This is a security release.
Notable changes:
Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt
Fix for building Node.js 12.x with Visual Studio 2019 to allow us to continue to
run CI tests.
PR-URL: https://github.com/nodejs/node/pull/42363
Notable changes:
Fixed regression in url.resolve()
This release fixes an issue introduced in Node.js v17.7.0 with some URLs
that contain `@`. This issue affected yarn 1. This version reverts the
change that introduced the regression.
PR-URL: https://github.com/nodejs/node/pull/42285
PR-URL: https://github.com/nodejs/node/pull/41808
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Mestery <mestery@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Notable changes:
Corepack:
Node.js now includes Corepack, a script that acts as a bridge between
Node.js projects and the package managers they are intended to be used
with during development.
In practical terms, Corepack will let you use Yarn and pnpm without
having to install them - just like what currently happens with npm,
which is shipped in Node.js by default.
Contributed by Maël Nison - https://github.com/nodejs/node/pull/39608
ICU updated:
ICU has been updated to 70.1. This updates timezone database to 2021a3,
including bringing forward the start for DST for Jordan from March to
February.
Contributed by Michaël Zasso - https://github.com/nodejs/node/pull/40658
New option to disable loading of native addons:
A new command line option `--no-addons` has been added to disallow
loading of native addons.
Contributed by Dominic Elm - https://github.com/nodejs/node/pull/39977
Updated Root Certificates:
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71.
Contributed by Richard Lau - https://github.com/nodejs/node/pull/40280
Other Notable Changes:
crypto:
* (SEMVER-MINOR) make FIPS related options always available (Vít Ondruch) https://github.com/nodejs/node/pull/36341
lib:
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
module:
* (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
src:
* (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926
PR-URL: https://github.com/nodejs/node/pull/41696
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/311
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/312
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/310
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/309
Notable changes
This release contains a c-ares update to fix a regression introduced in
Node.js 14.17.5 resolving CNAME records containing underscores
(https://github.com/nodejs/node/issues/39780).
Also included are commits to allow Node.js 14 to continue to build and
pass tests on our Jenkins CI, including adding Python 3.10 to the list
of allowable Python versions for building.
PR-URL: https://github.com/nodejs/node/pull/40969
Update mdast-util-to-markdown to 1.2.4 which reduces unnecessary
escaping of `_` and some other characters. Re-run markdown formatter.
PR-URL: https://github.com/nodejs/node/pull/40645
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Once the README and find-inactive-collaborators.mjs changes land here,
we can introduce markdown formatting as a step in the toolchain
somewhere.
Before this lands, https://github.com/nodejs/node-core-utils/pull/578
will need to land and be included in a node-core-utils release.
PR-URL: https://github.com/nodejs/node/pull/40645
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Notable changes:
This release marks the transition of Node.js 16.x into Long Term Support (LTS)
with the codename 'Gallium'. The 16.x release line now moves into "Active LTS"
and will remain so until October 2022. After that time, it will move into
"Maintenance" until end of life in April 2024.
PR-URL: https://github.com/nodejs/node/pull/40536
Notable changes:
Fixed distribution for native addon builds
This release fixes an issue introduced in Node.js v17.0.0, where some V8
headers were missing from the distributed tarball, making it impossible
to build native addons. These headers are now included.
https://github.com/nodejs/node/pull/40526
Fixed stream issues
* Fixed a regression in `stream.promises.pipeline`, which was introduced
in version 16.10.0, is fixed. It is now possible again to pass an
array of streams to the function.
https://github.com/nodejs/node/pull/40193
* Fixed a bug in `stream.Duplex.from`, which didn't work properly when
an async generator function was passed to it.
https://github.com/nodejs/node/pull/40499
PR-URL: https://github.com/nodejs/node/pull/40535
Notable Changes:
Experimental ESM Loader Hooks API:
Node.js ESM Loader hooks have been consolidated to represent the steps involved needed to facilitate future loader chaining:
1. `resolve`: `resolve` [+ `getFormat`]
2. `load`: `getFormat` + `getSource` + `transformSource`
For consistency, `getGlobalPreloadCode` has been renamed to `globalPreload`.
A loader exporting obsolete hook(s) will trigger a single deprecation warning (per loader) listing the errant hooks.
Contributed by Jacob Smith, Geoffrey Booth, and Bradley Farias - https://github.com/nodejs/node/pull/37468
Other Notable Changes:
deps:
* upgrade npm to 8.1.0 (npm team) https://github.com/nodejs/node/pull/40463
doc:
* deprecate (doc-only) http abort related (dr-js) https://github.com/nodejs/node/pull/36670
vm:
* (SEMVER-MINOR) add support for import assertions in dynamic imports (Antoine du Hamel) https://github.com/nodejs/node/pull/40249
PR-URL: https://github.com/nodejs/node/pull/40504
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/293
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked requests.
requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/294
This is a security release.
Notable changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/295
Use the format-md task to format changelogs.
PR-URL: https://github.com/nodejs/node/pull/40388
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Upcoming remark-based formatting/linting will add a blank line between
comments in markdown. This is in preparation for that change.
PR-URL: https://github.com/nodejs/node/pull/40160
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/280
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/279
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/278
This is a security release.
Notable Changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
This releases fixes some regressions with internationalization
introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.
PR-URL: https://github.com/nodejs/node/pull/39466
This is a security release.
Notable changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
PR-URL: https://github.com/nodejs/node/pull/39500
Notable changes:
Node.js 16.4.1 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39270
Notable changes:
Node.js 14.17.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39269
Notable changes:
Node.js 12.22.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39268
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/271
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/272
Notable Changes:
Diagnostics channel (experimental module):
`diagnostics_channel` is a new experimental module that provides an API
to create named channels to report arbitrary message data for
diagnostics purposes.
The module was initially introduced in Node.js v15.1.0 and is
backported to v14.17.0 to enable testing it at a larger scale.
With `diagnostics_channel`, Node.js core and module authors can publish
contextual data about what they are doing at a given time. This could
be the hostname and query string of a mysql query, for example. Just
create a named channel with `dc.channel(name)` and call
`channel.publish(data)` to send the data to any listeners to that
channel.
```js
const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');
MySQL.prototype.query = function query(queryString, values, callback) {
// Broadcast query information whenever a query is made
channel.publish({
query: queryString,
host: this.hostname,
});
this.doQuery(queryString, values, callback);
};
```
Channels are like one big global event emitter but are split into
separate objects to ensure they get the best performance. If nothing is
listening to the channel, the publishing overhead should be as close to
zero as possible. Consuming channel data is as easy as using
`channel.subscribe(listener)` to run a function whenever a message is
published to that channel.
```js
const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');
channel.subscribe(({ query, host }) => {
console.log(`mysql query to ${host}: ${query}`);
});
```
The data captured can be used to provide context for what an app is
doing at a given time. This can be used for things like augmenting
tracing data, tracking network and filesystem activity, logging
queries, and many other things. It's also a very useful data source
for diagnostics tools to provide a clearer picture of exactly what the
application is doing at a given point in the data they are presenting.
Contributed by Stephen Belanger (https://github.com/nodejs/node/pull/34895).
UUID support in the crypto module:
The new `crypto.randomUUID()` method now allows to generate random
[RFC 4122](https://www.rfc-editor.org/rfc/rfc4122.txt) Version 4
UUID strings:
```js
const { randomUUID } = require('crypto');
console.log(randomUUID());
// 'aa7c91a1-f8fc-4339-b9db-f93fc7233429'
```
Contributed by James M Snell (https://github.com/nodejs/node/pull/36729).
Experimental support for `AbortController` and `AbortSignal`:
Node.js 14.17.0 adds experimental partial support for `AbortController`
and `AbortSignal`.
Both constructors can be enabled globally using the
`--experimental-abortcontroller` flag.
Additionally, several Node.js APIs have been updated to support
`AbortSignal` for cancellation.
It is not mandatory to use the built-in constructors with them. Any
spec-compliant third-party alternatives should be compatible.
`AbortSignal` support was added to the following methods:
* `child_process.exec`
* `child_process.execFile`
* `child_process.fork`
* `child_process.spawn`
* `dgram.createSocket`
* `events.on`
* `events.once`
* `fs.readFile`
* `fs.watch`
* `fs.writeFile`
* `http.request`
* `https.request`
* `http2Session.request`
* The promisified variants of `setImmediate` and `setTimeout`
Other notable changes:
* doc:
* revoke deprecation of legacy url, change status to legacy (James M Snell) (https://github.com/nodejs/node/pull/37784)
* add legacy status to stability index (James M Snell) (https://github.com/nodejs/node/pull/37784)
* upgrade stability status of report API (Gireesh Punathil) (https://github.com/nodejs/node/pull/35654)
* deps:
* V8: Backport various patches for Apple Silicon support (BoHong Li) (https://github.com/nodejs/node/pull/38051)
* update ICU to 68.1 (Michaël Zasso) (https://github.com/nodejs/node/pull/36187)
* upgrade to libuv 1.41.0 (Colin Ihrig) (https://github.com/nodejs/node/pull/37360)
* http:
* add http.ClientRequest.getRawHeaderNames() (simov) (https://github.com/nodejs/node/pull/37660)
* report request start and end with diagnostics\_channel (Stephen Belanger) (https://github.com/nodejs/node/pull/34895)
* util:
* add getSystemErrorMap() impl (eladkeyshawn) (https://github.com/nodejs/node/pull/38101)
PR-URL: https://github.com/nodejs/node/pull/38507
Notable changes
The legacy HTTP parser is runtime deprecated:
- The legacy HTTP parser, selected by the `--http-parser=legacy` command line
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it
is the only HTTP parser implementation provided) at the end of April 2021. It
will now warn on use but otherwise continue to function and may be removed in
a future Node.js 12.x release.
- The default HTTP parser based on llhttp is not affected. By default it is
stricter than the now deprecated legacy HTTP parser. If interoperability with
HTTP implementations that send invalid HTTP headers is required, the HTTP
parser can be started in a less secure mode with the `--insecure-http-parser`
command line option.
ES Modules:
- ES Modules are now considered stable.
node-api:
- Updated to node-api version 8 and added an experimental API to allow
retrieval of the add-on file name.
New API's to control code coverage data collection:
- `v8.stopCoverage()` and `v8.takeCoverage()` have been added.
New API to monitor event loop utilization by Worker threads
- `worker.performance.eventLoopUtilization()` has been added.
PR-URL: https://github.com/nodejs/node/pull/37797
This is a security release.
Notable changes
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/255
This is a security release.
Notable changes
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/256
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/254
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/253
PR-URL: https://github.com/nodejs/node/pull/37229
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/36959
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Notable changes:
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
PR-URL: https://github.com/nodejs-private/node-private/pull/240
Notable changes:
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
PR-URL: https://github.com/nodejs-private/node-private/pull/239
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference
(High)
- This is a vulnerability in OpenSSL which may be exploited through
Node.js. You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
- **CVE-2020-8265**: use-after-free in TLSWrap (High)
- Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
- **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low)
- Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
PR-URL: https://github.com/nodejs-private/node-private/pull/242
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2020-8265**: use-after-free in TLSWrap (High)
* Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
- **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low)
* Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
PR-URL: https://github.com/nodejs-private/node-private/pull/241
This is a security release.
Notable changes:
Vulnerabilities fixed:
* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of Service by getting the
application to resolve a DNS record with a larger number of responses.
PR-URL: https://github.com/nodejs-private/node-private/pull/233
This is a security release.
Notable changes:
Vulnerabilities fixed:
* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of Service by getting the
application to resolve a DNS record with a larger number of responses.
PR-URL: https://github.com/nodejs-private/node-private/pull/234
This is a security release.
Notable changes:
Vulnerabilities fixed:
* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of service by getting the
application to resolve a DNS record with a larger number of responses.
PR-URL: https://github.com/nodejs-private/node-private/pull/232
Notable changes:
This release marks the transition of Node.js 14.x into Long Term Support (LTS)
with the codename 'Fermium'. The 14.x release line now moves into "Active LTS"
and will remain so until October 2021. After that time, it will move into
"Maintenance" until end of life in April 2023.
PR-URL: https://github.com/nodejs/node/pull/35746
PR-URL: https://github.com/nodejs/node/pull/35217
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
This is a security release.
Notable changes:
Vulnerabilities fixed:
- CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due
to unfinished HTTP/1.1 requests (Critical).
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
(High).
PR-URL: https://github.com/nodejs-private/node-private/pull/225
This is a security release.
Notable changes:
Vulnerabilities fixed:
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
- CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
PR-URL: https://github.com/nodejs-private/node-private/pull/223
Notable changes:
Node.js 14.10.0 included a streams regression with async generators
and a docs rendering regression that are being fixed in this release.
PR-URL: https://github.com/nodejs/node/pull/35137
PR-URL: https://github.com/nodejs/node/pull/34158
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8174: napi_get_value_string_*() allows various kinds of
memory corruption (High).
- CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
PR-URL: https://github.com/nodejs-private/node-private/pull/211
This is a security release.
Notable changes:
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).
PR-URL: https://github.com/nodejs-private/node-private/pull/213
This is a security release.
Notable changes:
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).
PR-URL: https://github.com/nodejs-private/node-private/pull/212
Notable changes:
* ECMAScript Modules - `--experimental-modules` flag removal
* AsyncLocalStorage API (experimental)
* REPL previews
* REPL reverse-i-search
* REPL substring-based search
* Error monitoring
* Monitoring `error` events
* Monitoring uncaught exceptions
* File system APIs
* New function: `fs.readv`
* Optional parameters in `fs.read`
* Console `groupIndentation` option
* `maxStringLength` option for `util.inspect()`
* Stable N-API release 6
* Stable diagnostic reports
* Increase of the default server headers timeout
* New `--trace-sigint` CLI flag
* Various crypto APIs now support Diffie-Hellman secrets
* Added support for the `dns.ALL` flag in `dns.lookup()`
* Added a new experimental API to interact with Source Map V3 data
* Added support for passing a `transferList` along with `workerData` to
the `Worker` constructor
PR-URL: https://github.com/nodejs/node/pull/33197
Deprecations:
- (SEMVER-MAJOR) crypto: move pbkdf2 without digest to EOL
(James M Snell) [#31166](https://github.com/nodejs/node/pull/31166)
- (SEMVER-MAJOR) fs: deprecate closing FileHandle on garbage collection
(James M Snell) [#28396](https://github.com/nodejs/node/pull/28396)
- (SEMVER-MAJOR) http: move OutboundMessage.prototype.flush to EOL
(James M Snell) [#31164](https://github.com/nodejs/node/pull/31164)
- (SEMVER-MAJOR) lib: move GLOBAL and root aliases to EOL
(James M Snell) [#31167](https://github.com/nodejs/node/pull/31167)
- (SEMVER-MAJOR) os: move tmpDir() to EOL
(James M Snell)[#31169](https://github.com/nodejs/node/pull/31169)
- (SEMVER-MAJOR) src: remove deprecated wasm type check
(Clemens Backes) [#32116](https://github.com/nodejs/node/pull/32116)
- (SEMVER-MAJOR) stream: move \_writableState.buffer to EOL
(James M Snell) [#31165](https://github.com/nodejs/node/pull/31165)
- (SEMVER-MINOR) doc: deprecate process.mainModule
(Antoine du HAMEL) [#32232](https://github.com/nodejs/node/pull/32232)
- (SEMVER-MINOR) doc: deprecate process.umask() with no arguments
(Colin Ihrig) [#32499](https://github.com/nodejs/node/pull/32499)
ECMAScript Modules - Experimental Warning Removal:
- module: remove experimental modules warning
(Guy Bedford) [#31974](https://github.com/nodejs/node/pull/31974)
In Node.js 13 we removed the need to include the --experimental-modules
flag, but when running EcmaScript Modules in Node.js, this would still
result in a warning ExperimentalWarning: The ESM module loader is
experimental.
As of Node.js 14 there is no longer this warning when using ESM in
Node.js. However, the ESM implementation in Node.js remains
experimental. As per our stability index: “The feature is not subject
to Semantic Versioning rules. Non-backward compatible changes or
removal may occur in any future release.” Users should be cautious when
using the feature in production environments.
Please keep in mind that the implementation of ESM in Node.js differs
from the developer experience you might be familiar with. Most
transpilation workflows support features such as optional file
extensions or JSON modules that the Node.js ESM implementation does not
support. It is highly likely that modules from transpiled environments
will require a certain degree of refactoring to work in Node.js. It is
worth mentioning that many of our design decisions were made with two
primary goals. Spec compliance and Web Compatibility. It is our belief
that the current implementation offers a future proof model to
authoring ESM modules that paves the path to Universal JavaScript.
Please read more in our documentation.
The ESM implementation in Node.js is still experimental but we do believe
that we are getting very close to being able to call ESM in Node.js
“stable”. Removing the warning is a huge step in that direction.
New V8 ArrayBuffer API:
* **src**: migrate to new V8 ArrayBuffer API
(Thang Tran) [#30782](https://github.com/nodejs/node/pull/30782)
Multiple ArrayBuffers pointing to the same base address are no longer
allowed by V8. This may impact native addons.
Toolchain and Compiler Upgrades:
- (SEMVER-MAJOR) build: update macos deployment target to 10.13 for 14.x
(AshCripps)[#32454](https://github.com/nodejs/node/pull/32454)
- (SEMVER-MAJOR) doc: update cross compiler machine for Linux armv7
(Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) doc: update Centos/RHEL releases use devtoolset-8
(Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) doc: remove SmartOS from official binaries
(Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) win: block running on EOL Windows versions
(João Reis) [#31954](https://github.com/nodejs/node/pull/31954)
It is expected that there will be an ABI mismatch on ARM between the
Node.js binary and native addons. Native addons are only broken if they
interact with `std::shared_ptr`. This is expected to be fixed in a
later version of Node.js 14.
- [#30786](https://github.com/nodejs/node/issues/30786)
Update to V8 8.1:
- (SEMVER-MAJOR) deps: update V8 to 8.1.307.20
(Matheus Marchini) [#32116](https://github.com/nodejs/node/pull/32116)
Other Notable Changes:
- cli, report: move --report-on-fatalerror to stable
(Colin Ihrig) [#32496](https://github.com/nodejs/node/pull/32496)
- deps: upgrade to libuv 1.37.0
(Colin Ihrig) [#32866](https://github.com/nodejs/node/pull/32866)
- fs: add fs/promises alias module
(Gus Caplan) [#31553](https://github.com/nodejs/node/pull/31553)
PR-URL: https://github.com/nodejs/node/pull/32181
Notable changes:
Due to release process failures, Node.js v10.20.0 shipped with source
and header tarballs that did not properly match the final release
commit that was used to build the binaries. We recommend that Node.js
v10.20.0 not be used, particularly in any applications using native
add-ons or where compiling Node.js from source is involved.
Node.js v10.20.1 is a clean release with the correct sources and is
strongly recommended in place of v10.20.0.
PR-URL: https://github.com/nodejs/node/pull/32768
Notable changes:
In Node.js 13.9.0 deps/zlib was switched to the chromium maintained
implementation. This change had the unforseen consequence of breaking
building from the tarballs we release as we were too aggressively
removing `unneccessary files` from the `deps/zlib` folder. This release
includes a patch that ensures that individuals will once again be able
to build Node.js from source.
PR-URL: https://github.com/nodejs/node/pull/32099
There was a slight discrepancy between the build of 12.16.1 and what
landed on 12.x. This was only a couple spelling errors that didn't
get updated between machines I was working on. This change gets the
changelog up to date with what went out in the release vs what is
current on the 12.x release branch.
PR-URL: https://github.com/nodejs/node/pull/31854
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Notable changes:
Node.js 12.16.0 included 6 regressions that are being fixed in this
release
**Accidental Unflagging of Self Resolving Modules**:
12.16.0 included a large update to the ESM implementation. One of the
new features, Self Referential Modules, was accidentally released
without requiring the `--experimental-modules` flag. This release is
being made to appropriately flag the feature.
**Process Cleanup Changed Introduced WASM-Related Assertion**:
A change during Node.js process cleanup led to a crash in combination
with specific usage of WASM. This has been fixed by partially reverted
said change. A regression test and a full fix are being worked on and
will likely be included in future 12.x and 13.x releases.
**Use Largepages Runtime Option Introduced Linking Failure**:
A Semver-Minor change to introduce `--use-largepages` as a runtime
option introduced a linking failure. This had been fixed in master but
regressed as the fix has not yet gone out in a Current release. The
feature has been reverted, but will be able to reland with a fix in a
future Semver-Minor release.
**Async Hooks was Causing an Exception When Handling Errors**:
Changes in async hooks internals introduced a case where an internal
api call could be called with undefined causing a process to crash. The
change to async hooks was reverted. A regression test and fix has been
proposed and the change could re land in a future Semver-Patch release
if the regression is reliably fixed.
**New Enumerable Read-Only Property on EventEmitter breaks @types/extend**
A new property for enumerating events was added to the EventEmitter
class. This broke existing code that was using the `@types/extend`
module for extending classses as `@types/extend` was attemping to write
over the existing field which the new change made read-only. As this is
the first property on EventEmitter that is read-only this feature could
be considered Semver-Major. The new feature has been reverted but could
re land in a future Semver-Minor release if a non breaking way of
applying it is found.
**Exceptions in the HTTP parser were not emitting an uncaughtException**
A refactoring to Node.js interanls resulted in a bug where errors in
the HTTP parser were not being emitted by
`process.on('uncaughtException')`. The fix to this bug has been
included in this release.
PR-URL: https://github.com/nodejs/node/pull/31781
Notable changes:
New assert APIs
The `assert` module now provides experimental `assert.match()` and
`assert.doesNotMatch()` methods. They will validate that the first argument is a
string and matches (or does not match) the provided regular expression
This is an experimental feature.
Ruben Bridgewater [#30929](https://github.com/nodejs/node/pull/30929).
Advanced serialization for IPC
The `child_process` and `cluster` modules now support a `serialization` option
to change the serialization mechanism used for IPC. The option can have one of
two values:
* `'json'` (default): `JSON.stringify()` and `JSON.parse()` are used. This is
how message serialization was done before.
* `'advanced'`: The serialization API of the `v8` module is used. It is based on
the HTML structured clone algorithm.
and is able to serialize more built-in JavaScript object types, such as
`BigInt`, `Map`, `Set` etc. as well as circular data structures.
Anna Henningsen [#30162](https://github.com/nodejs/node/pull/30162).
CLI flags
The new `--trace-exit` CLI flag makes Node.js print a stack trace whenever the
Node.js environment is exited proactively (i.e. by invoking the `process.exit()`
function or pressing Ctrl+C).
legendecas [#30516](https://github.com/nodejs/node/pull/30516).
___
The new `--trace-uncaught` CLI flag makes Node.js print a stack trace at the
time of throwing uncaught exceptions, rather than at the creation of the `Error`
object, if there is any.
This option is not enabled by default because it may affect garbage collection
behavior negatively.
Anna Henningsen [#30025](https://github.com/nodejs/node/pull/30025).
___
The `--disallow-code-generation-from-strings` V8 CLI flag is now whitelisted in
the `NODE_OPTIONS` environment variable.
Shelley Vohr [#30094](https://github.com/nodejs/node/pull/30094).
New crypto APIs
For DSA and ECDSA, a new signature encoding is now supported in addition to the
existing one (DER). The `verify` and `sign` methods accept a `dsaEncoding`
option, which can have one of two values:
* `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
* `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.
Tobias Nießen [#29292](https://github.com/nodejs/node/pull/29292).
___
A new method was added to `Hash`: `Hash.prototype.copy`. It makes it possible to
clone the internal state of a `Hash` object into a new `Hash` object, allowing
to compute the digest between updates.
Ben Noordhuis [#29910](https://github.com/nodejs/node/pull/29910).
Dependency updates
libuv was updated to 1.34.0. This includes fixes to `uv_fs_copyfile()` and
`uv_interface_addresses()` and adds two new functions: `uv_sleep()` and
`uv_fs_mkstemp()`.
Colin Ihrig [#30783](https://github.com/nodejs/node/pull/30783).
___
V8 was updated to 7.8.279.23. This includes performance improvements to object
destructuring, RegExp match failures and WebAssembly startup time.
The official release notes are available at https://v8.dev/blog/v8-release-78.
Michaël Zasso [#30109](https://github.com/nodejs/node/pull/30109).
New EventEmitter APIs
The new `EventEmitter.on` static method allows to async iterate over events.
Matteo Collina [#27994](https://github.com/nodejs/node/pull/27994).
___
It is now possible to monitor `'error'` events on an `EventEmitter` without
consuming the emitted error by installing a listener using the symbol
`EventEmitter.errorMonitor`.
Gerhard Stoebich [#30932](https://github.com/nodejs/node/pull/30932).
___
Using `async` functions with event handlers is problematic, because it
can lead to an unhandled rejection in case of a thrown exception.
The experimental `captureRejections` option in the `EventEmitter` constructor or
the global setting change this behavior, installing a
`.then(undefined, handler)` handler on the `Promise`. This handler routes the
exception asynchronously to the `Symbol.for('nodejs.rejection')` method if there
is one, or to the `'error'` event handler if there is none.
Setting `EventEmitter.captureRejections = true` will change the default for all
new instances of `EventEmitter`.
This is an experimental feature.
Matteo Collina [#27867](https://github.com/nodejs/node/pull/27867).
Performance Hooks are no longer experimental
The `perf_hooks` module is now considered a stable API.
legendecas [#31101](https://github.com/nodejs/node/pull/31101).
Introduction of experimental WebAssembly System Interface (WASI) support
A new core module, `wasi`, is introduced to provide an implementation of the
[WebAssembly System Interface](https://wasi.dev/) specification.
WASI gives sandboxed WebAssembly applications access to the
underlying operating system via a collection of POSIX-like functions.
This is an experimental feature.
Colin Ihrig [#30258](https://github.com/nodejs/node/pull/30258).
PR-URL: https://github.com/nodejs/node/pull/31691
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/198
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/197
This is a security release.
Vulnerabilities fixed:
* **CVE-2019-15606**:
HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
Remotely trigger an assertion on a TLS server with a malformed
certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.
PR-URL: https://github.com/nodejs-private/node-private/pull/196
Notable changes:
* Experimental support for building Node.js with Python 3 is improved.
* ICU time zone data is updated to version 2019c. This fixes the date
offset in Brazil.
PR-URL: https://github.com/nodejs/node/issues/30352
Notable changes:
* assert:
* If the validation function passed to `assert.throws()` or
`assert.rejects()` returns a value other than `true`, an assertion
error will be thrown instead of the original error to highlight the
programming mistake (Ruben Bridgewater).
https://github.com/nodejs/node/pull/28263
* If a constructor function is passed to validate the instance of
errors thrown in `assert.throws()` or `assert.reject()`, an
assertion error will be thrown instead of the original error
(Ruben Bridgewater).
https://github.com/nodejs/node/pull/28263
* build:
* Node.js releases are now built with default full-icu support. This
means that all locales supported by ICU are now included and
Intl-related APIs may return different values than before
(Richard Lau).
https://github.com/nodejs/node/pull/29887
* The minimum Xcode version supported for macOS was increased to 10.
It is still possible to build Node.js with Xcode 8 but this may no
longer be the case in a future v13.x release (Michael Dawson).
https://github.com/nodejs/node/pull/29622
* child_process:
* `ChildProcess._channel` (DEP0129) is now a Runtime deprecation
(cjihrig).
https://github.com/nodejs/node/pull/27949
* console:
* The output `console.timeEnd()` and `console.timeLog()` will now
automatically select a suitable time unit instead of always using
milliseconds (Xavier Stouder).
https://github.com/nodejs/node/pull/29251
* deps:
* The V8 engine was updated to version 7.8. This includes performance
improvements to object destructuring, memory usage and WebAssembly
startup time (Myles Borins).
https://github.com/nodejs/node/pull/29694)
* domain:
* The domain's error handler is now executed with the active domain
set to the domain's parent to prevent inner recursion
(Julien Gilli).
https://github.com/nodejs/node/pull/26211
* fs:
* The undocumented method `FSWatcher.prototype.start()` was removed
(Lucas Holmquist).
https://github.com/nodejs/node/pull/29905
* Calling the `open()` method on a `ReadStream` or `WriteStream` now
emits a runtime deprecation warning. The methods are supposed to be
internal and should not be called by user code (Robert Nagy).
https://github.com/nodejs/node/pull/29061
* `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now
accept any safe integer as their `offset` parameter. The value of
`offset` is also no longer coerced, so a valid type must be passed
to the functions (Zach Bjornson).
https://github.com/nodejs/node/pull/26572
* http:
* Aborted requests no longer emit the `end` or `error` events after
`aborted` (Robert Nagy).
https://github.com/nodejs/node/pull/27984https://github.com/nodejs/node/pull/20077
* Data will no longer be emitted after a socket error (Robert Nagy).
https://github.com/nodejs/node/pull/28711
* The legacy HTTP parser (previously available under the
`--http-parser=legacy` flag) was removed (Anna Henningsen).
https://github.com/nodejs/node/pull/29589
* The `host` option for HTTP requests is now validated to be a string
value (Giorgos Ntemiris).
https://github.com/nodejs/node/pull/29568
* The `request.connection` and `response.connection` properties are now
runtime deprecated. The equivalent `request.socket` and `response.socket`
should be used instead (Robert Nagy).
https://github.com/nodejs/node/pull/29015
* http, http2:
* The default server timeout was removed (Ali Ijaz Sheikh).
https://github.com/nodejs/node/pull/27558
* Brought 425 status code name into accordance with RFC 8470. The name
changed from "Unordered Collection" to "Too Early" (Sergei Osipov).
https://github.com/nodejs/node/pull/29880
* lib:
* The `error.errno` property will now always be a number. To get the
string value, use `error.code` instead (Joyee Cheung).
https://github.com/nodejs/node/pull/28140
* module:
* `module.createRequireFromPath()` is deprecated. Use
`module.createRequire()` instead (cjihrig).
https://github.com/nodejs/node/pull/27951
* src:
* Changing the value of `process.env.TZ` will now clear the tz cache.
This affects the default time zone used by methods such as
`Date.prototype.toString` (Ben Noordhuis).
https://github.com/nodejs/node/pull/20026
* stream:
* The timing and behavior of streams was consolidated for a number of
edge cases. Please look at the individual commits below for more
information.
PR-URL: https://github.com/nodejs/node/pull/29504
This release marks the transition of Node.js 12.x into Long Term Support
(LTS) with the codename 'Erbium'. The 12.x release line now moves into
"Active LTS" and will remain so until October 2020. After that time, it
will move into "Maintenance" until end of life in April 2022.
Notable changes:
npm was updated to 6.12.0. It now includes a version of `node-gyp` that
supports Python 3 for building native modules.
PR-URL: https://github.com/nodejs/node/pull/29981
For `www.cve.mitre.org` they don't seem to redirect www to naked.
PR-URL: https://github.com/nodejs/node/pull/29661
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
