-04-302019-04-30, Version 11.15.0 (Current)Shelley Vohr
Notable changes:
* deps: add s390 asm rules for OpenSSL-1.1.1 (Sam Roberts) [#19794](https://github.com/nodejs/node/pull/19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](https://github.com/nodejs/node/pull/25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * revert default max to TLSv1.2 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
  * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)
PR-URL: https://github.com/nodejs/node/pull/27314