This is a security release.
Notable changes:
Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt
Fix for building Node.js 12.x with Visual Studio 2019 to allow us to continue to
run CI tests.
PR-URL: https://github.com/nodejs/node/pull/42363
Notable changes:
Fixed regression in url.resolve()
This release fixes an issue introduced in Node.js v17.7.0 with some URLs
that contain `@`. This issue affected yarn 1. This version reverts the
change that introduced the regression.
PR-URL: https://github.com/nodejs/node/pull/42285
PR-URL: https://github.com/nodejs/node/pull/41808
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Mestery <mestery@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Notable changes:
Corepack:
Node.js now includes Corepack, a script that acts as a bridge between
Node.js projects and the package managers they are intended to be used
with during development.
In practical terms, Corepack will let you use Yarn and pnpm without
having to install them - just like what currently happens with npm,
which is shipped in Node.js by default.
Contributed by Maël Nison - https://github.com/nodejs/node/pull/39608
ICU updated:
ICU has been updated to 70.1. This updates timezone database to 2021a3,
including bringing forward the start for DST for Jordan from March to
February.
Contributed by Michaël Zasso - https://github.com/nodejs/node/pull/40658
New option to disable loading of native addons:
A new command line option `--no-addons` has been added to disallow
loading of native addons.
Contributed by Dominic Elm - https://github.com/nodejs/node/pull/39977
Updated Root Certificates:
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71.
Contributed by Richard Lau - https://github.com/nodejs/node/pull/40280
Other Notable Changes:
crypto:
* (SEMVER-MINOR) make FIPS related options always available (Vít Ondruch) https://github.com/nodejs/node/pull/36341
lib:
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
module:
* (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
src:
* (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926
PR-URL: https://github.com/nodejs/node/pull/41696
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/311
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/312
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/310
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/309
Notable changes
This release contains a c-ares update to fix a regression introduced in
Node.js 14.17.5 resolving CNAME records containing underscores
(https://github.com/nodejs/node/issues/39780).
Also included are commits to allow Node.js 14 to continue to build and
pass tests on our Jenkins CI, including adding Python 3.10 to the list
of allowable Python versions for building.
PR-URL: https://github.com/nodejs/node/pull/40969
Update mdast-util-to-markdown to 1.2.4 which reduces unnecessary
escaping of `_` and some other characters. Re-run markdown formatter.
PR-URL: https://github.com/nodejs/node/pull/40645
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Once the README and find-inactive-collaborators.mjs changes land here,
we can introduce markdown formatting as a step in the toolchain
somewhere.
Before this lands, https://github.com/nodejs/node-core-utils/pull/578
will need to land and be included in a node-core-utils release.
PR-URL: https://github.com/nodejs/node/pull/40645
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Notable changes:
This release marks the transition of Node.js 16.x into Long Term Support (LTS)
with the codename 'Gallium'. The 16.x release line now moves into "Active LTS"
and will remain so until October 2022. After that time, it will move into
"Maintenance" until end of life in April 2024.
PR-URL: https://github.com/nodejs/node/pull/40536
Notable changes:
Fixed distribution for native addon builds
This release fixes an issue introduced in Node.js v17.0.0, where some V8
headers were missing from the distributed tarball, making it impossible
to build native addons. These headers are now included.
https://github.com/nodejs/node/pull/40526
Fixed stream issues
* Fixed a regression in `stream.promises.pipeline`, which was introduced
in version 16.10.0, is fixed. It is now possible again to pass an
array of streams to the function.
https://github.com/nodejs/node/pull/40193
* Fixed a bug in `stream.Duplex.from`, which didn't work properly when
an async generator function was passed to it.
https://github.com/nodejs/node/pull/40499
PR-URL: https://github.com/nodejs/node/pull/40535
Notable Changes:
Experimental ESM Loader Hooks API:
Node.js ESM Loader hooks have been consolidated to represent the steps involved needed to facilitate future loader chaining:
1. `resolve`: `resolve` [+ `getFormat`]
2. `load`: `getFormat` + `getSource` + `transformSource`
For consistency, `getGlobalPreloadCode` has been renamed to `globalPreload`.
A loader exporting obsolete hook(s) will trigger a single deprecation warning (per loader) listing the errant hooks.
Contributed by Jacob Smith, Geoffrey Booth, and Bradley Farias - https://github.com/nodejs/node/pull/37468
Other Notable Changes:
deps:
* upgrade npm to 8.1.0 (npm team) https://github.com/nodejs/node/pull/40463
doc:
* deprecate (doc-only) http abort related (dr-js) https://github.com/nodejs/node/pull/36670
vm:
* (SEMVER-MINOR) add support for import assertions in dynamic imports (Antoine du Hamel) https://github.com/nodejs/node/pull/40249
PR-URL: https://github.com/nodejs/node/pull/40504
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/293
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked requests.
requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/294
This is a security release.
Notable changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/295
Use the format-md task to format changelogs.
PR-URL: https://github.com/nodejs/node/pull/40388
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Upcoming remark-based formatting/linting will add a blank line between
comments in markdown. This is in preparation for that change.
PR-URL: https://github.com/nodejs/node/pull/40160
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/280
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/279
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/278
This is a security release.
Notable Changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
This releases fixes some regressions with internationalization
introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.
PR-URL: https://github.com/nodejs/node/pull/39466
This is a security release.
Notable changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
PR-URL: https://github.com/nodejs/node/pull/39500
Notable changes:
Node.js 16.4.1 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39270
Notable changes:
Node.js 14.17.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39269
Notable changes:
Node.js 12.22.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39268
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/271
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/272
Notable Changes:
Diagnostics channel (experimental module):
`diagnostics_channel` is a new experimental module that provides an API
to create named channels to report arbitrary message data for
diagnostics purposes.
The module was initially introduced in Node.js v15.1.0 and is
backported to v14.17.0 to enable testing it at a larger scale.
With `diagnostics_channel`, Node.js core and module authors can publish
contextual data about what they are doing at a given time. This could
be the hostname and query string of a mysql query, for example. Just
create a named channel with `dc.channel(name)` and call
`channel.publish(data)` to send the data to any listeners to that
channel.
```js
const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');
MySQL.prototype.query = function query(queryString, values, callback) {
// Broadcast query information whenever a query is made
channel.publish({
query: queryString,
host: this.hostname,
});
this.doQuery(queryString, values, callback);
};
```
Channels are like one big global event emitter but are split into
separate objects to ensure they get the best performance. If nothing is
listening to the channel, the publishing overhead should be as close to
zero as possible. Consuming channel data is as easy as using
`channel.subscribe(listener)` to run a function whenever a message is
published to that channel.
```js
const dc = require('diagnostics_channel');
const channel = dc.channel('mysql.query');
channel.subscribe(({ query, host }) => {
console.log(`mysql query to ${host}: ${query}`);
});
```
The data captured can be used to provide context for what an app is
doing at a given time. This can be used for things like augmenting
tracing data, tracking network and filesystem activity, logging
queries, and many other things. It's also a very useful data source
for diagnostics tools to provide a clearer picture of exactly what the
application is doing at a given point in the data they are presenting.
Contributed by Stephen Belanger (https://github.com/nodejs/node/pull/34895).
UUID support in the crypto module:
The new `crypto.randomUUID()` method now allows to generate random
[RFC 4122](https://www.rfc-editor.org/rfc/rfc4122.txt) Version 4
UUID strings:
```js
const { randomUUID } = require('crypto');
console.log(randomUUID());
// 'aa7c91a1-f8fc-4339-b9db-f93fc7233429'
```
Contributed by James M Snell (https://github.com/nodejs/node/pull/36729).
Experimental support for `AbortController` and `AbortSignal`:
Node.js 14.17.0 adds experimental partial support for `AbortController`
and `AbortSignal`.
Both constructors can be enabled globally using the
`--experimental-abortcontroller` flag.
Additionally, several Node.js APIs have been updated to support
`AbortSignal` for cancellation.
It is not mandatory to use the built-in constructors with them. Any
spec-compliant third-party alternatives should be compatible.
`AbortSignal` support was added to the following methods:
* `child_process.exec`
* `child_process.execFile`
* `child_process.fork`
* `child_process.spawn`
* `dgram.createSocket`
* `events.on`
* `events.once`
* `fs.readFile`
* `fs.watch`
* `fs.writeFile`
* `http.request`
* `https.request`
* `http2Session.request`
* The promisified variants of `setImmediate` and `setTimeout`
Other notable changes:
* doc:
* revoke deprecation of legacy url, change status to legacy (James M Snell) (https://github.com/nodejs/node/pull/37784)
* add legacy status to stability index (James M Snell) (https://github.com/nodejs/node/pull/37784)
* upgrade stability status of report API (Gireesh Punathil) (https://github.com/nodejs/node/pull/35654)
* deps:
* V8: Backport various patches for Apple Silicon support (BoHong Li) (https://github.com/nodejs/node/pull/38051)
* update ICU to 68.1 (Michaël Zasso) (https://github.com/nodejs/node/pull/36187)
* upgrade to libuv 1.41.0 (Colin Ihrig) (https://github.com/nodejs/node/pull/37360)
* http:
* add http.ClientRequest.getRawHeaderNames() (simov) (https://github.com/nodejs/node/pull/37660)
* report request start and end with diagnostics\_channel (Stephen Belanger) (https://github.com/nodejs/node/pull/34895)
* util:
* add getSystemErrorMap() impl (eladkeyshawn) (https://github.com/nodejs/node/pull/38101)
PR-URL: https://github.com/nodejs/node/pull/38507
Notable changes
The legacy HTTP parser is runtime deprecated:
- The legacy HTTP parser, selected by the `--http-parser=legacy` command line
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it
is the only HTTP parser implementation provided) at the end of April 2021. It
will now warn on use but otherwise continue to function and may be removed in
a future Node.js 12.x release.
- The default HTTP parser based on llhttp is not affected. By default it is
stricter than the now deprecated legacy HTTP parser. If interoperability with
HTTP implementations that send invalid HTTP headers is required, the HTTP
parser can be started in a less secure mode with the `--insecure-http-parser`
command line option.
ES Modules:
- ES Modules are now considered stable.
node-api:
- Updated to node-api version 8 and added an experimental API to allow
retrieval of the add-on file name.
New API's to control code coverage data collection:
- `v8.stopCoverage()` and `v8.takeCoverage()` have been added.
New API to monitor event loop utilization by Worker threads
- `worker.performance.eventLoopUtilization()` has been added.
PR-URL: https://github.com/nodejs/node/pull/37797
This is a security release.
Notable changes
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/255
This is a security release.
Notable changes
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/256
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/254
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate
PR-URL: https://github.com/nodejs-private/node-private/pull/253
PR-URL: https://github.com/nodejs/node/pull/37229
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/36959
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Pooja D P <Pooja.D.P@ibm.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Notable changes:
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
PR-URL: https://github.com/nodejs-private/node-private/pull/240
Notable changes:
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
PR-URL: https://github.com/nodejs-private/node-private/pull/239
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference
(High)
- This is a vulnerability in OpenSSL which may be exploited through
Node.js. You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt
- **CVE-2020-8265**: use-after-free in TLSWrap (High)
- Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
- **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low)
- Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
PR-URL: https://github.com/nodejs-private/node-private/pull/242
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2020-8265**: use-after-free in TLSWrap (High)
* Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller as
part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits.
- **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low)
* Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields. In
this case Node.js identifies the first header field and ignores the
second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
PR-URL: https://github.com/nodejs-private/node-private/pull/241
This is a security release.
Notable changes:
Vulnerabilities fixed:
* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of Service by getting the
application to resolve a DNS record with a larger number of responses.
PR-URL: https://github.com/nodejs-private/node-private/pull/233
This is a security release.
Notable changes:
Vulnerabilities fixed:
* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of Service by getting the
application to resolve a DNS record with a larger number of responses.
PR-URL: https://github.com/nodejs-private/node-private/pull/234
This is a security release.
Notable changes:
Vulnerabilities fixed:
* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
application that allows an attacker to trigger a DNS request for a
host of their choice could trigger a Denial of service by getting the
application to resolve a DNS record with a larger number of responses.
PR-URL: https://github.com/nodejs-private/node-private/pull/232
Notable changes:
This release marks the transition of Node.js 14.x into Long Term Support (LTS)
with the codename 'Fermium'. The 14.x release line now moves into "Active LTS"
and will remain so until October 2021. After that time, it will move into
"Maintenance" until end of life in April 2023.
PR-URL: https://github.com/nodejs/node/pull/35746
PR-URL: https://github.com/nodejs/node/pull/35217
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
This is a security release.
Notable changes:
Vulnerabilities fixed:
- CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due
to unfinished HTTP/1.1 requests (Critical).
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
(High).
PR-URL: https://github.com/nodejs-private/node-private/pull/225
This is a security release.
Notable changes:
Vulnerabilities fixed:
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
- CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
PR-URL: https://github.com/nodejs-private/node-private/pull/223
Notable changes:
Node.js 14.10.0 included a streams regression with async generators
and a docs rendering regression that are being fixed in this release.
PR-URL: https://github.com/nodejs/node/pull/35137
PR-URL: https://github.com/nodejs/node/pull/34158
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a security release.
Vulnerabilities fixed:
- CVE-2020-8174: napi_get_value_string_*() allows various kinds of
memory corruption (High).
- CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
PR-URL: https://github.com/nodejs-private/node-private/pull/211
This is a security release.
Notable changes:
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).
PR-URL: https://github.com/nodejs-private/node-private/pull/213
This is a security release.
Notable changes:
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).
PR-URL: https://github.com/nodejs-private/node-private/pull/212
Notable changes:
* ECMAScript Modules - `--experimental-modules` flag removal
* AsyncLocalStorage API (experimental)
* REPL previews
* REPL reverse-i-search
* REPL substring-based search
* Error monitoring
* Monitoring `error` events
* Monitoring uncaught exceptions
* File system APIs
* New function: `fs.readv`
* Optional parameters in `fs.read`
* Console `groupIndentation` option
* `maxStringLength` option for `util.inspect()`
* Stable N-API release 6
* Stable diagnostic reports
* Increase of the default server headers timeout
* New `--trace-sigint` CLI flag
* Various crypto APIs now support Diffie-Hellman secrets
* Added support for the `dns.ALL` flag in `dns.lookup()`
* Added a new experimental API to interact with Source Map V3 data
* Added support for passing a `transferList` along with `workerData` to
the `Worker` constructor
PR-URL: https://github.com/nodejs/node/pull/33197
