The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/26
Reviewed-By: Rod Vagg <r@va.gg>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/4841
Reviewed-By: Benjamin Gruenbaum <inglor@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
isLegalPort can be used in more places than just net.js. This change
moves it to a new internal net module in preparation for using it in
the dns module.
PR-URL: https://github.com/nodejs/node/pull/4882
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Using the tick processor no longer creates temporary files or spawns a
child process.
PR-URL: https://github.com/nodejs/node/pull/4224
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: jasnell - James M Snell <jasnell@gmail.com>
This change cleans up outstanding comments on #3032. It improves error
handling when no isolate file is provided and adds the --prof-process
flag to the node binary which executes the tick processor on the
provided isolate file.
PR-URL: https://github.com/nodejs/node/pull/4021
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Evan Lucas <evanlucas@me.com>
This feature supports the Intel Vtune profiling support for JITted
JavaScript on IA32 / X64 / X32 platform. The advantage of this profiling
is that the user / developer of NodeJS application can get the detailed
profiling information for every line of the JavaScript source code.
This information will be very useful for the owner to optimize their
applications.
This feature is a compile-time option. For windows platform, the user
needs to pass the following parameter to vcbuild.bat: "enable-vtune"
For other OS, the user needs to pass the following parameter to
./configure command: "--enable-vtune-profiling"
PR-URL: https://github.com/nodejs/node/pull/3785
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This commit moves several of readline's undocumented functions
into an internal module. Specifically, isFullWidthCodePoint,
stripVTControlCharacters, getStringWidth, and emitKeys are
moved to the internal module. The existing public exports
of the first three functions are given a deprecation notice.
Refs: https://github.com/nodejs/node/pull/3847
Fixes: https://github.com/nodejs/node/issues/3836
PR-URL: https://github.com/nodejs/node/pull/3862
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
The freelist module was deprecated in io.js and moved to an
internal module. This commit removes public access to freelist,
while leaving the internal module, which is still in use.
Fixes: https://github.com/nodejs/node/issues/569
PR-URL: https://github.com/nodejs/node/pull/3738
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Due to the race window between the master's "disconnect" message and the
worker's "handle received" message, connections sometimes got stuck in
the pending handles queue when calling `worker.disconnect()` in the
master process.
The observable effect from the client's perspective was a TCP or HTTP
connection that simply stalled. This commit fixes that by closing open
handles in the master when the "disconnect" message is sent.
Fixes: https://github.com/nodejs/node/issues/3551
PR-URL: https://github.com/nodejs/node/pull/3677
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This PR is the first step enabling support for native modules
for AIX. The main issue is that unlike linux where all
symbols within the Node executable are available to the shared
library for a native module (npm), on AIX the symbols must
be explicitly exported. In addition, when the shared library is
built it must be linked using a list of the available symbols.
This patch covers the changes need to:
1) Export the symbols when building the node executable
2) Generate the file listing the symbols that can be used when
building the shared library.
For AIX, it breaks the build process into 2 steps. The first builds
a static library and then generates a node.exp file which contains
the symbols from that library. The second builds the node executable
and uses the node.exp file to specify which symbols should be
exported. In addition, it save the node.exp file so that it can
later be used in the creation of the shared library when building
a native module.
The following additional steps will be required in dependent projects
to fully enable AIX for native modules and are being worked
separately:
- Updates to node-gyp to use node.exp when creating the
shared library for a native module
- Fixes to gyp related to copying files as covered in
https://codereview.chromium.org/1368133002/patch/1/10001
- Pulling in updated gyp versions to Node and node-gyp
- Pulling latest libuv
These changes were done to minimize the change to other platforms
by working within the existing structure to add the 2 step process
for AIX without changing the process for other platforms.
PR-URL: https://github.com/nodejs/node/pull/3114
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Deprecate _linklist and add test to confirm internal linklist and
public _linklist are the same.
PR-URL: https://github.com/nodejs/node/pull/3078
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Adds the string search implementation from v8
which uses naive search if pattern length < 8
or to a specific badness then uses Boyer-Moore-Horspool
Added benchmark shows the expected improvements
Added option to use ucs2 encoding with Buffer::IndexOf
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/2539
Previously, a MapIterator or SetIterator would
not be inspected properly. This change makes it possible
to inspect them by creating a Debug Mirror and previewing
the iterators to not consume the actual iterator that
we are trying to inspect.
This change also adds a node_util binding that uses
v8's Value::IsSetIterator and Value::IsMapIterator
to verify that the values passed in are actual iterators.
Fixes: https://github.com/nodejs/node/issues/3107
PR-URL: https://github.com/nodejs/node/pull/3119
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/node/pull/2411
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Evan Lucas <evanlucas@me.com>
These are the core changes that allow AIX to compile. There
are still some test failures as there are some patches needed for
libuv and npm that we'll need to contribute through those
communities but this set allows node to be built on AIX and
pass most of the core tests
The change in js2c is because AIX does not support $ in
identifier names. See the discussion/agreement in
https://github.com/nodejs/node/issues/2272
PR-URL: https://github.com/nodejs/node/pull/2364
Reviewed-By: Ben Noordhuis <ben@strongloop.com>
Reviewed-By: Rod Vagg <r@va.gg>
This commit refactors LazyTransform from the crypto implementation
(lib/crypto.js) into an internal module (not publicy accessible) in
internal/streams/lazy_transform.js. This promotes a more modular core
design and removes code bloat in crypto, as LazyTransform didn't
specifically have anything to do with cryptography, but rather a fast
way to support two APIs on a stream.
PR-URL: https://github.com/nodejs/node/pull/2566
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Turn on V8 API deprecation warnings. Fix up the no-arg Isolate::New()
calls in src/node.cc and src/debug-agent.cc.
PR-URL: https://github.com/nodejs/io.js/pull/2091
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Previously, V8::SetFlagsFromString was called on every launch even if
NODE_V8_OPTIONS was an empty string. This patch only defines
NODE_V8_OPTIONS if node_v8_options is not an empty string.
PR-URL: https://github.com/nodejs/node/pull/2532
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
This commit replaces instances of io.js with Node.js, based on the
recent convergence. There are some remaining instances of io.js,
related to build and the installer.
Fixes: https://github.com/nodejs/node/issues/2361
PR-URL: https://github.com/nodejs/node/pull/2367
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: João Reis <reis@janeasystems.com>
The old smalloc-based implementation has been removed, the typed array
implementation is the only one that is left now.
PR-URL: https://github.com/nodejs/io.js/pull/2022
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Upgrade the bundled V8 and update code in src/ and lib/ to the new API.
Notable backwards incompatible changes are the removal of the smalloc
module and dropped support for CESU-8 decoding. CESU-8 support can be
brought back if necessary by doing UTF-8 decoding ourselves.
This commit includes https://codereview.chromium.org/1192973004 to fix
a build error on python 2.6 systems. The original commit log follows:
Use optparse in js2c.py for python compatibility
Without this change, V8 won't build on RHEL/CentOS 6 because the
distro python is too old to know about the argparse module.
PR-URL: https://github.com/nodejs/io.js/pull/2022
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
With V8 4.4 removing the external array data API currently used by
Buffer, the new implementation uses the Uint8Array to back Buffer.
Buffers now have a maximum size of Smi::kMaxLength, as defined by V8.
Which is ~2 GB on 64 bit and ~1 GB on 32 bit.
The flag --use-old-buffer allows using the old Buffer implementation.
This flag will be removed once V8 4.4 has landed.
The two JS Buffer implementations have been split into two files for
simplicity.
Use getter to return expected .parent/.offset values for backwards
compatibility.
PR-URL: https://github.com/nodejs/io.js/pull/1825
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Support building and running with FIPS-compliant OpenSSL. The process is
following:
1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
Fix: https://github.com/joyent/node/issues/25463
PR-URL: https://github.com/nodejs/io.js/pull/1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
`printDeprecationMessage` is used to deprecate modules
and execution branches.
PR-URL: https://github.com/nodejs/io.js/pull/1822
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit c0e7bf2d8c.
There are a few edge cases that can cause a crash
and need to be properly handled.
PR-URL: https://github.com/nodejs/io.js/pull/1862
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Options have been moved into the NodeOptions class.
A new global, node_options now exists and is used
to access the options after the command line arguments
have been parsed.
PR-URL: https://github.com/nodejs/io.js/pull/1804
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Creates two new internal modules (child_process and socket_list) for
better readability.
Exposes the ChildProcess constructor from the child_process module so
one can now `require(‘child_process’).ChildProcess`
Fixes: https://github.com/nodejs/io.js/issues/1751
PR-URL: https://github.com/nodejs/io.js/pull/1760
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Use the --trace-sync-io flag to print a stack trace whenever a sync
method is used after the first tick, excluding during the process exit
event. (e.g. fs.readFileSync()) It does not track if the warning has
occurred at a specific location in the past and so will print the
warning every time.
Reason for not printing during the first tick of the appication is so
all necessary resources can be required. Also by excluding synchronous
calls during exit is necessary in case any data needs to be logged out
by the application before it shuts down.
Fixes: https://github.com/nodejs/io.js/issues/1674
PR-URL: https://github.com/nodejs/io.js/pull/1707
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Petka Antonov <petka_antonov@hotmail.com>
this creates a new internal module responsible for providing
the repl created via "iojs" or "iojs -i," and adds the following
options to the readline and repl subsystems:
* "repl mode" - determine whether a repl is strict mode, sloppy mode,
or auto-detect mode.
* historySize - determine the maximum number of lines a repl will store
as history.
The built-in repl gains persistent history support when the
NODE_REPL_HISTORY_FILE environment variable is set. This functionality
is not exposed to userland repl instances.
PR-URL: https://github.com/iojs/io.js/pull/1513
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Upcoming V8 changes will make it impossible to keep supporting the
smalloc module so deprecate it now and tell people to switch to
typed arrays.
The module is used in core in a few places so this commit makes the
public module private and replaces the public part with wrappers that
print deprecation notices.
PR-URL: https://github.com/iojs/io.js/pull/1564
Reviewed-By: Domenic Denicola <domenic@domenicdenicola.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
One static library could not be bundled into another, that's why
it's necessary to skip `-force_load` and `--whole-archive` linker
options to build io.js itself as a static library.
`node_target_type` variable has been added to node.gyp, along
with `--enable-static` option in configure script.
Fixes: https://github.com/iojs/io.js/issues/686
PR-URL: https://github.com/iojs/io.js/pull/1341
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This action is to encourage packagers to not build against a
shared V8 library since even minor bumps of V8 can create issues.
PR-URL: https://github.com/iojs/io.js/pull/1331
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Drop the homegrown thread pool that was introduced in commit 50839a0
("v8_platform: provide default v8::Platform impl") and use one from
V8's libplatform library. Performance is comparable and it removes
a few hundred lines of code.
The calls to v8::platform::PumpMessageLoop() are currently no-ops
because V8 does not (yet?) use v8::Platform::CallOnForegroundThread().
Packagers that link against a shared libv8 now also need to make
libv8_platform available.
PR-URL: https://github.com/iojs/io.js/pull/1329
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Internal modules can be used to share private code between
public modules without risk to expose private APIs to the
user.
PR-URL: https://github.com/iojs/io.js/pull/848
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
After upgrading to a newer v8 mdb is pretty much broken - even if using
the latest updates from nodejs. If nodejs decides to update their v8 we
can give it another go, but for now it's better to remove it than have
it in our tree unsupported.
PR-URL: https://github.com/iojs/io.js/pull/1023
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
Move JS methods to the stream_base-inl.h and thus define them on each
use of `StreamBase::AddMethods`. Inline `AddMethods` itself, so that
there won't be any need in a static declaration in stream_base.cc.
NOTE: This basically allows using this API in user-land, though, some
polishing is required before releasing it.
PR-URL: https://github.com/iojs/io.js/pull/957
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
Introduce a way to wrap plain-js `stream.Duplex` streams into C++
StreamBase's child class. With such method at hand it is now possible to
pass `stream.Duplex` instance as a `socket` parameter to
`tls.connect()`.
PR-URL: https://github.com/iojs/io.js/pull/926
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
StreamBase is an improved way to write C++ streams. The class itself is
for separting `StreamWrap` (with the methods like `.writeAsciiString`,
`.writeBuffer`, `.writev`, etc) from the `HandleWrap` class, making
possible to write abstract C++ streams that are not bound to any uv
socket.
The following methods are important part of the abstraction (which
mimics libuv's stream API):
* Events:
* `OnAlloc(size_t size, uv_buf_t*)`
* `OnRead(ssize_t nread, const uv_buf_t*, uv_handle_type pending)`
* `OnAfterWrite(WriteWrap*)`
* Wrappers:
* `DoShutdown(ShutdownWrap*)`
* `DoTryWrite(uv_buf_t** bufs, size_t* count)`
* `DoWrite(WriteWrap*, uv_buf_t*, size_t count, uv_stream_t* handle)`
* `Error()`
* `ClearError()`
The implementation should provide all of these methods, thus providing
the access to the underlying resource (be it uv handle, TLS socket, or
anything else).
A C++ stream may consume the input of another stream by replacing the
event callbacks and proxying the writes. This kind of API is actually
used now for the TLSWrap implementation, making it possible to wrap TLS
stream into another TLS stream. Thus legacy API calls are no longer
required in `_tls_wrap.js`.
PR-URL: https://github.com/iojs/io.js/pull/840
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Chris Dickinson <christopher.s.dickinson@gmail.com>
It has been obsoleted by the previous commit. Now it's time to say
goodbye.
PR-URL: https://github.com/iojs/io.js/pull/667
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
This commit also breaks up req_wrap.h into req-wrap.h and req-wrap-inl.h
to work around a circular dependency issue in env.h.
PR-URL: https://github.com/iojs/io.js/pull/667
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
This commit adds the ability to enable userspace tracing with lttng
in io.js. It adds tracepoints for all the equivalent dtrace and ETW
tracepoints. To use these tracepoints enable --with-lttng on linux.
PR-URL: https://github.com/iojs/io.js/pull/702
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Ryan Graham <ryan@strongloop.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Snapshots speed up start-up by a few milliseconds but are potentially
dangerous because of the fixed hash seed that is used for strings and
dictionaries, making collision denial-of-service attacks possible.
Release builds on iojs.org have snapshots disabled but source builds
did not, until now.
The risk for individual source builds is low; the binary gets a random
32 bits hash seed that should be hard to guess by an external attacker.
It's when binaries are distributed by, for example, a distro vendor
that the fixed hash seed becomes a vulnerability, because then it's
possible to target a large group of people at once.
People that really need the faster start-up time can use the new
--with-snapshot configure flag.
PR-URL: https://github.com/iojs/io.js/pull/585
Reviewed-By: Bert Belder <bertbelder@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Rod Vagg <rod@vagg.org>
Chrome still runs on Windows XP, so there is no reason that iojs
couldn't.
PR: https://github.com/iojs/io.js/pull/512
Reviewed-by: Ben Noordhuis <info@bnoordhuis.nl>
e1fe270 introduces the NODE_PLATFORM macro which had to be redefined in
node.gyp for `process.platform` to return expected values.
PR-URL: https://github.com/iojs/io.js/pull/271
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Bert Belder <bertbelder@gmail.com>
