In a previous commit, the loader implementation was modified to be
protected against most prototype pollution, but was kept vulnerable to
`Array.prototype` pollution. This commit fixes that, the tradeoff is
that it modifies the `ESMLoader.prototype.import` return type from an
`Array` to an array-like object.
Refs: https://github.com/nodejs/node/pull/45044
PR-URL: https://github.com/nodejs/node/pull/45175
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
The term `Environment` in `kAllowedInEnvironment` and
`kDisallowedInEnvironment` has nothing to do with the commonly used
term `node::Environment`. Rename the member to `kAllowedInEnvvar`
and `kDisallowedInEnvvar` respectively to reflect they are options
of `OptionEnvvarSettings`.
As `OptionEnvvarSettings` is part of the public embedder APIs, the
legacy names are still preserved.
PR-URL: https://github.com/nodejs/node/pull/45057
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
PR-URL: https://github.com/nodejs/node/pull/45170
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
PR-URL: https://github.com/nodejs/node/pull/45165
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
i18n in the Windows installer was disabled in 2016 for Reasons and never
re-enabled.
There have been no complaints about lack of localization in the
intervening years, suggesting there isn't a huge demand for it either.
Let's remove the files because it was confusing at least one potential
contributor.
Refs: https://github.com/nodejs/node/issues/45090
PR-URL: https://github.com/nodejs/node/pull/45138
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
After the stream has been marked as closed by the nghttp2 stack, there
might be still pending data to be sent: trailing headers is an example
of this. In that case, avoid reentering the nghttp2 stack synchronously
to allow the data to be written before actually closing the stream.
Fixes: https://github.com/nodejs/node/issues/42713
PR-URL: https://github.com/nodejs/node/pull/45153
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This reverts commit 84d455e08e.
PR-URL: https://github.com/nodejs/node/pull/45162
Refs: https://github.com/nodejs/node/issues/45118
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Prior to this commit, beforeEach() and afterEach() hooks were
not called on test suites (describe()). This commit addresses that.
Fixes: https://github.com/nodejs/node/issues/45028
PR-URL: https://github.com/nodejs/node/pull/45161
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
When checking for the validity of the stdio file descriptors
(nodejs#875), ones which don't exist are intended to be remapped to
/dev/null (and, if that doesn't work, we abort).
This however doesn't work on all platforms and in all cases, and is not
anymore required by POSIX; instead, use the `dup2` syscall as a more
robust solution (conforms to POSIX.1).
Fixes: https://github.com/nodejs/help/issues/2411
Refs: https://github.com/nodejs/node/pull/875
PR-URL: https://github.com/nodejs/node/pull/44461
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
With the inclusion of the RISC-V 32-bit support in V8 the directory
src/heap/base/asm/riscv64 has been renamed to riscv.
PR-URL: https://github.com/nodejs/node/pull/45149
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Stewart X Addison <sxa@redhat.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
stream: fix web streams have no Symbol.toStringTag
stream: add unit tests
PR-URL: https://github.com/nodejs/node/pull/45117
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Don't destroy the socket when closing the session but let it end
gracefully.
Also, when destroying the session, on Windows, we would get ECONNRESET
errors, make sure we take those into account in our tests.
PR-URL: https://github.com/nodejs/node/pull/45115
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Many TAP reporters offer special-case handling of YAML objects
containing `expected`, `actual`, and `operator` fields, as produced by
`AssertionError` and similar userland Error classes.
PR-URL: https://github.com/nodejs/node/pull/44952
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
This release marks the transition of Node.js 18.x into Long Term Support (LTS)
with the codename 'Hydrogen'. The 18.x release line now moves into "Active LTS"
and will remain so until October 2023. After that time, it will move into
"Maintenance" until end of life in April 2025.
PR-URL: https://github.com/nodejs/node/pull/45100
Previously the error message generation would throw if the port was of
type `"symbol"`.
PR-URL: https://github.com/nodejs/node/pull/45135
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
It can happen that the Http2Stream::session_ has already been deleted
when the Http2Stream destructor is called, causing `diagnostic_name()`
to crash. Observed when running some http2 tests on Windows with the
debug logs activated.
PR-URL: https://github.com/nodejs/node/pull/45123
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
So it actually logs something when debug is activated.
PR-URL: https://github.com/nodejs/node/pull/45129
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
WHATWG URL removes tab, new line, and carraige return characters before
processing URL strings. To narrow the differences between WHATWG URL and
url.parse(), and thus reduce opportunities for host spoofing etc. due to
differences between the two APIs, let's do the same with url.parse().
PR-URL: https://github.com/nodejs/node/pull/45116
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Updates the Release Guide to point to using `node-core-utils` for
creating the commit that marks a release line as LTS.
Signed-off-by: Ruy Adorno <ruyadorno@google.com>
PR-URL: https://github.com/nodejs/node/pull/45101
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
`contextify_global_private_symbol` is no longer used. It was used
to hold a new context's global object, but the approach has been
changed to hold a ContextifyContext wrapper using
`contextify_context_private_symbol`.
Signed-off-by: Daeyeon Jeong <daeyeon.dev@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/45128
Refs: https://github.com/nodejs/node/pull/44796
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Using a direct approach to create the readline async iterator
allowed an iteration over 20 to 58% faster.
**BREAKING CHANGE**: With that change, the async iteterator
obtained from the readline interface doesn't have the
property "stream" any longer. This happened because it's no
longer created through a Readable, instead, the async
iterator is created directly from the events of the readline
interface instance, so, if anyone is using that property,
this change will break their code.
Also, the Readable added a backpressure control that is
fairly compensated by the use of FixedQueue + monitoring
its size. This control wasn't really precise with readline
before, though, because it only pauses the reading of the
original stream, but the lines generated from the last
message received from it was still emitted. For example:
if the readable was paused at 1000 messages but the last one
received generated 10k lines, but no further messages were
emitted again until the queue was lower than the readable
highWaterMark. A similar behavior still happens with the
new implementation, but the highWaterMark used is fixed: 1024,
and the original stream is resumed again only after the queue
is cleared.
Before making that change, I created a package implementing
the same concept used here to validate it. You can find it
[here](https://github.com/Farenheith/faster-readline-iterator)
if this helps anyhow.
PR-URL: https://github.com/nodejs/node/pull/41276
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
V8 already parses the source map magic comments. Currently, only scripts
and functions expose the parsed source map URLs. It is unnecessary to
parse the source map magic comments again when the parsed information is
available.
PR-URL: https://github.com/nodejs/node/pull/44798
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Adding a note on how to properly edit the the `src/node_version.h` file
when working on the cherry-pick step of the Release Guide when working
on a new major version release.
Signed-off-by: Ruy Adorno <ruyadorno@google.com>
PR-URL: https://github.com/nodejs/node/pull/45054
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
closed promise is subscribed to first so will be
resolved first, before any read promise.
This causes data after EOF error to be thrown.
Remove the push null from the closed promise handler.
The push null gets done from the read handler
when it detects done.
PR-URL: https://github.com/nodejs/node/pull/45026
Fixes: https://github.com/nodejs/node/issues/42694
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/45070
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
When preparing output for a terminal that supports Unicode, Groff remaps
the following characters to typographically "fancier" versions:
^ (U+005E) -> ˆ (U+02C6)
~ (U+007E) -> ˜ (U+02DC)
- (U+002D) -> ‐ (U+2010)
` (U+0060) -> ‘ (U+2018)
' (U+0027) -> ’ (U+2019)
This transformation is normally desirable in high-quality typeset output
(PDF and PostScript), but frequently problematic in terminal display. As
described in groff_char(7), the following escape sequences are needed to
display the aforementioned characters as they appear in source code:
^ -> \(ha (Mnemonic: "hat")
~ -> \(ti (Mnemonic: "tilde")
- -> \-
` -> \(ga (Mnemonic: "grave accent")
' -> \(aq (Mnemonic: "apostrophe quote")
These constructs are cumbersome to write, obstruct readability of source
code, and are completely opaque to the majority of man page authors (who
only care about terminal display). A simpler solution is to use `.tr` to
translate these characters automatically.
PR-URL: https://github.com/nodejs/node/pull/44373
Reviewed-By: James M Snell <jasnell@gmail.com>
