Commit Graph

666 Commits

Author SHA1 Message Date
Michaël Zasso
02db7fc2cd
2023-11-14, Version 21.2.0 (Current)
Notable changes:

doc:
  * add MrJithil to collaborators (Jithil P Ponnan) https://github.com/nodejs/node/pull/50666
  * add Ethan-Arrowood as a collaborator (Ethan Arrowood) https://github.com/nodejs/node/pull/50393
esm:
  * (SEMVER-MINOR) add import.meta.dirname and import.meta.filename (James Sumners) https://github.com/nodejs/node/pull/48740
fs:
  * add stacktrace to fs/promises (翠 / green) https://github.com/nodejs/node/pull/49849
lib:
  * (SEMVER-MINOR) add `--no-experimental-global-navigator` CLI flag (Antoine du Hamel) https://github.com/nodejs/node/pull/50562
  * (SEMVER-MINOR) add navigator.language & navigator.languages (Aras Abbasi) https://github.com/nodejs/node/pull/50303
  * (SEMVER-MINOR) add navigator.platform (Aras Abbasi) https://github.com/nodejs/node/pull/50385
stream:
  * (SEMVER-MINOR) add support for `deflate-raw` format to webstreams compression (Damian Krzeminski) https://github.com/nodejs/node/pull/50097
  * use Array for Readable buffer (Robert Nagy) https://github.com/nodejs/node/pull/50341
  * optimize creation (Robert Nagy) https://github.com/nodejs/node/pull/50337
test_runner:
  * (SEMVER-MINOR) adds built in lcov reporter (Phil Nash) https://github.com/nodejs/node/pull/50018
  * (SEMVER-MINOR) add Date to the supported mock APIs (Lucas Santos) https://github.com/nodejs/node/pull/48638
test_runner, cli:
  * (SEMVER-MINOR) add --test-timeout flag (Shubham Pandey) https://github.com/nodejs/node/pull/50443

PR-URL: https://github.com/nodejs/node/pull/50681
2023-11-14 19:00:59 +01:00
Richard Lau
2c4a332a9f
2023-10-24, Version 20.9.0 'Iron' (LTS)
Notable changes:

This release marks the transition of Node.js 20.x into Long Term Support (LTS)
with the codename 'Iron'. The 20.x release line now moves into "Active LTS"
and will remain so until October 2024. After that time, it will move into
"Maintenance" until end of life in April 2026.

PR-URL: https://github.com/nodejs/node/pull/50298
2023-10-24 10:12:56 -04:00
Michaël Zasso
7c1b1f41c3
2023-10-24, Version 21.1.0 (Current)
Notable changes:

doc:
  * add H4ad to collaborators (Vinícius Lourenço) https://github.com/nodejs/node/pull/50217
esm:
  * (SEMVER-MINOR) detect ESM syntax in ambiguous JavaScript (Geoffrey Booth) https://github.com/nodejs/node/pull/50096
fs:
  * (SEMVER-MINOR) add flush option to appendFile() functions (Colin Ihrig) https://github.com/nodejs/node/pull/50095
lib:
  * (SEMVER-MINOR) add `navigator.userAgent` (Yagiz Nizipli) https://github.com/nodejs/node/pull/50200
stream:
  * (SEMVER-MINOR) allow pass stream class to `stream.compose` (Alex Yang) https://github.com/nodejs/node/pull/50187
  * call helper function from push and unshift (Raz Luvaton) https://github.com/nodejs/node/pull/50173

PR-URL: https://github.com/nodejs/node/pull/50335
2023-10-24 15:13:00 +02:00
RafaelGSS
ed16a46481 2023-10-17, Version 21.0.0 (Current)
Notable Changes:

doc:
  * promote fetch/webstreams from experimental to stable (Steven) https://github.com/nodejs/node/pull/45684
esm:
  * use import attributes instead of import assertions (Antoine du Hamel) https://github.com/nodejs/node/pull/50140
  * --experimental-default-type flag to flip module defaults (Geoffrey Booth) https://github.com/nodejs/node/pull/49869
  * remove `globalPreload` hook (superseded by `initialize`) (Jacob Smith) https://github.com/nodejs/node/pull/49144
fs:
  * add flush option to writeFile() functions (Colin Ihrig) https://github.com/nodejs/node/pull/50009
  * (SEMVER-MAJOR) add globSync implementation (Moshe Atlow) https://github.com/nodejs/node/pull/47653
http:
  * (SEMVER-MAJOR) reduce parts in chunked response when corking (Robert Nagy) https://github.com/nodejs/node/pull/50167
lib:
  * (SEMVER-MINOR) add WebSocket client (Matthew Aitken) https://github.com/nodejs/node/pull/49830
  * (SEMVER-MAJOR) add `navigator.hardwareConcurrency` (Yagiz Nizipli) https://github.com/nodejs/node/pull/47769
stream:
  * optimize Writable (Robert Nagy) https://github.com/nodejs/node/pull/50012
test_runner:
  * (SEMVER-MAJOR) support passing globs (Moshe Atlow) https://github.com/nodejs/node/pull/47653
vm:
  * use default HDO when importModuleDynamically is not set (Joyee Cheung) https://github.com/nodejs/node/pull/49950

Semver-Major Commits:

* (SEMVER-MAJOR) build: drop support for Visual Studio 2019 (Michaël Zasso) https://github.com/nodejs/node/pull/49051
* (SEMVER-MAJOR) build: bump supported macOS and Xcode versions (Michaël Zasso) https://github.com/nodejs/node/pull/49164
* (SEMVER-MAJOR) crypto: do not overwrite \_writableState.defaultEncoding (Tobias Nießen) https://github.com/nodejs/node/pull/49140
* (SEMVER-MAJOR) deps: bump minimum ICU version to 73 (Michaël Zasso) https://github.com/nodejs/node/pull/49639
* (SEMVER-MAJOR) deps: update V8 to 11.8.172.13 (Michaël Zasso) https://github.com/nodejs/node/pull/49639
* (SEMVER-MAJOR) deps: update llhttp to 9.1.2 (Paolo Insogna) https://github.com/nodejs/node/pull/48981
* (SEMVER-MAJOR) events: validate options of `on` and `once` (Deokjin Kim) https://github.com/nodejs/node/pull/46018
* (SEMVER-MAJOR) fs: adjust `position` validation in reading methods (Livia Medeiros) https://github.com/nodejs/node/pull/42835
* (SEMVER-MAJOR) fs: add globSync implementation (Moshe Atlow) https://github.com/nodejs/node/pull/47653
* (SEMVER-MAJOR) http: reduce parts in chunked response when corking (Robert Nagy) https://github.com/nodejs/node/pull/50167
* (SEMVER-MAJOR) lib: mark URL/URLSearchParams as uncloneable and untransferable (Chengzhong Wu) https://github.com/nodejs/node/pull/47497
* (SEMVER-MAJOR) lib: remove aix directory case for package reader (Yagiz Nizipli) https://github.com/nodejs/node/pull/48605
* (SEMVER-MAJOR) lib: add `navigator.hardwareConcurrency` (Yagiz Nizipli) https://github.com/nodejs/node/pull/47769
* (SEMVER-MAJOR) lib: runtime deprecate punycode (Yagiz Nizipli) https://github.com/nodejs/node/pull/47202
* (SEMVER-MAJOR) module: harmonize error code between ESM and CJS (Antoine du Hamel) https://github.com/nodejs/node/pull/48606
* (SEMVER-MAJOR) net: do not treat `server.maxConnections=0` as `Infinity` (ignoramous) https://github.com/nodejs/node/pull/48276
* (SEMVER-MAJOR) net: only defer \_final call when connecting (Jason Zhang) https://github.com/nodejs/node/pull/47385
* (SEMVER-MAJOR) node-api: rename internal NAPI\_VERSION definition (Chengzhong Wu) https://github.com/nodejs/node/pull/48501
* (SEMVER-MAJOR) src: update NODE\_MODULE\_VERSION to 120 (Michaël Zasso) https://github.com/nodejs/node/pull/49639
* (SEMVER-MAJOR) src: throw DOMException on cloning non-serializable objects (Chengzhong Wu) https://github.com/nodejs/node/pull/47839
* (SEMVER-MAJOR) src: throw DataCloneError on transfering untransferable objects (Chengzhong Wu) https://github.com/nodejs/node/pull/47604
* (SEMVER-MAJOR) stream: use private properties for strategies (Yagiz Nizipli) https://github.com/nodejs/node/pull/47218
* (SEMVER-MAJOR) stream: use private properties for encoding (Yagiz Nizipli) https://github.com/nodejs/node/pull/47218
* (SEMVER-MAJOR) stream: use private properties for compression (Yagiz Nizipli) https://github.com/nodejs/node/pull/47218
* (SEMVER-MAJOR) test\_runner: disallow array in `run` options (Raz Luvaton) https://github.com/nodejs/node/pull/49935
* (SEMVER-MAJOR) test\_runner: support passing globs (Moshe Atlow) https://github.com/nodejs/node/pull/47653
* (SEMVER-MAJOR) tls: use `validateNumber` for `options.minDHSize` (Deokjin Kim) https://github.com/nodejs/node/pull/49973
* (SEMVER-MAJOR) tls: use validateFunction for `options.checkServerIdentity` (Deokjin Kim) https://github.com/nodejs/node/pull/49896
* (SEMVER-MAJOR) util: runtime deprecate `promisify`-ing a function returning a `Promise` (Antoine du Hamel) https://github.com/nodejs/node/pull/49609
* (SEMVER-MAJOR) vm: freeze `dependencySpecifiers` array (Antoine du Hamel) https://github.com/nodejs/node/pull/49720

PR-URL: https://github.com/nodejs/node/pull/49870
Co-authored-by: Michaël Zasso <targos@protonmail.com>
2023-10-17 12:45:37 -03:00
RafaelGSS
937ea06fd5 2023-10-13, Version 18.18.2 'Hydrogen' (LTS)
This is a security release.

Notable changes:

* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)

PR-URL: https://github.com/nodejs-private/node-private/pull/492
2023-10-13 17:52:15 -03:00
RafaelGSS
deeffa0388 2023-10-13, Version 20.8.1 (Current)
This is a security release.

Notable changes:

* CVE-2023-44487: `nghttp2` Security Release (High)
* CVE-2023-45143: `undici` Security Release (High)
* CVE-2023-39332: Path traversal through path stored in Uint8Array (High)
* CVE-2023-39331: Permission model improperly protects against path traversal (High)
* CVE-2023-38552:  Integrity checks according to policies can be circumvented (Medium)
* CVE-2023-39333: Code injection via WebAssembly export names (Low)

PR-URL: https://github.com/nodejs-private/node-private/pull/491
2023-10-13 17:25:50 -03:00
Richard Lau
11f95dd12f
2023-10-10, Version 18.18.1 'Hydrogen' (LTS)
Notable changes:

This release addresses some regressions that appeared in Node.js 18.18.0:

- (Windows) FS can not handle certain characters in file name
  https://github.com/nodejs/node/issues/48673
- 18 and 20 node images give error - Text file busy (after re-build images)
  https://github.com/nodejs/docker-node/issues/1968
- libuv update in 18.18.0 breaks webpack's thread-loader
  https://github.com/nodejs/node/issues/49911

The libuv 1.45.0 and 1.46.0 updates that were released in Node.js 18.18.0
have been temporarily reverted.

PR-URL: https://github.com/nodejs/node/pull/50066
2023-10-10 11:38:44 -04:00
Ruy Adorno
5570c29780
2023-09-28, Version 20.8.0 (Current)
Notable changes:

deps:
  * add v8::Object::SetInternalFieldForNodeCore() (Joyee Cheung) https://github.com/nodejs/node/pull/49874
doc:
  * deprecate `fs.F_OK`, `fs.R_OK`, `fs.W_OK`, `fs.X_OK` (Livia Medeiros) https://github.com/nodejs/node/pull/49683
  * deprecate `util.toUSVString` (Yagiz Nizipli) https://github.com/nodejs/node/pull/49725
  * deprecate calling `promisify` on a function that returns a promise (Antoine du Hamel) https://github.com/nodejs/node/pull/49647
esm:
  * set all hooks as release candidate (Geoffrey Booth) https://github.com/nodejs/node/pull/49597
module:
  * fix the leak in SourceTextModule and ContextifySript (Joyee Cheung) https://github.com/nodejs/node/pull/48510
  * fix leak of vm.SyntheticModule (Joyee Cheung) https://github.com/nodejs/node/pull/48510
  * use symbol in WeakMap to manage host defined options (Joyee Cheung) https://github.com/nodejs/node/pull/48510
src:
  * (SEMVER-MINOR) allow embedders to override NODE_MODULE_VERSION (Cheng Zhao) https://github.com/nodejs/node/pull/49279
stream:
  * use bitmap in writable state (Raz Luvaton) https://github.com/nodejs/node/pull/49834
  * use bitmap in readable state (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/49745
  * improve webstream readable async iterator performance (Raz Luvaton) https://github.com/nodejs/node/pull/49662
test_runner:
  * (SEMVER-MINOR) accept `testOnly` in `run` (Moshe Atlow) https://github.com/nodejs/node/pull/49753
  * (SEMVER-MINOR) add junit reporter (Moshe Atlow) https://github.com/nodejs/node/pull/49614

PR-URL: https://github.com/nodejs/node/pull/49932
2023-09-28 23:14:36 -04:00
Ruy Adorno
78ab0eebd1
2023-09-18, Version 18.18.0 'Hydrogen' (LTS)
Notable changes:

build:
  * sync libuv header change (Jiawen Geng) https://github.com/nodejs/node/pull/48078
crypto:
  * update root certificates to NSS 3.93 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/49341
  * update root certificates to NSS 3.90 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/48416
deps:
  * add missing thread-common.c in uv.gyp (Santiago Gimeno) https://github.com/nodejs/node/pull/48078
  * upgrade to libuv 1.46.0 (Santiago Gimeno) https://github.com/nodejs/node/pull/48078
  * upgrade to libuv 1.45.0 (Santiago Gimeno) https://github.com/nodejs/node/pull/48078
doc:
  * add atlowChemi to collaborators (atlowChemi) https://github.com/nodejs/node/pull/48757
  * add vmoroz to collaborators (Vladimir Morozov) https://github.com/nodejs/node/pull/48527
  * add kvakil to collaborators (Keyhan Vakil) https://github.com/nodejs/node/pull/48449
esm:
  * (SEMVER-MINOR) add `--import` flag (Moshe Atlow) https://github.com/nodejs/node/pull/43942
events:
  * (SEMVER-MINOR) allow safely adding listener to abortSignal (Chemi Atlow) https://github.com/nodejs/node/pull/48596
fs, stream:
  * initial `Symbol.dispose` and `Symbol.asyncDispose` support (Moshe Atlow) https://github.com/nodejs/node/pull/48518
net:
  * add autoSelectFamily global getter and setter (Paolo Insogna) https://github.com/nodejs/node/pull/45777
url:
  * (SEMVER-MINOR) add value argument to has and delete methods (Sankalp Shubham) https://github.com/nodejs/node/pull/47885

PR-URL: https://github.com/nodejs/node/pull/49220
2023-09-18 17:39:17 -04:00
Ulises Gascón
b651e37d2e
2023-09-18, Version 20.7.0 (Current)
Notable changes:

crypto:
  * update root certificates to NSS 3.93 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/49341
deps:
  * upgrade npm to 10.1.0 (npm team) https://github.com/nodejs/node/pull/49570
  * upgrade npm to 10.0.0 (npm team) https://github.com/nodejs/node/pull/49423
doc:
  * move and rename loaders section (Geoffrey Booth) https://github.com/nodejs/node/pull/49261
  * add release key for Ulises Gascon (Ulises Gascón) https://github.com/nodejs/node/pull/49196
lib:
  * (SEMVER-MINOR) add api to detect whether source-maps are enabled (翠 / green) https://github.com/nodejs/node/pull/46391
src:
  * support multiple `--env-file` declarations (Yagiz Nizipli) https://github.com/nodejs/node/pull/49542
src,permission:
  * add multiple allow-fs-* flags (Carlos Espa) https://github.com/nodejs/node/pull/49047
test_runner:
  * (SEMVER-MINOR) expose location of tests (Colin Ihrig) https://github.com/nodejs/node/pull/48975

PR-URL: https://github.com/nodejs/node/pull/49592
2023-09-18 17:36:24 +00:00
Richard Lau
44084b81bb
doc: mark Node.js 16 as End-of-Life
PR-URL: https://github.com/nodejs/node/pull/49651
Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
2023-09-14 16:22:41 +00:00
RafaelGSS
0a2ab4c77c
2023-09-08, Version 20.6.1 (Current)
Notable changes:

esm:
  * fix loading of CJS modules from ESM (Antoine du Hamel) https://github.com/nodejs/node/pull/49500

PR-URL: https://github.com/nodejs/node/pull/49528
2023-09-08 11:45:05 -04:00
Ulises Gascón
12354260db 2023-09-04, Version 20.6.0 (Current)
Notable changes:

deps:
  * V8: cherry-pick 93275031284c (Joyee Cheung) #48660
doc:
  * add new TSC members (Michael Dawson) #48841
  * add rluvaton to collaborators (Raz Luvaton) #49215
esm:
  * unflag import.meta.resolve (Guy Bedford) #49028
  * add `initialize` hook, integrate with `register` (Izaak Schroeder) #48842
  * unflag `Module.register` and allow nested loader `import()` (Izaak Schroeder) #48559
inspector:
  * (SEMVER-MINOR) open add `SymbolDispose` (Chemi Atlow) #48765
module:
  * implement `register` utility (João Lenon) #46826
  * make CJS load from ESM loader (Antoine du Hamel) #47999
src:
  * add built-in `.env` file support (Yagiz Nizipli) #48890
  * initialize cppgc (Daryl Haresign and Joyee Cheung) #48660 and #45704
test_runner:
  * (SEMVER-MINOR) expose location of tests (Colin Ihrig) #48975

PR-URL: https://github.com/nodejs/node/pull/49185
2023-09-04 15:01:52 -05:00
RafaelGSS
ae25da20fa 2023-08-09, Version 20.5.1 (Current)
This is a security release.

Notable changes:

* CVE-2023-32002: Policies can be bypassed via Module.\_load (High)
* CVE-2023-32558: process.binding() can bypass the permission model through path traversal (High)
* CVE-2023-32004: Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* CVE-2023-32005: fs.statfs can bypass the permission model (Low)
* CVE-2023-32003: fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
* OpenSSL Security Releases
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html

PR-URL: https://github.com/nodejs-private/node-private/pull/465
2023-08-09 14:24:18 -03:00
RafaelGSS
6d46d986a4 2023-08-09, Version 18.17.1 'Hydrogen' (LTS)
Notable changes:

Following CVEs are fixed in this release:

* CVE-2023-32002: Policies can be bypassed via Module._load (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html

PR-URL: https://github.com/nodejs-private/node-private/pull/463
2023-08-09 14:02:22 -03:00
RafaelGSS
eed21991fb 2023-08-09, Version 16.20.2 'Gallium' (LTS)
This is a security release.

Notable changes:

Following CVEs are fixed in this release:

* CVE-2023-32002: Policies can be bypassed via Module._load (High)
* CVE-2023-32006: Policies can be bypassed by module.constructor.createRequire (Medium)
* CVE-2023-32559: Policies can be bypassed via process.binding (Medium)
* OpenSSL Security Releases
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html
  * https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html

PR-URL: https://github.com/nodejs-private/node-private/pull/458
2023-08-09 13:36:10 -03:00
Juan José Arboleda
d5761a4f8e 2023-07-18, Version 20.5.0 (Current)
Notable changes:

doc:
  * add atlowChemi to collaborators (atlowChemi) https://github.com/nodejs/node/pull/48757
events:
  * (SEMVER-MINOR) allow safely adding listener to abortSignal (Chemi Atlow) https://github.com/nodejs/node/pull/48596
fs:
  * add a fast-path for readFileSync utf-8 (Yagiz Nizipli) https://github.com/nodejs/node/pull/48658
test_runner:
  * (SEMVER-MINOR) add shards support (Raz Luvaton) https://github.com/nodejs/node/pull/48639

PR-URL: https://github.com/nodejs/node/pull/48761
2023-07-20 16:28:46 -05:00
Danielle Adams
51513b23e8
2023-07-18, Version 18.17.0 'Hydrogen' (LTS)
Notable changes:

Ada 2.0
Node.js v18.17.0 comes with the latest version of the URL parser, Ada. This
update brings significant performance improvements to URL parsing, including
enhancements to the url.domainToASCII and url.domainToUnicode functions
in node:url.

Ada 2.0 has been integrated into the Node.js codebase, ensuring that all
parts of the application can benefit from the improved performance. Additionally,
Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4,
while also eliminating the need for the ICU requirement for URL hostname parsing.

Contributed by Yagiz Nizipli and Daniel Lemire in https://github.com/nodejs/node/pull/47339

Web Crypto API
Web Crypto API functions' arguments are now coerced and validated as per
their WebIDL definitions like in other Web Crypto API implementations. This
further improves interoperability with other implementations of Web Crypto API.

Contributed by Filip Skokan in https://github.com/nodejs/node/pull/46067

crypto:
  * update root certificates to NSS 3.89 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/47659
dns:
  * (SEMVER-MINOR) expose getDefaultResultOrder (btea) https://github.com/nodejs/node/pull/46973
doc:
  * add ovflowd to collaborators (Claudio Wunder) https://github.com/nodejs/node/pull/47844
  * add KhafraDev to collaborators (Matthew Aitken) https://github.com/nodejs/node/pull/47510
* events:
  * (SEMVER-MINOR) add getMaxListeners method (Matthew Aitken) https://github.com/nodejs/node/pull/47039
fs:
  * (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) https://github.com/nodejs/node/pull/47084
  * (SEMVER-MINOR) add recursive option to readdir and opendir (Ethan Arrowood) https://github.com/nodejs/node/pull/41439
  * (SEMVER-MINOR) add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) https://github.com/nodejs/node/pull/47084
  * (SEMVER-MINOR) implement byob mode for readableWebStream() (Debadree Chatterjee) https://github.com/nodejs/node/pull/46933
http:
  * (SEMVER-MINOR) prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) https://github.com/nodejs/node/pull/47732
  * (SEMVER-MINOR) remove internal error in assignSocket (Matteo Collina) https://github.com/nodejs/node/pull/47723
  * (SEMVER-MINOR) add highWaterMark opt in http.createServer (HinataKah0) https://github.com/nodejs/node/pull/47405
lib:
  * (SEMVER-MINOR) add webstreams to Duplex.from() (Debadree Chatterjee) https://github.com/nodejs/node/pull/46190
  * (SEMVER-MINOR) implement AbortSignal.any() (Chemi Atlow) https://github.com/nodejs/node/pull/47821
module:
  * change default resolver to not throw on unknown scheme (Gil Tayar) https://github.com/nodejs/node/pull/47824
node-api:
  * (SEMVER-MINOR) define version 9 (Chengzhong Wu) https://github.com/nodejs/node/pull/48151
  * (SEMVER-MINOR) deprecate napi_module_register (Vladimir Morozov) https://github.com/nodejs/node/pull/46319
stream:
  * (SEMVER-MINOR) preserve object mode in compose (Raz Luvaton) https://github.com/nodejs/node/pull/47413
  * (SEMVER-MINOR) add setter & getter for default highWaterMark (#46929) (Robert Nagy) https://github.com/nodejs/node/pull/46929
test:
  * unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) https://github.com/nodejs/node/pull/48078
test_runner:
  * (SEMVER-MINOR) add shorthands to `test` (Chemi Atlow) https://github.com/nodejs/node/pull/47909
  * (SEMVER-MINOR) support combining coverage reports (Colin Ihrig) https://github.com/nodejs/node/pull/47686
  * (SEMVER-MINOR) execute before hook on test (Chemi Atlow) https://github.com/nodejs/node/pull/47586
  * (SEMVER-MINOR) expose reporter for use in run api (Chemi Atlow) https://github.com/nodejs/node/pull/47238
tools:
  * update LICENSE and license-builder.sh (Santiago Gimeno) https://github.com/nodejs/node/pull/48078
url:
  * (SEMVER-MINOR) implement URL.canParse (Matthew Aitken) https://github.com/nodejs/node/pull/47179
wasi:
  * (SEMVER-MINOR) no longer require flag to enable wasi (Michael Dawson) https://github.com/nodejs/node/pull/47286

PR-URL: https://github.com/nodejs/node/pull/48694
2023-07-18 15:37:22 -04:00
RafaelGSS
8fc3851da7 2023-07-05, Version 20.4.0 (Current)
Notable changes:

crypto:
  * update root certificates to NSS 3.90 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/48416
doc:
  * add vmoroz to collaborators (Vladimir Morozov) https://github.com/nodejs/node/pull/48527
  * add kvakil to collaborators (Keyhan Vakil) https://github.com/nodejs/node/pull/48449
fs, stream:
  * initial `Symbol.dispose` and `Symbol.asyncDispose` support (Moshe Atlow) https://github.com/nodejs/node/pull/48518
test_runner:
  * (SEMVER-MINOR) add initial draft for fakeTimers (Erick Wendel) https://github.com/nodejs/node/pull/47775
tls:
  * (SEMVER-MINOR) add ALPNCallback server option for dynamic ALPN negotiation (Tim Perry) https://github.com/nodejs/node/pull/45190

PR-URL: https://github.com/nodejs/node/pull/48643
2023-07-05 10:51:42 -03:00
RafaelGSS
b607b74a4f 2023-06-20, Version 18.16.1 'Hydrogen' (LTS)
This is a security release.

Notable changes:

Following CVEs are fixed in this release:

* CVE-2023-30581: `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
  * https://www.openssl.org/news/secadv/20230328.txt
  * https://www.openssl.org/news/secadv/20230420.txt
  * https://www.openssl.org/news/secadv/20230530.txt
* c-ares vulnerabilities:
  * GHSA-9g78-jv2r-p7vc
  * GHSA-8r8p-23f3-64c2
  * GHSA-54xr-f67r-4pc4
  * GHSA-x6mf-cxr9-8q6v

PR-URL: https://github.com/nodejs-private/node-private/pull/434
2023-06-20 17:26:23 -03:00
RafaelGSS
167dc77d85 2023-06-20, Version 20.3.1 (Current)
This is a security release.

Notable Changes

The following CVEs are fixed in this release:
* CVE-2023-30581: `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
* CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
* CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
* CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
* CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)

* OpenSSL Security Releases
  * [OpenSSL security advisory 28th March](https://www.openssl.org/news/secadv/20230328.txt).
  * [OpenSSL security advisory 20th April](https://www.openssl.org/news/secadv/20230420.txt).
  * [OpenSSL security advisory 30th May](https://www.openssl.org/news/secadv/20230530.txt)

PR-URL: https://github.com/nodejs-private/node-private/pull/435
2023-06-20 17:08:45 -03:00
RafaelGSS
c09acb3ea8 2023-06-20, Version 16.20.1 'Gallium' (LTS)
This is a security release.

Notable changes:

Following CVEs are fixed in this release:

* CVE-2023-30581: `mainModule.__proto__` Bypass Experimental Policy Mechanism (High)
* CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
* CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
* CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
* CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
* OpenSSL Security Releases
  * https://www.openssl.org/news/secadv/20230328.txt
  * https://www.openssl.org/news/secadv/20230420.txt
  * https://www.openssl.org/news/secadv/20230530.txt
* c-ares vulnerabilities:
  * GHSA-9g78-jv2r-p7vc
  * GHSA-8r8p-23f3-64c2
  * GHSA-54xr-f67r-4pc4
  * GHSA-x6mf-cxr9-8q6v

PR-URL: https://github.com/nodejs-private/node-private/pull/432
2023-06-20 16:21:56 -03:00
Michaël Zasso
5a58972207 2023-06-08, Version 20.3.0 (Current)
Notable changes:

deps:
  * upgrade to libuv 1.45.0, including significant performance
    improvements to file system operations on Linux (Santiago Gimeno) https://github.com/nodejs/node/pull/48078
doc:
  * add Ruy Adorno to list of TSC members (Michael Dawson) https://github.com/nodejs/node/pull/48172
  * mark Node.js 14 as End-of-Life (Richard Lau) https://github.com/nodejs/node/pull/48023
lib:
  * (SEMVER-MINOR) implement AbortSignal.any() (Chemi Atlow) https://github.com/nodejs/node/pull/47821
module:
  * change default resolver to not throw on unknown scheme (Gil Tayar) https://github.com/nodejs/node/pull/47824
node-api:
  * (SEMVER-MINOR) define version 9 (Chengzhong Wu) https://github.com/nodejs/node/pull/48151
stream:
  * deprecate asIndexedPairs (Chemi Atlow) https://github.com/nodejs/node/pull/48102

PR-URL: https://github.com/nodejs/node/pull/48332
2023-06-08 13:00:26 -03:00
Richard Lau
6aa2aeedcb
doc: mark Node.js 19 as End-of-Life
PR-URL: https://github.com/nodejs/node/pull/48283
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Debadree Chatterjee <debadree333@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
2023-06-01 17:51:45 +00:00
Michaël Zasso
c2ca4290f6
2023-05-16, Version 20.2.0 (Current)
Notable changes:

doc:
  * add ovflowd to collaborators (Claudio Wunder) https://github.com/nodejs/node/pull/47844
http:
  * (SEMVER-MINOR) prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) https://github.com/nodejs/node/pull/47732
sea:
  * (SEMVER-MINOR) add option to disable the experimental SEA warning (Darshan Sen) https://github.com/nodejs/node/pull/47588
test_runner:
  * (SEMVER-MINOR) add `skip`, `todo`, and `only` shorthands to `test` (Chemi Atlow) https://github.com/nodejs/node/pull/47909
url:
  * (SEMVER-MINOR) add value argument to `URLSearchParams` `has` and `delete` methods (Sankalp Shubham) https://github.com/nodejs/node/pull/47885

PR-URL: https://github.com/nodejs/node/pull/48020
2023-05-16 14:40:46 +02:00
Richard Lau
fb6afb5c67
doc: mark Node.js 14 as End-of-Life
PR-URL: https://github.com/nodejs/node/pull/48023
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
Reviewed-By: Qingyu Deng <i@ayase-lab.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Deokjin Kim <deokjin81.kim@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
2023-05-16 11:20:08 +00:00
Michaël Zasso
c24a61b3f6
2023-05-03, Version 20.1.0 (Current)
Notable changes:

assert:
  * deprecate `CallTracker` (Moshe Atlow) https://github.com/nodejs/node/pull/47740
crypto:
  * update root certificates to NSS 3.89 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/47659
dns:
  * (SEMVER-MINOR) expose `getDefaultResultOrder` (btea) https://github.com/nodejs/node/pull/46973
doc:
  * add KhafraDev to collaborators (Matthew Aitken) https://github.com/nodejs/node/pull/47510
fs:
  * (SEMVER-MINOR) add `recursive` option to `readdir` and `opendir` (Ethan Arrowood) https://github.com/nodejs/node/pull/41439
  * (SEMVER-MINOR) add support for `mode` flag to specify the copy behavior of the `cp` methods (Tetsuharu Ohzeki) https://github.com/nodejs/node/pull/47084
http:
  * (SEMVER-MINOR) add `highWaterMark` option `http.createServer` (HinataKah0) https://github.com/nodejs/node/pull/47405
stream:
  * (SEMVER-MINOR) preserve object mode in `compose` (Raz Luvaton) https://github.com/nodejs/node/pull/47413
test_runner:
  * (SEMVER-MINOR) add `testNamePatterns` to `run` API (Chemi Atlow) https://github.com/nodejs/node/pull/47628
  * (SEMVER-MINOR) execute `before` hook on test (Chemi Atlow) https://github.com/nodejs/node/pull/47586
  * (SEMVER-MINOR) support combining coverage reports (Colin Ihrig) https://github.com/nodejs/node/pull/47686
wasi:
  * (SEMVER-MINOR) make `returnOnExit` true by default (Michael Dawson) https://github.com/nodejs/node/pull/47390

PR-URL: https://github.com/nodejs/node/pull/47820
2023-05-03 17:41:05 +02:00
RafaelGSS
8920dc1801 2023-04-18, Version 20.0.0 (Current)
Notable Changes:

crypto:
  * (SEMVER-MAJOR) use WebIDL converters in WebCryptoAPI (Filip Skokan) https://github.com/nodejs/node/pull/46067
deps:
  * update ada to 2.0.0 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/47339
esm:
  * move hook execution to separate thread (Jacob Smith) https://github.com/nodejs/node/pull/44710
sea:
  * use JSON configuration and blob content for SEA (Joyee Cheung) https://github.com/nodejs/node/pull/47125
src,process:
  * (SEMVER-MINOR) add permission model (Rafael Gonzaga) https://github.com/nodejs/node/pull/44004
url:
  * drop ICU requirement for parsing hostnames (Yagiz Nizipli) https://github.com/nodejs/node/pull/47339
  * use ada::url_aggregator for parsing urls (Yagiz Nizipli) https://github.com/nodejs/node/pull/47339
  * (SEMVER-MAJOR) runtime-deprecate url.parse() with invalid ports (Rich Trott) https://github.com/nodejs/node/pull/45526

Semver-Major Commits:

* [9fafb0a090] - (SEMVER-MAJOR) async_hooks: deprecate the AsyncResource.bind asyncResource property (James M Snell) https://github.com/nodejs/node/pull/46432
* [1948d37595] - (SEMVER-MAJOR) buffer: check INSPECT_MAX_BYTES with validateNumber (Umuoy) https://github.com/nodejs/node/pull/46599
* [7bc0e6a4e7] - (SEMVER-MAJOR) buffer: graduate File from experimental and expose as global (Khafra) https://github.com/nodejs/node/pull/47153
* [671ffd7825] - (SEMVER-MAJOR) buffer: use min/max of `validateNumber` (Deokjin Kim) https://github.com/nodejs/node/pull/45796
* [ab1614d280] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [c1bcdbcf79] - (SEMVER-MAJOR) build: warn for gcc versions earlier than 10.1 (Richard Lau) https://github.com/nodejs/node/pull/46806
* [649f68fc1e] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Yagiz Nizipli) https://github.com/nodejs/node/pull/45579
* [9374700d7a] - (SEMVER-MAJOR) crypto: remove DEFAULT_ENCODING (Tobias Nießen) https://github.com/nodejs/node/pull/47182
* [1640aeb680] - (SEMVER-MAJOR) crypto: remove obsolete SSL_OP_* constants (Tobias Nießen) https://github.com/nodejs/node/pull/47073
* [c2e4b1fa9a] - (SEMVER-MAJOR) crypto: remove ALPN_ENABLED (Tobias Nießen) https://github.com/nodejs/node/pull/47028
* [3ef38c4bd7] - (SEMVER-MAJOR) crypto: use WebIDL converters in WebCryptoAPI (Filip Skokan) https://github.com/nodejs/node/pull/46067
* [08af023b1f] - (SEMVER-MAJOR) crypto: runtime deprecate replaced rsa-pss keygen parameters (Filip Skokan) https://github.com/nodejs/node/pull/45653
* [7eb0ac3cb6] - (SEMVER-MAJOR) deps: patch V8 to support compilation on win-arm64 (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [a7c129f286] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [6f5655a18e] - (SEMVER-MAJOR) deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [f226350fcb] - (SEMVER-MAJOR) deps: update V8 to 11.3.244.4 (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [d6dae7420e] - (SEMVER-MAJOR) deps: V8: cherry-pick f1c888e7093e (Michaël Zasso) https://github.com/nodejs/node/pull/45579
* [56c436533e] - (SEMVER-MAJOR) deps: fix V8 build on Windows with MSVC (Michaël Zasso) https://github.com/nodejs/node/pull/45579
* [51ab98c71b] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) https://github.com/nodejs/node/pull/45579
* [9f84d3eea8] - (SEMVER-MAJOR) deps: V8: fix v8-cppgc.h for MSVC (Jiawen Geng) https://github.com/nodejs/node/pull/45579
* [f2318cd4b5] - (SEMVER-MAJOR) deps: fix V8 build issue with inline methods (Jiawen Geng) https://github.com/nodejs/node/pull/45579
* [16e03e7968] - (SEMVER-MAJOR) deps: update V8 to 10.9.194.4 (Yagiz Nizipli) https://github.com/nodejs/node/pull/45579
* [6473f5e7f7] - (SEMVER-MAJOR) doc: update toolchains used for Node.js 20 releases (Richard Lau) https://github.com/nodejs/node/pull/47352
* [cc18fd9608] - (SEMVER-MAJOR) events: refactor to use `validateNumber` (Deokjin Kim) https://github.com/nodejs/node/pull/45770
* [ff92b40ffc] - (SEMVER-MAJOR) http: close the connection after sending a body without declared length (Tim Perry) https://github.com/nodejs/node/pull/46333
* [2a29df6464] - (SEMVER-MAJOR) http: keep HTTP/1.1 conns alive even if the Connection header is removed (Tim Perry) https://github.com/nodejs/node/pull/46331
* [391dc74a10] - (SEMVER-MAJOR) http: throw error if options of http.Server is array (Deokjin Kim) https://github.com/nodejs/node/pull/46283
* [ed3604cd64] - (SEMVER-MAJOR) http: server check Host header, to meet RFC 7230 5.4 requirement (wwwzbwcom) https://github.com/nodejs/node/pull/45597
* [88d71dc301] - (SEMVER-MAJOR) lib: refactor to use min/max of `validateNumber` (Deokjin Kim) https://github.com/nodejs/node/pull/45772
* [e4d641f02a] - (SEMVER-MAJOR) lib: refactor to use validators in http2 (Debadree Chatterjee) https://github.com/nodejs/node/pull/46174
* [0f3e531096] - (SEMVER-MAJOR) lib: performance improvement on readline async iterator (Thiago Oliveira Santos) https://github.com/nodejs/node/pull/41276
* [5b5898ac86] - (SEMVER-MAJOR) lib,src: update exit codes as per todos (Debadree Chatterjee) https://github.com/nodejs/node/pull/45841
* [55321bafd1] - (SEMVER-MAJOR) net: enable autoSelectFamily by default (Paolo Insogna) https://github.com/nodejs/node/pull/46790
* [2d0d99733b] - (SEMVER-MAJOR) process: remove `process.exit()`, `process.exitCode` coercion to integer (Daeyeon Jeong) https://github.com/nodejs/node/pull/43716
* [dc06df31b6] - (SEMVER-MAJOR) readline: refactor to use `validateNumber` (Deokjin Kim) https://github.com/nodejs/node/pull/45801
* [295b2f3ff4] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 115 (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [3803b028dd] - (SEMVER-MAJOR) src: share common code paths for SEA and embedder script (Anna Henningsen) https://github.com/nodejs/node/pull/46825
* [e8bddac3e9] - (SEMVER-MAJOR) src: apply ABI-breaking API simplifications (Anna Henningsen) https://github.com/nodejs/node/pull/46705
* [f84de0ad4c] - (SEMVER-MAJOR) src: use uint32_t for process initialization flags enum (Anna Henningsen) https://github.com/nodejs/node/pull/46427
* [a6242772ec] - (SEMVER-MAJOR) src: fix ArrayBuffer::Detach deprecation (Michaël Zasso) https://github.com/nodejs/node/pull/45579
* [dd5c39a808] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 112 (Yagiz Nizipli) https://github.com/nodejs/node/pull/45579
* [63eca7fec0] - (SEMVER-MAJOR) stream: validate readable defaultEncoding (Marco Ippolito) https://github.com/nodejs/node/pull/46430
* [9e7093f416] - (SEMVER-MAJOR) stream: validate writable defaultEncoding (Marco Ippolito) https://github.com/nodejs/node/pull/46322
* [fb91ee4f26] - (SEMVER-MAJOR) test: make trace-gc-flag tests less strict (Yagiz Nizipli) https://github.com/nodejs/node/pull/45579
* [eca618071e] - (SEMVER-MAJOR) test: adapt test-v8-stats for V8 update (Michaël Zasso) https://github.com/nodejs/node/pull/45579
* [c03354d3e0] - (SEMVER-MAJOR) test: test case for multiple res.writeHead and res.getHeader (Marco Ippolito) https://github.com/nodejs/node/pull/45508
* [c733cc0c7f] - (SEMVER-MAJOR) test_runner: mark module as stable (Colin Ihrig) https://github.com/nodejs/node/pull/46983
* [7ce223273d] - (SEMVER-MAJOR) tools: update V8 gypfiles for 11.1 (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [ca4bd3023e] - (SEMVER-MAJOR) tools: update V8 gypfiles for 11.0 (Michaël Zasso) https://github.com/nodejs/node/pull/47251
* [58b06a269a] - (SEMVER-MAJOR) tools: update V8 gypfiles (Michaël Zasso) https://github.com/nodejs/node/pull/45579
* [027841c964] - (SEMVER-MAJOR) url: use private properties for brand check (Yagiz Nizipli) https://github.com/nodejs/node/pull/46904
* [3bed5f11e0] - (SEMVER-MAJOR) url: runtime-deprecate url.parse() with invalid ports (Rich Trott) https://github.com/nodejs/node/pull/45526
* [7c76fddf25] - (SEMVER-MAJOR) util,doc: mark parseArgs() as stable (Colin Ihrig) https://github.com/nodejs/node/pull/46718
* [4b52727976] - (SEMVER-MAJOR) wasi: make version non-optional (Michael Dawson) https://github.com/nodejs/node/pull/47391

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>

PR-URL: https://github.com/nodejs/node/pull/47441
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
2023-04-18 13:04:39 -03:00
Danielle Adams
527394783e
2023-04-12, Version 18.16.0 'Hydrogen' (LTS)
Notable changes:

Add initial support for single executable applications

Compile a JavaScript file into a single executable application:

```console
$ echo 'console.log(`Hello, ${process.argv[2]}!`);' > hello.js

$ cp $(command -v node) hello

$ npx postject hello NODE_JS_CODE hello.js \
    --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2

$ npx postject hello NODE_JS_CODE hello.js \
    --sentinel-fuse NODE_JS_FUSE_fce680ab2cc467b6e072b8b5df1996b2 \
    --macho-segment-name NODE_JS

$ ./hello world
Hello, world!
```

Contributed by Darshan Sen in https://github.com/nodejs/node/pull/45038

Replace url parser with Ada

Node.js gets a new URL parser called Ada that is compliant with the WHATWG
URL Specification and provides more than 100% performance improvement to
the existing implementation.

Contributed by Yagiz Nizipli in https://github.com/nodejs/node/pull/46410

Other notable changes:

* buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) https://github.com/nodejs/node/pull/46500
* doc:
  * add marco-ippolito to collaborators (Marco Ippolito) https://github.com/nodejs/node/pull/46816
  * add debadree25 to collaborators (Debadree Chatterjee) https://github.com/nodejs/node/pull/46716
  * add deokjinkim to collaborators (Deokjin Kim) https://github.com/nodejs/node/pull/46444
* events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) https://github.com/nodejs/node/pull/46523
* lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) https://github.com/nodejs/node/pull/46387
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) https://github.com/nodejs/node/pull/46494
* src:
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) https://github.com/nodejs/node/pull/46583
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) https://github.com/nodejs/node/pull/46368
* stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) https://github.com/nodejs/node/pull/46273
* tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) https://github.com/nodejs/node/pull/46978
* url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) https://github.com/nodejs/node/pull/46308
* worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) https://github.com/nodejs/node/pull/46832

PR-URL: https://github.com/nodejs/node/pull/47502
2023-04-12 20:34:40 -04:00
RafaelGSS
c8f6f851f9 2023-04-10, Version 19.9.0 (Current)
Notable changes:

events:
  * (SEMVER-MINOR) add getMaxListeners method (Khafra) https://github.com/nodejs/node/pull/47039
lib:
  * (SEMVER-MINOR) add tracing channel to diagnostics\_channel (Stephen Belanger)
msi:
  * (SEMVER-MINOR) migrate to WiX4 (Stefan Stojanovic) https://github.com/nodejs/node/pull/45943
node-api:
  * (SEMVER-MINOR) deprecate napi\_module\_register (Vladimir Morozov) https://github.com/nodejs/node/pull/46319
stream:
  * (SEMVER-MINOR) add setter & getter for default highWaterMark (Robert Nagy) https://github.com/nodejs/node/pull/46929
url:
  * (SEMVER-MINOR) implement URL.canParse (Khafra) https://github.com/nodejs/node/pull/47179
test_runner:
  * (SEMVER-MINOR) expose reporter for use in run api (Chemi Atlow) https://github.com/nodejs/node/pull/47238

PR-URL: https://github.com/nodejs/node/pull/47441
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
2023-04-10 21:10:55 -03:00
Beth Griggs
143deae6d8
2023-03-29, Version 16.20.0 'Gallium' (LTS)
Notable changes:

- deps:
  - update undici to 5.20.0 (Node.js GitHub Bot)
    https://github.com/nodejs/node/pull/46711
  - update c-ares to 1.19.0 (Michaël Zasso)
    https://github.com/nodejs/node/pull/46415
  - upgrade npm to 8.19.4 (npm team)
    https://github.com/nodejs/node/pull/46677
  - update corepack to 0.17.0 (Node.js GitHub Bot)
    https://github.com/nodejs/node/pull/46842
- (SEMVER-MINOR) src: add support for externally shared js builtins
  (Michael Dawson) [https://github.com/nodejs/node/pull/44376]

PR-URL: https://github.com/nodejs/node/pull/47272
2023-03-29 19:05:29 +01:00
Michaël Zasso
fa8465794d
2023-03-15, Version 19.8.1 (Current)
Notable changes:

This release contains a single revert of a change that was introduced in v19.8.0
and introduced application crashes.

Fixes: https://github.com/nodejs/node/issues/47096
PR-URL: https://github.com/nodejs/node/pull/47104
2023-03-15 18:11:57 +01:00
Michaël Zasso
115c9ac68d
2023-03-14, Version 19.8.0 (Current)
Notable changes:

buffer:
  * (SEMVER-MINOR) add Buffer.copyBytesFrom(...) (James M Snell) https://github.com/nodejs/node/pull/46500
doc:
  * add marco-ippolito to collaborators (Marco Ippolito) https://github.com/nodejs/node/pull/46816
events:
  * (SEMVER-MINOR) add listener argument to listenerCount (Paolo Insogna) https://github.com/nodejs/node/pull/46523
lib:
  * (SEMVER-MINOR) add AsyncLocalStorage.bind() and .snapshot() (flakey5) https://github.com/nodejs/node/pull/46387
src:
  * (SEMVER-MINOR) add `fs.openAsBlob` to support File-backed Blobs (James M Snell) https://github.com/nodejs/node/pull/45258
tls:
  * (SEMVER-MINOR) support automatic DHE (Tobias Nießen) https://github.com/nodejs/node/pull/46978
url:
  * (SEMVER-MINOR) implement URLSearchParams size getter (James M Snell) https://github.com/nodejs/node/pull/46308
wasi:
  * (SEMVER-MINOR) add support for version when creating WASI (Michael Dawson) https://github.com/nodejs/node/pull/46469
worker:
  * (SEMVER-MINOR) add support for worker name in inspector and trace_events (Debadree Chatterjee) https://github.com/nodejs/node/pull/46832

PR-URL: https://github.com/nodejs/node/pull/47087
2023-03-14 19:52:10 +01:00
Juan José Arboleda
3b0c047c31 2023-03-07, Version 18.15.0 'Hydrogen' (LTS)
Notable changes:

buffer:
  * (SEMVER-MINOR) add isAscii method (Yagiz Nizipli) https://github.com/nodejs/node/pull/46046
doc,lib,src,test:
  * rename --test-coverage (Colin Ihrig) https://github.com/nodejs/node/pull/46017
fs:
  * (SEMVER-MINOR) add statfs() functions (Colin Ihrig) https://github.com/nodejs/node/pull/46358
src,lib:
  * (SEMVER-MINOR) add constrainedMemory API for process (theanarkh) https://github.com/nodejs/node/pull/46218
test_runner:
  * add initial code coverage support (Colin Ihrig) https://github.com/nodejs/node/pull/46017
  * (SEMVER-MINOR) add reporters (Moshe Atlow) https://github.com/nodejs/node/pull/45712
v8:
  * (SEMVER-MINOR) support gc profile (theanarkh) https://github.com/nodejs/node/pull/46255
vm:
  * (SEMVER-MINOR) expose cachedDataRejected for vm.compileFunction (Anna Henningsen) https://github.com/nodejs/node/pull/46320

PR-URL: https://github.com/nodejs/node/pull/46920
2023-03-07 14:52:01 -05:00
Myles Borins
6a80a2b8cb
2023-02-21, Version 18.14.2 'Hydrogen' (LTS)
Notable changes:

deps:
  * upgrade npm to 9.5.0 (npm team) https://github.com/nodejs/node/pull/46673

PR-URL: https://github.com/nodejs/node/pull/46724
2023-02-21 13:14:43 -05:00
Myles Borins
89322aed7e
2023-02-21, Version 19.7.0 (Current)
Notable changes:

deps:
  * upgrade npm to 9.5.0 (npm team) https://github.com/nodejs/node/pull/46673
  * add ada as a dependency (Yagiz Nizipli) https://github.com/nodejs/node/pull/46410
doc:
  * add debadree25 to collaborators (Debadree Chatterjee) https://github.com/nodejs/node/pull/46716
  * add deokjinkim to collaborators (Deokjin Kim) https://github.com/nodejs/node/pull/46444
doc,lib,src,test:
  * rename --test-coverage (Colin Ihrig) https://github.com/nodejs/node/pull/46017
lib:
  * (SEMVER-MINOR) add aborted() utility function (Debadree Chatterjee) https://github.com/nodejs/node/pull/46494
src:
  * (SEMVER-MINOR) add initial support for single executable applications (Darshan Sen) https://github.com/nodejs/node/pull/45038
  * (SEMVER-MINOR) allow optional Isolate termination in node::Stop() (Shelley Vohr) https://github.com/nodejs/node/pull/46583
  * (SEMVER-MINOR) allow blobs in addition to `FILE*`s in embedder snapshot API (Anna Henningsen) https://github.com/nodejs/node/pull/46491
  * (SEMVER-MINOR) allow snapshotting from the embedder API (Anna Henningsen) https://github.com/nodejs/node/pull/45888
  * (SEMVER-MINOR) make build_snapshot a per-Isolate option, rather than a global one (Anna Henningsen) https://github.com/nodejs/node/pull/45888
  * (SEMVER-MINOR) add snapshot support for embedder API (Anna Henningsen) https://github.com/nodejs/node/pull/45888
  * (SEMVER-MINOR) allow embedder control of code generation policy (Shelley Vohr) https://github.com/nodejs/node/pull/46368
stream:
  * (SEMVER-MINOR) add abort signal for ReadableStream and WritableStream (Debadree Chatterjee) https://github.com/nodejs/node/pull/46273
test_runner:
  * add initial code coverage support (Colin Ihrig) https://github.com/nodejs/node/pull/46017
url:
  * replace url-parser with ada (Yagiz Nizipli) https://github.com/nodejs/node/pull/46410

PR-URL: https://github.com/nodejs/node/pull/46725
2023-02-21 13:12:58 -05:00
RafaelGSS
dd1977f3dd 2023-02-16, Version 19.6.1 (Current)
This is a security release.

The following CVEs are fixed in this release:

- CVE-2023-23919: OpenSSL errors not cleared in error stack (Medium)
- CVE-2023-23918: Experimental Policies bypass via `process.mainModule.require`(High)
- CVE-2023-23920: Insecure loading of ICU data through ICU_DATA environment variable (Low)
- OpenSSL 3.0.8
- undici 5.19.1

PR-URL: #385
2023-02-16 18:39:22 -03:00
Juan José Arboleda
667dd34d79 2023-02-16, Version 18.14.1 'Hydrogen' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium)
- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium)
- CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low)
- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)
- OpenSSL 3.0.8
- undici 5.19.1

PR-URL: https://github.com/nodejs-private/node-private/pull/386
2023-02-16 18:29:17 -03:00
Richard Lau
5c4a287c3e
2023-02-16, Version 16.19.1 'Gallium' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2023-23918: Node.js Permissions policies can be bypassed via
  process.mainModule (High)
- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs
  crypto library (Medium)
- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF
  injection in host headers (Medium)
- CVE-2023-24807: Regular Expression Denial of Service in Headers in
  Node.js fetch API (Low)
- CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA
  environment variable (Low)

Fixed by an update to undici:

- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF
  injection in host headers (Medium)
  See https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff
  for more information.
- CVE-2023-24807: Regular Expression Denial of Service in Headers in
  Node.js fetch API (Low)
  See https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w
  for more information.

- OpenSSL 1.1.1t

PR-URL: https://github.com/nodejs-private/node-private/pull/390
2023-02-16 16:12:30 -05:00
Richard Lau
6aca711858
2023-02-16, Version 14.21.3 'Fermium' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

* CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High)
* CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low)

* OpenSSL 1.1.1t
* npm 6.14.18

PR-URL: https://github.com/nodejs-private/node-private/pull/389
Refs: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases
2023-02-16 16:11:10 -05:00
Juan José Arboleda
66ab03d032 2023-02-02, Version 18.14.0 'Hydrogen' (LTS)
Notable changes:

* deps:
  * upgrade npm to 9.3.1 (npm team) https://github.com/nodejs/node/pull/46242
* doc:
  * add parallelism note to os.cpus() (Colin Ihrig) https://github.com/nodejs/node/pull/45895
* http:
  * join authorization headers (Marco Ippolito) https://github.com/nodejs/node/pull/45982
  * improved timeout defaults handling (Paolo Insogna) https://github.com/nodejs/node/pull/45778
* stream:
  * implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) https://github.com/nodejs/node/pull/46205

PR-URL: https://github.com/nodejs/node/pull/46396
2023-02-02 14:08:50 -05:00
ruyadorno@google.com
1579ff4f95
2023-02-02, Version 19.6.0 (Current)
Notable changes:

buffer:
  * (SEMVER-MINOR) add isAscii method (Yagiz Nizipli) https://github.com/nodejs/node/pull/46046
deps:
  * upgrade npm to 9.4.0 (npm team) https://github.com/nodejs/node/pull/46353
esm:
  * leverage loaders when resolving subsequent loaders (Maël Nison) https://github.com/nodejs/node/pull/43772
fs:
  * (SEMVER-MINOR) add statfs() functions (Colin Ihrig) https://github.com/nodejs/node/pull/46358
src,lib:
  * (SEMVER-MINOR) add constrainedMemory API for process (theanarkh) https://github.com/nodejs/node/pull/46218
test_runner:
  * (SEMVER-MINOR) add reporters (Moshe Atlow) https://github.com/nodejs/node/pull/45712
v8:
  * (SEMVER-MINOR) support gc profile (theanarkh) https://github.com/nodejs/node/pull/46255
vm:
  * (SEMVER-MINOR) expose cachedDataRejected for vm.compileFunction (Anna Henningsen) https://github.com/nodejs/node/pull/46320

PR-URL: https://github.com/nodejs/node/pull/46455
2023-02-02 11:04:44 -05:00
RafaelGSS
40a206cfff 2023-01-24, Version 19.5.0 (Current)
Notable changes:

* http:
  * (SEMVER-MINOR) join authorization headers (Marco Ippolito) [#45982](https://github.com/nodejs/node/pull/45982)
* lib:
  * add webstreams to Duplex.from() (Debadree Chatterjee) [#46190](https://github.com/nodejs/node/pull/46190)
* stream:
  * implement finished() for ReadableStream and WritableStream (Debadree Chatterjee) [#46205](https://github.com/nodejs/node/pull/46205)

PR-URL: https://github.com/nodejs/node/pull/46286
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
2023-01-24 18:16:02 -03:00
RafaelGSS
22a2ec64c4 2023-01-06, Version 19.4.0 (Current)
Notable changes:

buffer:
  * (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) https://github.com/nodejs/node/pull/45947
http:
  * (SEMVER-MINOR) improved timeout defaults handling (Paolo Insogna) https://github.com/nodejs/node/pull/45778
net
  * add autoSelectFamily global getter and setter (Paolo Insogna) https://github.com/nodejs/node/pull/45777
os:
  * (SEMVER-MINOR) add availableParallelism() (Colin Ihrig) https://github.com/nodejs/node/pull/45895
util:
  * add fast path for text-decoder fatal flag (Yagiz Nizipli) https://github.com/nodejs/node/pull/45803

PR-URL: https://github.com/nodejs/node/pull/46061
2023-01-06 09:57:24 -03:00
Danielle Adams
0593b699b8
2023-01-05, Version 18.13.0 'Hydrogen' (LTS)
Notable changes:

Add support for externally shared js builtins:

By default Node.js is built so that all dependencies are bundled into the
Node.js binary itself. Some Node.js distributions prefer to manage dependencies
externally. There are existing build options that allow dependencies with
native code to be externalized. This commit adds additional options so that
dependencies with JavaScript code (including WASM) can also be externalized.
This addition does not affect binaries shipped by the Node.js project but
will allow other distributions to externalize additional dependencies when
needed.

Contributed by Michael Dawson in https://github.com/nodejs/node/pull/44376

Introduce `File`:

The File class is part of the [FileAPI](https://w3c.github.io/FileAPI/).
It can be used anywhere a Blob can, for example in `URL.createObjectURL`
and `FormData`. It contains two properties that Blobs do not have: `lastModified`,
the last time the file was modified in ms, and `name`, the name of the file.

Contributed by Khafra in https://github.com/nodejs/node/pull/45139

Support function mocking on Node.js test runner:

The `node:test` module supports mocking during testing via a top-level `mock`
object.

```js
test('spies on an object method', (t) => {
  const number = {
    value: 5,
    add(a) {
      return this.value + a;
    },
  };
  t.mock.method(number, 'add');

  assert.strictEqual(number.add(3), 8);
  assert.strictEqual(number.add.mock.calls.length, 1);
});
```

Contributed by Colin Ihrig in https://github.com/nodejs/node/pull/45326

Other notable changes:

build:
  * disable v8 snapshot compression by default (Joyee Cheung) https://github.com/nodejs/node/pull/45716
crypto:
  * update root certificates (Luigi Pinca) https://github.com/nodejs/node/pull/45490
deps:
  * update ICU to 72.1 (Michaël Zasso) https://github.com/nodejs/node/pull/45068
doc:
  * add doc-only deprecation for headers/trailers setters (Rich Trott) https://github.com/nodejs/node/pull/45697
  * add Rafael to the tsc (Michael Dawson) https://github.com/nodejs/node/pull/45691
  * deprecate use of invalid ports in `url.parse` (Antoine du Hamel) https://github.com/nodejs/node/pull/45576
  * add lukekarrys to collaborators (Luke Karrys) https://github.com/nodejs/node/pull/45180
  * add anonrig to collaborators (Yagiz Nizipli) https://github.com/nodejs/node/pull/45002
  * deprecate url.parse() (Rich Trott) https://github.com/nodejs/node/pull/44919
lib:
  * drop fetch experimental warning (Matteo Collina) https://github.com/nodejs/node/pull/45287
net:
  * (SEMVER-MINOR) add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) https://github.com/nodejs/node/pull/44731
* src:
  * (SEMVER-MINOR) add uvwasi version (Jithil P Ponnan) https://github.com/nodejs/node/pull/45639
  * (SEMVER-MINOR) add initial shadow realm support (Chengzhong Wu) https://github.com/nodejs/node/pull/42869
test_runner:
  * (SEMVER-MINOR) add t.after() hook (Colin Ihrig) https://github.com/nodejs/node/pull/45792
  * (SEMVER-MINOR) don't use a symbol for runHook() (Colin Ihrig) https://github.com/nodejs/node/pull/45792
tls:
  * (SEMVER-MINOR) add "ca" property to certificate object (Ben Noordhuis) https://github.com/nodejs/node/pull/44935
  * remove trustcor root ca certificates (Ben Noordhuis) https://github.com/nodejs/node/pull/45776
tools:
  * update certdata.txt (Luigi Pinca) https://github.com/nodejs/node/pull/45490
util:
  * add fast path for utf8 encoding (Yagiz Nizipli) https://github.com/nodejs/node/pull/45412
  * improve textdecoder decode performance (Yagiz Nizipli) https://github.com/nodejs/node/pull/45294
  * (SEMVER-MINOR) add MIME utilities (#21128) (Bradley Farias) https://github.com/nodejs/node/pull/21128

PR-URL: https://github.com/nodejs/node/pull/46025
2023-01-05 19:57:23 -05:00
Michaël Zasso
b4f8186657
2022-12-14, Version 19.3.0 (Current)
Notable changes:

build:
  * disable v8 snapshot compression by default (Joyee Cheung) https://github.com/nodejs/node/pull/45716
deps:
  * upgrade npm to 9.2.0 (npm team) https://github.com/nodejs/node/pull/45780
doc:
  * add doc-only deprecation for headers/trailers setters (Rich Trott) https://github.com/nodejs/node/pull/45697
  * add Rafael Gonzaga to the TSC (Michael Dawson) https://github.com/nodejs/node/pull/45691
net:
  * (SEMVER-MINOR) add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) https://github.com/nodejs/node/pull/44731
src:
  * (SEMVER-MINOR) add uvwasi version (Jithil P Ponnan) https://github.com/nodejs/node/pull/45639
test_runner:
  * (SEMVER-MINOR) add t.after() hook (Colin Ihrig) https://github.com/nodejs/node/pull/45792
  * (SEMVER-MINOR) don't use a symbol for runHook() (Colin Ihrig) https://github.com/nodejs/node/pull/45792
tls:
  * remove trustcor root ca certificates (Ben Noordhuis) https://github.com/nodejs/node/pull/45776

PR-URL: https://github.com/nodejs/node/pull/45831
2022-12-14 13:52:52 +00:00
Richard Lau
a14244ce26
2022-12-13, Version 16.19.0 'Gallium' (LTS)
Notable changes:

- OpenSSL 1.1.1s
- Root certificates updated to NSS 3.85
- Time zone update to 2022f
- add dgram send queue info
- upgrade npm to 8.19.3
- add `--watch`
- add default value option to parsearg

PR-URL: https://github.com/nodejs/node/pull/45791
2022-12-13 08:01:09 -05:00
Richard Lau
c7946b1744
2022-12-13, Version 14.21.2 'Fermium' (LTS)
Notable changes:

OpenSSL 1.1.1s
Root certificates updated to NSS 3.85
Time zone update to 2022f

PR-URL: https://github.com/nodejs/node/pull/45775
2022-12-13 07:44:16 -05:00
Ruy Adorno
1bbd14eac2
2022-11-29, Version 19.2.0 (Current)
Notable changes:

buffer:
  * (SEMVER-MINOR) introduce File (Khafra) https://github.com/nodejs/node/pull/45139
deps:
  * update timezone to 2022f (Node.js GitHub Bot) https://github.com/nodejs/node/pull/45289
  * update V8 to 10.8.168.20 (Michaël Zasso) https://github.com/nodejs/node/pull/45230
doc:
  * deprecate use of invalid ports in `url.parse` (Antoine du Hamel) https://github.com/nodejs/node/pull/45576
util:
  * add fast path for utf8 encoding (Yagiz Nizipli) https://github.com/nodejs/node/pull/45412

PR-URL: https://github.com/nodejs/node/pull/45615
2022-11-29 14:10:05 -05:00
Rafael Gonzaga
0a592e48a0
doc: include v19.1.0 in CHANGELOG.md
It was missed in the last release.

Refs: 3770d3a450
PR-URL: https://github.com/nodejs/node/pull/45462
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Harshitha K P <harshitha014@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
2022-11-15 10:50:42 +00:00
Juan José Arboleda
58e8a8c58e 2022-11-04, Version 18.12.1 'Hydrogen' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2022-3602: A buffer overrun can be triggered in X.509
                 certificate verification (High)
- CVE-2022-3786: A buffer overrun can be triggered in X.509
                 certificate verification (High)
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
                  address (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/365
2022-11-04 14:26:35 -05:00
RafaelGSS
e4135a1de1 2022-11-04, Version 19.0.1 (Current)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2022-3786: A buffer overrun can be triggered in X.509
                 certificate verification (High)
- CVE-2022-3602: A buffer overrun can be triggered in X.509
                 certificate verification (High)
- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
                  address (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/366
2022-11-04 14:55:40 -03:00
Beth Griggs
81123b6658
2022-11-04, Version 16.18.1 'Gallium' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
                  address (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/363
2022-11-04 16:28:31 +00:00
Beth Griggs
7a14550e7c
2022-11-04, Version 14.21.1 'Fermium' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

- CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP
                  address (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/362
2022-11-04 16:12:57 +00:00
Danielle Adams
f1e93820a7
2022-11-01, Version 14.21.0 'Fermium' (LTS)
Notable changes:

* deps:
  * update corepack to 0.14.2 (Node.js GitHub Bot) https://github.com/nodejs/node/pull/44775
* src:
  * add --openssl-shared-config option (Daniel Bevenius) https://github.com/nodejs/node/pull/43124

PR-URL: https://github.com/nodejs/node/pull/44889
2022-11-01 17:19:41 -04:00
Rafael Gonzaga
26126469c1
doc: mark Node.js 12 as End-of-Life
PR-URL: https://github.com/nodejs/node/pull/45186
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2022-10-26 11:04:50 +00:00
Ruy Adorno
efd3c9cd31
2022-10-25, Version 18.12.0 'Hydrogen' (LTS)
Notable changes:

This release marks the transition of Node.js 18.x into Long Term Support (LTS)
with the codename 'Hydrogen'. The 18.x release line now moves into "Active LTS"
and will remain so until October 2023. After that time, it will move into
"Maintenance" until end of life in April 2025.

PR-URL: https://github.com/nodejs/node/pull/45100
2022-10-25 17:27:18 -04:00
KaKa
ee07e6632c
doc: mark Node.js v17.x as EOL
v17.x is EOL on 2022-06-01

Refs: https://github.com/nodejs/Release/blob/main/schedule.json
PR-URL: https://github.com/nodejs/node/pull/45110
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
2022-10-21 14:28:14 +00:00
Richard Lau
3db0c85878
doc: update Node.js 16 End-of-Life date
Node.js 16's End-of-Life date was brought forward to coincide with
the end of support for upstream OpenSSL 1.1.1.

PR-URL: https://github.com/nodejs/node/pull/45103
Refs: https://nodejs.org/en/blog/announcements/nodejs16-eol/
Refs: https://github.com/nodejs/Release/pull/752
Refs: https://github.com/nodejs/TSC/issues/1222
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2022-10-21 02:23:53 +00:00
RafaelGSS
9878c26561 2022-10-18, Version 19.0.0 (Current)
Notable Changes:

doc:
  * graduate webcrypto to stable (Filip Skokan) https://github.com/nodejs/node/pull/44897
esm:
  * remove specifier resolution flag (Geoffrey Booth) https://github.com/nodejs/node/pull/44859
http:
  * (SEMVER-MAJOR) use Keep-Alive by default in global agents (Paolo Insogna) https://github.com/nodejs/node/pull/43522
build:
  * (SEMVER-MAJOR) remove dtrace & etw support (Ben Noordhuis) https://github.com/nodejs/node/pull/43652
  * (SEMVER-MAJOR) remove systemtap support (Ben Noordhuis) https://github.com/nodejs/node/pull/43651
deps:
  * (SEMVER-MAJOR) deps: update V8 to 10.7.193.13 (Michaël Zasso) https://github.com/nodejs/node/pull/44741

Deprecation and Removals:

* deprecate url.parse() (Rich Trott) https://github.com/nodejs/node/pull/44919
* (SEMVER-MAJOR) runtime deprecate exports double slash maps (Guy Bedford) https://github.com/nodejs/node/pull/44495
* (SEMVER-MAJOR) runtime deprecate coercion to integer in `process.exit()` (Daeyeon Jeong) https://github.com/nodejs/node/pull/44711

Semver-Major Commits:

* [53f73d1cfe] - (SEMVER-MAJOR) build: enable V8's trap handler on Windows (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [06aaf8a1c4] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [aa3a572e6b] - (SEMVER-MAJOR) build: remove dtrace & etw support (Ben Noordhuis) https://github.com/nodejs/node/pull/43652
* [38f1e2793c] - (SEMVER-MAJOR) build: remove systemtap support (Ben Noordhuis) https://github.com/nodejs/node/pull/43651
* [2849283c4c] - (SEMVER-MAJOR) crypto: remove non-standard `webcrypto.Crypto.prototype.CryptoKey` (Antoine du Hamel) https://github.com/nodejs/node/pull/42083
* [a1653ac715] - (SEMVER-MAJOR) crypto: do not allow to call setFips from the worker thread (Sergey Petushkov) https://github.com/nodejs/node/pull/43624
* [fd36a8dadb] - (SEMVER-MAJOR) deps: update llhttp to 8.1.0 (Paolo Insogna) https://github.com/nodejs/node/pull/44967
* [89ecdddaab] - (SEMVER-MAJOR) deps: bump minimum ICU version to 71 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [66fe446efd] - (SEMVER-MAJOR) deps: V8: cherry-pick 0cccb6f27d78 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [88ed027d57] - (SEMVER-MAJOR) deps: V8: cherry-pick 7ddb8399f9f1 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [26c651c34e] - (SEMVER-MAJOR) deps: V8: cherry-pick 1b3a4f0c34a1 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [c8ff2dfd11] - (SEMVER-MAJOR) deps: V8: cherry-pick b161a0823165 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [7a8fa2d517] - (SEMVER-MAJOR) deps: fix V8 build on Windows with MSVC (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [83b0aaa800] - (SEMVER-MAJOR) deps: fix V8 build on SmartOS (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [7a952e8ea5] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [6bd756d7c6] - (SEMVER-MAJOR) deps: update V8 to 10.7.193.13 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [03fb789fb9] - (SEMVER-MAJOR) events: add null check for the signal of EventTarget (Masashi Hirano) https://github.com/nodejs/node/pull/43153
* [a4fa526ddc] - (SEMVER-MAJOR) fs: add directory autodetection to fsPromises.symlink() (Livia Medeiros) https://github.com/nodejs/node/pull/42894
* [bb4891d8d4] - (SEMVER-MAJOR) fs: add validateBuffer to improve error (Hirotaka Tagawa / wafuwafu13) https://github.com/nodejs/node/pull/44769
* [950a4411fa] - (SEMVER-MAJOR) fs: remove coercion to string in writing methods (Livia Medeiros) https://github.com/nodejs/node/pull/42796
* [41a6d82968] - (SEMVER-MAJOR) fs: harden fs.readSync(buffer, options) typecheck (LiviaMedeiros) https://github.com/nodejs/node/pull/42772
* [2275faac2b] - (SEMVER-MAJOR) fs: harden fs.read(params, callback) typecheck (LiviaMedeiros) https://github.com/nodejs/node/pull/42772
* [29953a0b88] - (SEMVER-MAJOR) fs: harden filehandle.read(params) typecheck (LiviaMedeiros) https://github.com/nodejs/node/pull/42772
* [4267b92604] - (SEMVER-MAJOR) http: use Keep-Alive by default in global agents (Paolo Insogna) https://github.com/nodejs/node/pull/43522
* [0324529e0f] - (SEMVER-MAJOR) inspector: introduce inspector/promises API (Erick Wendel) https://github.com/nodejs/node/pull/44250
* [80270994d6] - (SEMVER-MAJOR) lib: enable global CustomEvent by default (Daeyeon Jeong) https://github.com/nodejs/node/pull/44860
* [f529f73bd7] - (SEMVER-MAJOR) lib: brand check event handler property receivers (Chengzhong Wu) https://github.com/nodejs/node/pull/44483
* [6de2673a9f] - (SEMVER-MAJOR) lib: enable global WebCrypto by default (Antoine du Hamel) https://github.com/nodejs/node/pull/42083
* [73ba8830d5] - (SEMVER-MAJOR) lib: use private field in AbortController (Joyee Cheung) https://github.com/nodejs/node/pull/43820
* [7dd2f41c73] - (SEMVER-MAJOR) module: runtime deprecate exports double slash maps (Guy Bedford) https://github.com/nodejs/node/pull/44495
* [22c39b1ddd] - (SEMVER-MAJOR) path: the dot will be added(path.format) if it is not specified in `ext` (theanarkh) https://github.com/nodejs/node/pull/44349
* [587367d107] - (SEMVER-MAJOR) perf_hooks: expose webperf global scope interfaces (Chengzhong Wu) https://github.com/nodejs/node/pull/44483
* [364c0e196c] - (SEMVER-MAJOR) perf_hooks: fix webperf idlharness (Chengzhong Wu) https://github.com/nodejs/node/pull/44483
* [ada2d053ae] - (SEMVER-MAJOR) process: runtime deprecate coercion to integer in `process.exit()` (Daeyeon Jeong) https://github.com/nodejs/node/pull/44711
* [e0ab8dd637] - (SEMVER-MAJOR) process: make process.config read only (Sergey Petushkov) https://github.com/nodejs/node/pull/43627
* [481a959adb] - (SEMVER-MAJOR) readline: remove `question` method from `InterfaceConstructor` (Antoine du Hamel) https://github.com/nodejs/node/pull/44606
* [c9602ce212] - (SEMVER-MAJOR) src: use new v8::OOMErrorCallback API (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [19a70c11e4] - (SEMVER-MAJOR) src: override CreateJob instead of PostJob (Clemens Backes) https://github.com/nodejs/node/pull/44741
* [fd52c62bee] - (SEMVER-MAJOR) src: use V8_ENABLE_SANDBOX macro (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [c10988db44] - (SEMVER-MAJOR) src: use non-deprecated V8 inspector API (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [3efe901dd6] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 111 (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [77e585657f] - (SEMVER-MAJOR) src: turn embedder api overload into default argument (Alena Khineika) https://github.com/nodejs/node/pull/43629
* [dabda03ea9] - (SEMVER-MAJOR) src: per-environment time origin value (Chengzhong Wu) https://github.com/nodejs/node/pull/43781
* [2e49b99cc2] - (SEMVER-MAJOR) src,test: disable freezing V8 flags on initialization (Clemens Backes) https://github.com/nodejs/node/pull/44741
* [2b32985c62] - (SEMVER-MAJOR) stream: use null for the error argument (Luigi Pinca) https://github.com/nodejs/node/pull/44312
* [36805e8524] - (SEMVER-MAJOR) test: adapt test-repl for V8 update (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [96ef25793d] - (SEMVER-MAJOR) test: adapt test-repl-pretty-*stack to V8 changes (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [71c193e581] - (SEMVER-MAJOR) test: adapt to new JSON SyntaxError messages (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [b5f1564880] - (SEMVER-MAJOR) test: rename always-opt flag to always-turbofan (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [1acf0339dd] - (SEMVER-MAJOR) test: fix test-hash-seed for new V8 versions (Michaël Zasso) https://github.com/nodejs/node/pull/44741
* [57ff476c33] - (SEMVER-MAJOR) test: remove duplicate test (Luigi Pinca) https://github.com/nodejs/node/pull/44051
* [77def91bf9] - (SEMVER-MAJOR) tls,http2: send fatal alert on ALPN mismatch (Tobias Nießen) https://github.com/nodejs/node/pull/44031
* [4860ad99b9] - (SEMVER-MAJOR) tools: update V8 gypfiles for 10.7 (Michaël Zasso) https://github.com/nodejs/node/pull/44741

PR-URL: https://github.com/nodejs/node/pull/44626
Co-authored-by: Ruy Adorno <ruyadorno@google.com>
2022-10-18 11:17:48 -03:00
Danielle Adams
a7a672c68f
2022-10-13, Version 18.11.0 (Current)
watch mode (experimental):

Running in 'watch' mode using `node --watch` restarts the process when an
imported file is changed.

Contributed by Moshe Atlow in https://github.com/nodejs/node/pull/44366

Other notable changes:

* fs:
  * (SEMVER-MINOR) add `FileHandle.prototype.readLines` (Antoine du Hamel)
  https://github.com/nodejs/node/pull/42590
* http:
  * (SEMVER-MINOR) add writeEarlyHints function to ServerResponse (Wing)
  https://github.com/nodejs/node/pull/44180
* http2:
  * (SEMVER-MINOR) make early hints generic (Yagiz Nizipli) https://github.com/nodejs/node/pull/44820
* lib:
  * (SEMVER-MINOR) refactor transferable AbortSignal (flakey5) https://github.com/nodejs/node/pull/44048
* src:
  * (SEMVER-MINOR) add detailed embedder process initialization API (Anna
  Henningsen) https://github.com/nodejs/node/pull/44121
* util:
  * (SEMVER-MINOR) add default value option to parsearg (Manuel Spigolon)
  https://github.com/nodejs/node/pull/44631

PR-URL: https://github.com/nodejs/node/pull/44968
2022-10-13 17:12:13 -04:00
RafaelGSS
7b36855274 2022-09-28, Version 18.10.0 (Current)
Notable changes:

doc:
  * (SEMVER-MINOR) deprecate modp1, modp2, and modp5 groups (Tobias Nießen) <https://github.com/nodejs/node/pull/44588>
gyp:
  * libnode for ios app embedding (chexiongsheng) <https://github.com/nodejs/node/pull/44210>
http:
  * (SEMVER-MINOR) throw error on content-length mismatch (sidwebworks) (<https://github.com/nodejs/node/pull/44378>)
stream:
  * (SEMVER-MINOR) add `ReadableByteStream.tee()` (Daeyeon Jeong) (<https://github.com/nodejs/node/pull/44505>)

PR-URL: https://github.com/nodejs/node/pull/44799
2022-09-28 14:34:53 -03:00
RafaelGSS
7e0097d8a3 2022-09-23, Version 18.9.1 (Current)
This is a security release.

Notable changes:

* crypto: fix weak randomness in WebCrypto keygen (Ben Noordhuis) https://github.com/nodejs-private/node-private/pull/346
* deps: MacOS - fix location of OpenSSL config file (Michael Dawson) https://github.com/nodejs-private/node-private/pull/345
* http: disable chunked encoding when OBS fold is used (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/341
* src: fix IPv4 non routable validation (RafaelGSS) https://github.com/nodejs-private/node-private/pull/337

PR-URL: https://github.com/nodejs-private/node-private/pull/350
2022-09-23 12:37:45 -03:00
Ruy Adorno
d58a2fe6df 2022-09-23, Version 16.17.1 'Gallium' (LTS)
This is a security release.

Notable changes:

crypto:
  * fix weak randomness in WebCrypto keygen (Ben Noordhuis) https://github.com/nodejs-private/node-private/pull/346
http:
  * disable chunked encoding when using OBS fold is used (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/341
src:
  * fix IPv4 non routable validation (RafaelGSS) https://github.com/nodejs-private/node-private/pull/337

PR-URL: https://github.com/nodejs-private/node-private/pull/352
2022-09-23 12:37:42 -03:00
Bryan English
bf9b821d22 2022-09-23, Version 14.20.1 'Fermium' (LTS)
This is a security release.

Notable changes:

The following CVEs are fixed in this release:

* CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
* CVE-2022-32213: bypass via obs-fold mechanic (Medium)
* CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/348
2022-09-23 12:37:39 -03:00
RafaelGSS
fd277b283b 2022-09-08, Version v18.9.0 (Current)
Notable changes:

* doc:
  * add daeyeon to collaborators (Daeyeon Jeong) https://github.com/nodejs/node/pull/44355
* lib:
  * (SEMVER-MINOR) add diagnostics channel for process and worker (theanarkh) https://github.com/nodejs/node/pull/44045
* os:
  * (SEMVER-MINOR) add machine method (theanarkh) https://github.com/nodejs/node/pull/44416
* report:
  * (SEMVER-MINOR) expose report public native apis (Chengzhong Wu) https://github.com/nodejs/node/pull/44255
* src:
  * (SEMVER-MINOR) expose environment RequestInterrupt api (Chengzhong Wu) https://github.com/nodejs/node/pull/44362
* vm:
  * include vm context in the embedded snapshot (Joyee Cheung) https://github.com/nodejs/node/pull/44252

PR-URL: https://github.com/nodejs/node/pull/44521
2022-09-08 11:33:19 -03:00
Ruy Adorno
e7b51fbdaf
2022-08-24, Version 18.8.0 (Current)
Notable changes:

* bootstrap:
  * implement run-time user-land snapshots via --build-snapshot and
  --snapshot-blob (Joyee Cheung) in #38905
* crypto:
  * (SEMVER-MINOR) allow zero-length IKM in HKDF and in webcrypto PBKDF2
  (Filip Skokan) #44201
  * (SEMVER-MINOR) allow zero-length secret KeyObject
  (Filip Skokan) #44201
* deps:
  * upgrade npm to 8.18.0 (npm team) #44263 - Adds a new npm query cmd
* doc:
  * add Erick Wendel to collaborators (Erick Wendel) #44088
  * add theanarkh to collaborators (theanarkh) #44131
  * add MoLow to collaborators (Moshe Atlow) #44214
  * add cola119 to collaborators (cola119) #44248
  * deprecate --trace-atomics-wait (Keyhan Vakil) #44093
* http:
  * (SEMVER-MINOR) make idle http parser count configurable
  (theanarkh) #43974
* net:
  * (SEMVER-MINOR) add local family (theanarkh) #43975
* src:
  * (SEMVER-MINOR) print source map error source on demand
  (Chengzhong Wu) #43875
* tls:
  * (SEMVER-MINOR) pass a valid socket on tlsClientError
  (Daeyeon Jeong) #44021

PR-URL: https://github.com/nodejs/node/pull/44353
2022-08-24 11:56:01 -04:00
Michaël Zasso
5e5fb825fc
2022-08-16, Version 16.17.0 'Gallium' (LTS)
Notable changes:

Adds `util.parseArgs` helper for higher level command-line argument
parsing.
Contributed by Benjamin Coe, John Gee, Darcy Clarke, Joe Sepi,
Kevin Gibbons, Aaron Casanova, Jessica Nahulan, and Jordan Harband.
https://github.com/nodejs/node/pull/42675

Node.js ESM Loader hooks now support multiple custom loaders, and
composition is achieved via "chaining": `foo-loader` calls `bar-loader`
calls `qux-loader` (a custom loader _must_ now signal a short circuit
when intentionally not calling the next). See the ESM docs
(https://nodejs.org/dist/latest-v16.x/docs/api/esm.html) for details.
Contributed by Jacob Smith, Geoffrey Booth, and Bradley Farias.
https://github.com/nodejs/node/pull/42623

The `node:test` module, which was initially introduced in Node.js
v18.0.0, is now available with all the changes done to it up to Node.js
v18.7.0.

To better align Node.js' experimental implementation of the Web Crypto
API with other runtimes, several changes were made:
* Support for CFRG curves was added, with the `'Ed25519'`, `'Ed448'`,
  `'X25519'`, and `'X448'` algorithms.
* The proprietary `'NODE-DSA'`, `'NODE-DH'`, `'NODE-SCRYPT'`,
  `'NODE-ED25519'`, `'NODE-ED448'`, `'NODE-X25519'`, and `'NODE-X448'`
  algorithms were removed.
* The proprietary `'node.keyObject'` import/export format was removed.
Contributed by Filip Skokan.
https://github.com/nodejs/node/pull/42507
https://github.com/nodejs/node/pull/43310

Updated Corepack to 0.12.1 - https://github.com/nodejs/node/pull/43965
Updated ICU to 71.1 - https://github.com/nodejs/node/pull/42655
Updated npm to 8.15.0 - https://github.com/nodejs/node/pull/43917
Updated Undici to 5.8.0 - https://github.com/nodejs/node/pull/43886

(SEMVER-MINOR) crypto: make authTagLength optional for CC20P1305 (Tobias Nießen) https://github.com/nodejs/node/pull/42427
(SEMVER-MINOR) crypto: align webcrypto RSA key import/export with other implementations (Filip Skokan) https://github.com/nodejs/node/pull/42816
(SEMVER-MINOR) dns: export error code constants from `dns/promises` (Feng Yu) https://github.com/nodejs/node/pull/43176
doc: deprecate coercion to integer in process.exit (Daeyeon Jeong) https://github.com/nodejs/node/pull/43738
(SEMVER-MINOR) doc: deprecate diagnostics_channel object subscribe method (Stephen Belanger) https://github.com/nodejs/node/pull/42714
(SEMVER-MINOR) errors: add support for cause in aborterror (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) events: expose CustomEvent on global with CLI flag (Daeyeon Jeong) https://github.com/nodejs/node/pull/43885
(SEMVER-MINOR) events: add `CustomEvent` (Daeyeon Jeong) https://github.com/nodejs/node/pull/43514
(SEMVER-MINOR) events: propagate abortsignal reason in new AbortError ctor in events (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) fs: propagate abortsignal reason in new AbortSignal constructors (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) https://github.com/nodejs/node/pull/42601
(SEMVER-MINOR) fs: add `read(buffer[, options])` versions (LiviaMedeiros) https://github.com/nodejs/node/pull/42768
(SEMVER-MINOR) http: add drop request event for http server (theanarkh) https://github.com/nodejs/node/pull/43806
(SEMVER-MINOR) http: add diagnostics channel for http client (theanarkh) https://github.com/nodejs/node/pull/43580
(SEMVER-MINOR) http: add perf_hooks detail for http request and client (theanarkh) https://github.com/nodejs/node/pull/43361
(SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) https://github.com/nodejs/node/pull/41397
(SEMVER-MINOR) http2: propagate abortsignal reason in new AbortError constructor (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) http2: compat support for array headers (OneNail) https://github.com/nodejs/node/pull/42901
(SEMVER-MINOR) lib: propagate abortsignal reason in new AbortError constructor in blob (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) lib: add abortSignal.throwIfAborted() (James M Snell) https://github.com/nodejs/node/pull/40951
(SEMVER-MINOR) lib: improved diagnostics_channel subscribe/unsubscribe (Stephen Belanger) https://github.com/nodejs/node/pull/42714
(SEMVER-MINOR) module: add isBuiltIn method (hemanth.hm) https://github.com/nodejs/node/pull/43396
(SEMVER-MINOR) module,repl: support 'node:'-only core modules (Colin Ihrig) https://github.com/nodejs/node/pull/42325
(SEMVER-MINOR) net: add drop event for net server (theanarkh) https://github.com/nodejs/node/pull/43582
(SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) https://github.com/nodejs/node/pull/43112
(SEMVER-MINOR) node-api: emit uncaught-exception on unhandled tsfn callbacks (Chengzhong Wu) https://github.com/nodejs/node/pull/36510
(SEMVER-MINOR) perf_hooks: add PerformanceResourceTiming (RafaelGSS) https://github.com/nodejs/node/pull/42725
(SEMVER-MINOR) report: add more heap infos in process report (theanarkh) https://github.com/nodejs/node/pull/43116
(SEMVER-MINOR) src: add --openssl-legacy-provider option (Daniel Bevenius) https://github.com/nodejs/node/pull/40478
(SEMVER-MINOR) src: define fs.constants.S_IWUSR & S_IRUSR for Win (Liviu Ionescu) https://github.com/nodejs/node/pull/42757
(SEMVER-MINOR) src,doc,test: add --openssl-shared-config option (Daniel Bevenius) https://github.com/nodejs/node/pull/43124
(SEMVER-MINOR) stream: use cause options in AbortError constructors (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) stream: add iterator helper find (Nitzan Uziely) https://github.com/nodejs/node/pull/41849
(SEMVER-MINOR) stream: add writableAborted (Robert Nagy) https://github.com/nodejs/node/pull/40802
(SEMVER-MINOR) timers: propagate signal.reason in awaitable timers (James M Snell) https://github.com/nodejs/node/pull/41008
(SEMVER-MINOR) v8: add v8.startupSnapshot utils (Joyee Cheung) https://github.com/nodejs/node/pull/43329
(SEMVER-MINOR) v8: export more fields in getHeapStatistics (theanarkh) https://github.com/nodejs/node/pull/42784
(SEMVER-MINOR) worker: add hasRef() to MessagePort (Darshan Sen) https://github.com/nodejs/node/pull/42849

PR-URL: https://github.com/nodejs/node/pull/44098
2022-08-16 13:02:32 +02:00
Danielle Adams
09c8df033f
2022-07-26, Version 18.7.0 (Current)
Notable changes:

* doc:
  * add F3n67u to collaborators (Feng Yu) https://github.com/nodejs/node/pull/43953
  * deprecate coercion to integer in process.exit (Daeyeon Jeong)
  https://github.com/nodejs/node/pull/43738
  * (SEMVER-MINOR) deprecate diagnostics_channel object subscribe method
  (Stephen Belanger) https://github.com/nodejs/node/pull/42714
* events:
  * (SEMVER-MINOR) expose CustomEvent on global with CLI flag (Daeyeon
  Jeong) https://github.com/nodejs/node/pull/43885
  * (SEMVER-MINOR) add `CustomEvent` (Daeyeon Jeong) https://github.com/nodejs/node/pull/43514
* http:
  * (SEMVER-MINOR) add drop request event for http server (theanarkh)
  https://github.com/nodejs/node/pull/43806
* lib:
  * (SEMVER-MINOR) improved diagnostics_channel subscribe/unsubscribe
  (Stephen Belanger) https://github.com/nodejs/node/pull/42714
* util:
  * (SEMVER-MINOR) add tokens to parseArgs (John Gee) https://github.com/nodejs/node/pull/43459

PR-URL: https://github.com/nodejs/node/pull/43993
2022-07-26 18:15:12 -04:00
Michaël Zasso
d2fe72a4a2
2022-07-13, Version 18.6.0 (Current)
Notable changes:

- esm: add chaining to loaders

PR-URL: https://github.com/nodejs/node/pull/43789
2022-07-13 22:52:14 +02:00
RafaelGSS
5a62789b81
2022-07-07, Version 18.5.0 (Current)
This is a security release.

Notable changes:

* (SEMVER-MAJOR) src,deps,build,test: add OpenSSL config appname (Daniel Bevenius) https://github.com/nodejs/node/pull/43124
* (SEMVER-MAJOR) src,doc,test: add --openssl-shared-config option (Daniel Bevenius) https://github.com/nodejs/node/pull/43124
* update archs files for quictls/openssl-3.0.5+quic (RafaelGSS) https://github.com/nodejs/node/pull/43693
* upgrade openssl sources to quictls/openssl-3.0.5+quic (RafaelGSS) https://github.com/nodejs/node/pull/43693

PR-URL: https://github.com/nodejs-private/node-private/pull/329
2022-07-07 09:59:35 -04:00
Danielle Adams
614436a2db
2022-07-07, Version 16.16.0 'Gallium' (LTS)
This is a security release.

Notable changes:

* deps:
  * upgrade openssl sources to OpenSSL\_1\_1\_1q (RafaelGSS) https://github.com/nodejs/node/pull/43692
* src:
  * add OpenSSL config appname (Daniel Bevenius) https://github.com/nodejs/node/pull/43124

PR-URL: https://github.com/nodejs-private/node-private/pull/331
2022-07-07 09:57:41 -04:00
Juan José Arboleda
dc4678f63d
2022-07-07, Version 14.20.0 'Fermium' (LTS)
This is a security release.

Notable changes:

* (SEMVER-MAJOR) src,deps,build,test: add OpenSSL config appname (Daniel Bevenius) https://github.com/nodejs/node/pull/43124
* deps: upgrade openssl sources to 1.1.1q (RafaelGSS) https://github.com/nodejs/node/pull/43686

PR-URL: https://github.com/nodejs-private/node-private/pull/332
2022-07-07 09:54:23 -04:00
Danielle Adams
f50a80c8e1
2022-06-16, Version 18.4.0 (Current)
Notable changes:

* crypto:
  * remove Node.js-specific webcrypto extensions (Filip Skokan) https://github.com/nodejs/node/pull/43310
  * add CFRG curves to Web Crypto API (Filip Skokan) https://github.com/nodejs/node/pull/42507
* dns:
  * accept `'IPv4'` and `'IPv6'` for `family` (Antoine du Hamel) https://github.com/nodejs/node/pull/43054
* report:
  * add more heap infos in process report (theanarkh) https://github.com/nodejs/node/pull/43116

PR-URL: https://github.com/nodejs/node/pull/43385
2022-06-16 09:45:05 -04:00
Bryan English
55f56efbac 2022-06-01, Version 18.3.0 (Current)
Notable changes:

* deps: update undici to 5.4.0  (Node.js GitHub Bot) https://github.com/nodejs/node/pull/43262
* (SEMVER-MINOR) util: add parseArgs module (Benjamin Coe) https://github.com/nodejs/node/pull/42675
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) https://github.com/nodejs/node/pull/41397
* deps: upgrade npm to 8.11.0 (npm team) https://github.com/nodejs/node/pull/43210
* deps: patch V8 to 10.2.154.4 (Michaël Zasso) https://github.com/nodejs/node/pull/43067
* (SEMVER-MINOR) deps: update V8 to 10.2.154.2 (Michaël Zasso) https://github.com/nodejs/node/pull/42740
* (SEMVER-MINOR) fs: make params in writing methods optional (LiviaMedeiros) https://github.com/nodejs/node/pull/42601
* (SEMVER-MINOR) http: add uniqueHeaders option to request and createServer (Paolo Insogna) https://github.com/nodejs/node/pull/41397
* (SEMVER-MINOR) net: add ability to reset a tcp socket (pupilTong) https://github.com/nodejs/node/pull/43112
* (SEMVER-MINOR) Revert "build: make x86 Windows support temporarily experimental" (Michaël Zasso) [#42740](https://github.com/nodejs/node/pull/42740)
  * This means 32-bit Windows binaries are back with this release.

PR-URL: https://github.com/nodejs/node/pull/43266
2022-06-01 23:19:53 -04:00
Ruy Adorno
b984017899
2022-06-01, Version 17.9.1 (Current)
Notable changes:

* Upgrade npm to 8.11.0
* Update to OpenSSL 3.0.3

PR-URL: https://github.com/nodejs/node/pull/43256
2022-06-01 20:35:21 -04:00
Juan José Arboleda
18d3c33f3a 2022-06-01, Version 16.15.1 'Gallium' (LTS)
Notable changes:

- deps: upgrade npm to 8.11.0 (<npm-cli+bot@github.com>) https://github.com/nodejs/node/pull/43210
- doc:
  - add release key for RafaelGSS (Rafael Gonzaga) https://github.com/nodejs/node/pull/43131
  - add release key for Juan Arboleda (Juan José) https://github.com/nodejs/node/pull/42961

PR-URL: https://github.com/nodejs/node/pull/43272
2022-06-01 18:16:27 -05:00
Richard Lau
70069b21a2
2022-05-17, Version 14.19.3 'Fermium' (LTS)
Notable changes:
- This release updates OpenSSL to 1.1.1o. This update is not being
treated as a security release as the issues addressed in OpenSSL 1.1.1o
were assessed to not affect Node.js 14. See
https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022/
for more information on how the May 2022 OpenSSL releases affects other
Node.js release lines.
- The list of GPG keys used to sign releases has been synchronized with
the main branch.

PR-URL: https://github.com/nodejs/node/pull/43075
2022-05-17 14:36:58 -04:00
RafaelGSS
2bc1991423 2022-05-17, Version 18.2.0 (Current)
Notable changes:

OpenSSL 3.0.3

This update can be treated as a security release as the issues addressed
in OpenSSL 3.0.3 slightly affect Node.js 18. See https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022/
for more information on how the May 2022 OpenSSL releases affect other
Node.js release lines.

- deps: update archs files for quictls/openssl-3.0.3+quic
  (RafaelGSS) https://github.com/nodejs/node/pull/43022
- deps: upgrade openssl sources to quictls/openssl-3.0.3
  (RafaelGSS) https://github.com/nodejs/node/pull/43022

Other notable changes:

- _Revert_ "deps: add template for generated headers"
  (Daniel Bevenius) https://github.com/nodejs/node/pull/42978
- deps: update undici to 5.2.0
  (Node.js GitHub Bot) https://github.com/nodejs/node/pull/43059
- deps: upgrade npm to 8.9.0
  (npm team) https://github.com/nodejs/node/pull/42968
- (SEMVER-MINOR) fs: add `read(buffer[, options])` versions
  (LiviaMedeiros) https://github.com/nodejs/node/pull/42768
- (SEMVER-MINOR) http: added connection closing methods
  (Shogun) https://github.com/nodejs/node/pull/42812
- doc: add LiviaMedeiros to collaborators
  (LiviaMedeiros) https://github.com/nodejs/node/pull/43039
- doc: add release key for Juan Arboleda
  (Juan José) https://github.com/nodejs/node/pull/42961
- (SEMVER-MINOR) fs: add `read(buffer[, options])` versions
  (LiviaMedeiros) https://github.com/nodejs/node/pull/42768
- (SEMVER-MINOR) http: added connection closing methods
  (Paolo Insogna) https://github.com/nodejs/node/pull/42812
- (SEMVER-MINOR) perf_hooks: add PerformanceResourceTiming
  (RafaelGSS) https://github.com/nodejs/node/pull/42725

PR-URL: https://github.com/nodejs/node/pull/43036
2022-05-17 12:34:36 -03:00
Juan José Arboleda
755721a80c
2022-05-04, Version 14.19.2 'Fermium' (LTS)
Notable Changes

doc:

* New release key for Bryan English

Learn more at: https://github.com/nodejs/node/pull/42102
Contributed by Bryan English (bengl)

npm:

* Upgrade `npm` to `v6.14.17`.

Learn more at: https://github.com/nodejs/node/pull/42900
Contributed by Ruy Adorno (ruyadorno)

V8:

* V8 had a stack overflow issue affecting the `vm` module,
cherry-picking `cc9a8a37445e`
(cc9a8a3744)
from V8 solves this issue.

Learn more at: https://github.com/nodejs/node/pull/41826
Contributed by Gus Caplan (devsnek)

* Using `getHeapSnapshot()` was causing a Node.js crash due a V8 issue,
this is fixed by backporting `367b0c1e7a32`
(367b0c1e7a)
from V8.

Learn more at: https://github.com/nodejs/node/pull/42637
Contributed by Chengzhong Wu (legendecas)

PR-URL: https://github.com/nodejs/node/pull/42899
2022-05-04 12:05:24 -05:00
Michaël Zasso
6ebe5a4ff0
2022-05-03, Version 18.1.0 (Current)
Notable changes:

doc:
  * add @kuriyosh to collaborators (Yoshiki Kurihara) https://github.com/nodejs/node/pull/42824
lib,src:
  * (SEMVER-MINOR) implement WebAssembly Web API (Tobias Nießen) https://github.com/nodejs/node/pull/42701
test_runner:
  * (SEMVER-MINOR) add initial CLI runner (Colin Ihrig) https://github.com/nodejs/node/pull/42658
worker:
  * (SEMVER-MINOR) add hasRef() to MessagePort (Darshan Sen) https://github.com/nodejs/node/pull/42849

PR-URL: https://github.com/nodejs/node/pull/42943
2022-05-03 13:53:19 +02:00
Danielle Adams
3120691b35
2022-04-26, Version 16.15.0 'Gallium' (LTS)
Notable changes:

Add fetch API

Adds experimental support to the fetch API. This adds the `--experimental-fetch`
flag that installs the `fetch`, `Request`, `Response`, `Headers`, and `FormData`
globals.

* (SEMVER-MINOR) add fetch (Michaël Zasso) https://github.com/nodejs/node/pull/41749
* (SEMVER-MINOR) add FormData global when fetch is enabled (Michaël Zasso) https://github.com/nodejs/node/pull/41956

Other notable changes

* build:
  * remove broken x32 arch support (Ben Noordhuis) https://github.com/nodejs/node/pull/41905
* crypto:
  * (SEMVER-MINOR) add KeyObject.prototype.equals method (Filip Skokan) https://github.com/nodejs/node/pull/42093
* doc:
  * add @ShogunPanda to collaborators (Paolo Insogna) https://github.com/nodejs/node/pull/42362
  * add JakobJingleheimer to collaborators list (Jacob Smith) https://github.com/nodejs/node/pull/42185
  * add joesepi to collaborators (Joe Sepi) https://github.com/nodejs/node/pull/41914
  * add marsonya to collaborators (Akhil Marsonya) https://github.com/nodejs/node/pull/41991
  * deprecate string coercion in `fs.write`, `fs.writeFileSync` (Livia
    Medeiros) https://github.com/nodejs/node/pull/42149
  * deprecate notice for process methods (Yash Ladha) https://github.com/nodejs/node/pull/41587
* esm:
  * (SEMVER-MINOR) support https remotely and http locally under flag
    (Bradley Farias) https://github.com/nodejs/node/pull/36328
* module:
  * (SEMVER-MINOR) unflag esm json modules (Geoffrey Booth) https://github.com/nodejs/node/pull/41736
* node-api:
  * (SEMVER-MINOR) add node_api_symbol_for() (Darshan Sen) https://github.com/nodejs/node/pull/41329
* process:
  * deprecate multipleResolves (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41872
* stream:
  * (SEMVER-MINOR) support some and every (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41573
  * (SEMVER-MINOR) add toArray (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41553
  * (SEMVER-MINOR) add forEach method (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41445

PR-URL: https://github.com/nodejs/node/pull/42847
2022-04-26 21:00:36 -04:00
Beth Griggs
77373aa5d6
2022-04-19, Version 18.0.0 (Current)
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (https://github.com/nodejs/node/pull/42607)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/41896)
- (SEMVER-MAJOR) stream: remove thenable support (Robert Nagy)
  (https://github.com/nodejs/node/pull/40773)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (https://github.com/nodejs/node/pull/41479)

fetch (experimental):

An experimental fetch API is available on the global scope by default.
The implementation is based upon https://undici.nodejs.org/#/,
an HTTP/1.1 client written for Node.js by contributors to the project.

Through this addition, the following globals are made available: `fetch`
, `FormData`, `Headers`, `Request`, `Response`.

Disable this API with the `--no-experimental-fetch` command-line flag.

Contributed by Michaël Zasso in https://github.com/nodejs/node/pull/41811.

HTTP Timeouts:

`server.headersTimeout`, which limits the amount of time the parser will
wait to receive the complete HTTP headers, is now set to `60000` (60
seconds) by default.

`server.requestTimeout`, which sets the timeout value in milliseconds
for receiving the entire request from the client, is now set to `300000`
(5 minutes) by default.

If these timeouts expire, the server responds with status 408 without
forwarding the request to the request listener and then closes the
connection.

Both timeouts must be set to a non-zero value to protect against
potential Denial-of-Service attacks in case the server is deployed
without a reverse proxy in front.

Contributed by Paolo Insogna in https://github.com/nodejs/node/pull/41263.

Test Runner module (experimental):

The `node:test` module facilitates the creation of JavaScript tests that
report results in TAP format. This module is only available under the
`node:` scheme.

Contributed by Colin Ihrig in https://github.com/nodejs/node/pull/42325.

Toolchain and Compiler Upgrades:

- Prebuilt binaries for Linux are now built on Red Hat Enterprise Linux
  (RHEL) 8 and are compatible with Linux distributions based on glibc
  2.28 or later, for example, Debian 10, RHEL 8, Ubuntu 20.04.
- Prebuilt binaries for macOS now require macOS 10.15 or later.
- For AIX the minimum supported architecture has been raised from Power
  7 to Power 8.

Prebuilt binaries for 32-bit Windows will initially not be available due
to issues building the V8 dependency in Node.js. We hope to restore
32-bit Windows binaries for Node.js 18 with a future V8 update.

Node.js does not support running on operating systems that are no longer
supported by their vendor. For operating systems where their vendor has
planned to end support earlier than April 2025, such as Windows 8.1
(January 2023) and Windows Server 2012 R2 (October 2023), support for
Node.js 18 will end at the earlier date.

Full details about the supported toolchains and compilers are documented
in the Node.js `BUILDING.md` file.

Contributed by Richard Lau in https://github.com/nodejs/node/pull/42292,
https://github.com/nodejs/node/pull/42604 and https://github.com/nodejs/node/pull/42659
, and Michaël Zasso in https://github.com/nodejs/node/pull/42105 and
https://github.com/nodejs/node/pull/42666.

V8 10.1:

The V8 engine is updated to version 10.1, which is part of Chromium 101.
Compared to the version included in Node.js 17.9.0, the following new
features are included:

- The `findLast` and `findLastIndex` array methods.
- Improvements to the `Intl.Locale` API.
- The `Intl.supportedValuesOf` function.
- Improved performance of class fields and private class methods (the
  initialization of them is now as fast as ordinary property stores).

The data format returned by the serialization API (`v8.serialize(value)`)
has changed, and cannot be deserialized by earlier versions of Node.js.
On the other hand, it is still possible to deserialize the previous
format, as the API is backwards-compatible.

Contributed by Michaël Zasso in https://github.com/nodejs/node/pull/42657.

Web Streams API (experimental):

Node.js now exposes the experimental implementation of the Web Streams
API on the global scope. This means the following APIs are now globally
available:

- `ReadableStream`, `ReadableStreamDefaultReader`,
`ReadableStreamBYOBReader`, `ReadableStreamBYOBRequest`,
`ReadableByteStreamController`, `ReadableStreamDefaultController`,
`TransformStream`, `TransformStreamDefaultController`, `WritableStream`,
`WritableStreamDefaultWriter`, `WritableStreamDefaultController`,
`ByteLengthQueuingStrategy`, `CountQueuingStrategy`, `TextEncoderStream`,
`TextDecoderStream`, `CompressionStream`, `DecompressionStream`.

Contributed James Snell in https://github.com/nodejs/node/pull/39062,
and Antoine du Hamel in https://github.com/nodejs/node/pull/42225.

Other Notable Changes:

- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (https://github.com/nodejs/node/pull/41270)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (https://github.com/nodejs/node/pull/41305)
- doc: add RafaelGSS to collaborators
  (RafaelGSS) (https://github.com/nodejs/node/pull/42718)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (https://github.com/nodejs/node/pull/42163)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (https://github.com/nodejs/node/pull/41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (https://github.com/nodejs/node/pull/41271)

Semver-Major Commits:

- (SEMVER-MAJOR) assert,util: compare RegExp.lastIndex while using deep
  equal checks
  (Ruben Bridgewater) (https://github.com/nodejs/node/pull/41020)
- (SEMVER-MAJOR) buffer: refactor `byteLength` to remove outdated
  optimizations
  (Rongjian Zhang) (https://github.com/nodejs/node/pull/38545)
- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (https://github.com/nodejs/node/pull/41270)
- (SEMVER-MAJOR) buffer: graduate Blob from experimental
  (James M Snell) (https://github.com/nodejs/node/pull/41270)
- (SEMVER-MAJOR) build: make x86 Windows support temporarily
  experimental
  (Michaël Zasso) (https://github.com/nodejs/node/pull/42666)
- (SEMVER-MAJOR) build: bump macOS deployment target to 10.15
  (Richard Lau) (https://github.com/nodejs/node/pull/42292)
- (SEMVER-MAJOR) build: downgrade Windows 8.1 and server 2012 R2 to
  experimental
  (Michaël Zasso) (https://github.com/nodejs/node/pull/42105)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (https://github.com/nodejs/node/pull/41305)
- (SEMVER-MAJOR) cluster: make `kill` to be just `process.kill`
  (Bar Admoni) (https://github.com/nodejs/node/pull/34312)
- (SEMVER-MAJOR) crypto: cleanup validation
  (Mohammed Keyvanzadeh) (https://github.com/nodejs/node/pull/39841)
- (SEMVER-MAJOR) crypto: prettify othername in PrintGeneralName
  (Tobias Nießen) (https://github.com/nodejs/node/pull/42123)
- (SEMVER-MAJOR) crypto: fix X509Certificate toLegacyObject
  (Tobias Nießen) (https://github.com/nodejs/node/pull/42124)
- (SEMVER-MAJOR) crypto: use RFC2253 format in PrintGeneralName
  (Tobias Nießen) (https://github.com/nodejs/node/pull/42002)
- (SEMVER-MAJOR) crypto: change default check(Host|Email) behavior
  (Tobias Nießen) (https://github.com/nodejs/node/pull/41600)
- (SEMVER-MAJOR) deps: V8: cherry-pick semver-major commits from 10.2
  (Michaël Zasso) (https://github.com/nodejs/node/pull/42657)
- (SEMVER-MAJOR) deps: update V8 to 10.1.124.6
  (Michaël Zasso) (https://github.com/nodejs/node/pull/42657)
- (SEMVER-MAJOR) deps: update V8 to 9.8.177.9
  (Michaël Zasso) (https://github.com/nodejs/node/pull/41610)
- (SEMVER-MAJOR) deps: update V8 to 9.7.106.18
  (Michaël Zasso) (https://github.com/nodejs/node/pull/40907)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) doc: update minimum glibc requirements for Linux
  (Richard Lau) (https://github.com/nodejs/node/pull/42659)
- (SEMVER-MAJOR) doc: update AIX minimum supported arch
  (Richard Lau) (https://github.com/nodejs/node/pull/42604)
- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (https://github.com/nodejs/node/pull/42607)
- (SEMVER-MAJOR) http: refactor headersTimeout and requestTimeout logic
  (Paolo Insogna) (https://github.com/nodejs/node/pull/41263)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (https://github.com/nodejs/node/pull/42163)
- (SEMVER-MAJOR) lib: enable fetch by default
  (Michaël Zasso) (https://github.com/nodejs/node/pull/41811)
- (SEMVER-MAJOR) lib: replace validator and error
  (Mohammed Keyvanzadeh) (https://github.com/nodejs/node/pull/41678)
- (SEMVER-MAJOR) module,repl: support 'node:'-only core modules
  (Colin Ihrig) (https://github.com/nodejs/node/pull/42325)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) process: disallow some uses of Object.defineProperty()
  on process.env
  (Himself65) (https://github.com/nodejs/node/pull/28006)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/41896)
- (SEMVER-MAJOR) readline: fix question still called after closed
  (Xuguang Mei) (https://github.com/nodejs/node/pull/42464)
- (SEMVER-MAJOR) stream: remove thenable support
  (Robert Nagy) (https://github.com/nodejs/node/pull/40773)
- (SEMVER-MAJOR) stream: expose web streams globals, remove runtime
  experimental warning
  (Antoine du Hamel) (https://github.com/nodejs/node/pull/42225)
- (SEMVER-MAJOR) stream: need to cleanup event listeners if last stream
  is readable
  (Xuguang Mei) (https://github.com/nodejs/node/pull/41954)
- (SEMVER-MAJOR) stream: revert revert `map` spec compliance
  (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/41933)
- (SEMVER-MAJOR) stream: throw invalid arg type from End Of Stream
  (Jithil P Ponnan) (https://github.com/nodejs/node/pull/41766)
- (SEMVER-MAJOR) stream: don't emit finish after destroy
  (Robert Nagy) (https://github.com/nodejs/node/pull/40852)
- (SEMVER-MAJOR) stream: add errored and closed props
  (Robert Nagy) (https://github.com/nodejs/node/pull/40696)
- (SEMVER-MAJOR) test: add initial test module
  (Colin Ihrig) (https://github.com/nodejs/node/pull/42325)
- (SEMVER-MAJOR) timers: refactor internal classes to ES2015 syntax
  (Rabbit) (https://github.com/nodejs/node/pull/37408)
- (SEMVER-MAJOR) tls: represent registeredID numerically always
  (Tobias Nießen) (https://github.com/nodejs/node/pull/41561)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (https://github.com/nodejs/node/pull/41479)
- (SEMVER-MAJOR) url: throw on NULL in IPv6 hostname
  (Rich Trott) (https://github.com/nodejs/node/pull/42313)
- (SEMVER-MAJOR) v8: make v8.writeHeapSnapshot() error codes consistent
  (Darshan Sen) (https://github.com/nodejs/node/pull/42577)
- (SEMVER-MAJOR) v8: make writeHeapSnapshot throw if fopen fails
  (Antonio Román) (https://github.com/nodejs/node/pull/41373)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (https://github.com/nodejs/node/pull/41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (https://github.com/nodejs/node/pull/41271)

PR-URL: https://github.com/nodejs/node/pull/42262
2022-04-19 16:27:11 +01:00
Richard Lau
3f526c1ec9
2022-04-05, Version 12.22.12 'Erbium' (LTS)
Notable changes:

This is planned to be the final Node.js 12 release. Node.js 12 will
reach End-of-Life status on 30 April 2022, after which it will no
receive updates. You are strongly advised to migrate your applications
to Node.js 16 or 14 (both of which are Long Term Support (LTS) releases)
to continue to receive future security updates beyond 30 April 2022.

This release fixes a shutdown crash in Node-API (formerly N-API) and a
potential stack overflow when using `vm.runInNewContext()`.

The list of GPG keys used to sign releases and instructions on how to
fetch the keys for verifying binaries has been synchronized with the
main branch.

PR-URL: https://github.com/nodejs/node/pull/42531
2022-04-05 08:15:00 -04:00
Bryan English
3579f6d044 2022-03-22, Version 17.8.0 (Current)
Notable changes:

doc:
  * add @ShogunPanda to collaborators (Shogun) https://github.com/nodejs/node/pull/42362
  * deprecate string coercion in `fs.write`, `fs.writeFileSync` (Livia Medeiros) https://github.com/nodejs/node/pull/42149
http:
  * (SEMVER-MINOR) trace http client by perf_hooks (theanarkh) https://github.com/nodejs/node/pull/42345
deps:
  * upgrade npm to 8.5.5 (npm team) https://github.com/nodejs/node/pull/42382
  * update undici to 4.15.1 (Michaël Zasso) https://github.com/nodejs/node/pull/42246

PR-URL: https://github.com/nodejs/node/pull/42425
2022-03-22 10:34:05 -04:00
Richard Lau
a66b9cabc8
2022-03-17, Version 17.7.2 (Current)
This is a security release.

Notable changes:

Update to OpenSSL 3.0.2, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

PR-URL: https://github.com/nodejs/node/pull/42381
2022-03-17 21:02:01 -04:00
Richard Lau
c7173ede3f
2022-03-17, Version 16.14.2 'Gallium' (LTS)
This is a security release.

Notable changes:

Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

PR-URL: https://github.com/nodejs/node/pull/42385
2022-03-17 20:53:43 -04:00
Richard Lau
b1174f3e9b
2022-03-17, Version 14.19.1 'Fermium' (LTS)
This is a security release.

Notable changes:

Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

PR-URL: https://github.com/nodejs/node/pull/42371
2022-03-17 19:34:25 -04:00
Richard Lau
aead813234
2022-03-17, Version 12.22.11 'Erbium' (LTS)
This is a security release.

Notable changes:

Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
  More details are available at https://www.openssl.org/news/secadv/20220315.txt

Fix for building Node.js 12.x with Visual Studio 2019 to allow us to continue to
run CI tests.

PR-URL: https://github.com/nodejs/node/pull/42363
2022-03-17 19:23:23 -04:00
Danielle Adams
4586ac49f2
2022-03-15, Version 16.14.1 'Gallium' (LTS)
Notable changes:

* doc:
  * add release key for Bryan English (Bryan English) https://github.com/nodejs/node/pull/42102

PR-URL: https://github.com/nodejs/node/pull/42200
2022-03-15 22:31:35 -04:00
Stewart X Addison
3f466d8901
2022-03-10, Version 17.7.1 (Current)
Notable changes:

Fixed regression in url.resolve()

This release fixes an issue introduced in Node.js v17.7.0 with some URLs
that contain `@`. This issue affected yarn 1. This version reverts the
change that introduced the regression.

PR-URL: https://github.com/nodejs/node/pull/42285
2022-03-10 20:19:55 +00:00
Stewart X Addison
72c0c4b09b
2022-03-09, Version 17.7.0 (Current)
Notable changes:

* (SEMVER-MINOR) crypto: add KeyObject.prototype.equals method (Filip Skokan) https://github.com/nodejs/node/pull/42093
* (SEMVER-MINOR) net: add new options to net.Socket and net.Server (Paolo Insogna) https://github.com/nodejs/node/pull/41310
* (SEMVER-MINOR) src: allow preventing InitializeInspector in env (Shelley Vohr) https://github.com/nodejs/node/pull/35025
* doc: add release key for Bryan English (Bryan English) https://github.com/nodejs/node/pull/42102

Dependency Updates:

* deps: update nghttp2 to 1.47.0 (Yash Ladha) https://github.com/nodejs/node/pull/42127
* deps: upgrade npm to 8.5.2 (npm team) https://github.com/nodejs/node/pull/42122

New Collaborators:

* doc: add JakobJingleheimer to collaborators list (Jacob Smith) https://github.com/nodejs/node/pull/42185
* doc: move bnoordhuis back to collaborators (Ben Noordhuis) https://github.com/nodejs/node/pull/42064

PR-URL: https://github.com/nodejs/node/pull/42254
2022-03-09 17:47:02 +00:00
Bryan English
175638b7a4 2022-02-22, Version 17.6.0 (Current)
Notable changes:

- doc: deprecate notice for process methods (Yash Ladha) https://github.com/nodejs/node/pull/41587
- stream: revert `map` spec compliance (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41931
- build: remove broken x32 arch support (Ben Noordhuis) https://github.com/nodejs/node/pull/41905
- (SEMVER-MINOR) esm: support https remotely and http locally under flag (Bradley Farias) https://github.com/nodejs/node/pull/36328
- (SEMVER-MINOR) fs: support copy of relative links with cp and cpSync (Marcos Bjoerkelund) https://github.com/nodejs/node/pull/41819
- (SEMVER-MINOR) lib: add FormData global when fetch is enabled (Michaël Zasso) https://github.com/nodejs/node/pull/41956
- (SEMVER-MINOR) readline: bind keystroke `ctrl`+`6` to redo (Ray) https://github.com/nodejs/node/pull/41662
- process: deprecate multipleResolves (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41872
  - Documentation-only.

Dependency updates:

- deps: upgrade npm to 8.5.1 (npm-robot) https://github.com/nodejs/node/pull/42039
- deps: update undici to 3e267ece5f (Michaël Zasso) https://github.com/nodejs/node/pull/41955
- deps: upgrade npm to 8.5.0 (npm-robot) https://github.com/nodejs/node/pull/41925

New collaborators:

- doc: add marsonya to collaborators (Akhil Marsonya) https://github.com/nodejs/node/pull/41991
- doc: add joesepi to collaborators (Joe Sepi) https://github.com/nodejs/node/pull/41914

PR-URL: https://github.com/nodejs/node/pull/42072
2022-02-22 17:31:17 -08:00
Ruy Adorno
36dadfa382
2022-02-10, Version 17.5.0 (Current)
Notable changes:

lib:
  * (SEMVER-MINOR) add fetch (Michaël Zasso) https://github.com/nodejs/node/pull/41749
module:
  * unflag esm json modules (Geoffrey Booth) https://github.com/nodejs/node/pull/41736
node-api:
  * (SEMVER-MINOR) add node_api_symbol_for() (Darshan Sen) https://github.com/nodejs/node/pull/41329
stream:
  * (SEMVER-MINOR) add iterator helper find (linkgoron) https://github.com/nodejs/node/pull/41849
  * (SEMVER-MINOR) add toArray (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41553
  * (SEMVER-MINOR) add forEach method (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41445
  * (SEMVER-MINOR) support some and every (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41573
deps:
  * upgrade npm to 8.4.1 (npm team) [#41836](https://github.com/nodejs/node/pull/41836)

PR-URL: https://github.com/nodejs/node/pull/41897
2022-02-10 13:23:49 -05:00
Danielle Adams
2455b26fdb
2022-02-08, Version 16.14.0 'Gallium' (LTS)
Notable changes:

Importing JSON modules now requires experimental import assertions
syntax

This release adds experimental support for the import assertions stage 3
proposal.

To keep Node.js ESM implementation as compatible as possible with the
HTML spec, import assertions are now required to import JSON modules
(still behind the `--experimental-json-modules` CLI flag):

```mjs
import info from './package.json' assert { type: 'json' };
```

Or use dynamic import:

```mjs
const info = await import('./package.json', {
  assert: { type: 'json' }
});
```

Contributed by Antoine du Hamel and Geoffrey Booth https://github.com/nodejs/node/pull/40250

Other notable changes:

* async_hooks:
  * (SEMVER-MINOR) expose async_wrap providers (Rafael Gonzaga) https://github.com/nodejs/node/pull/40760
* child_process:
  * (SEMVER-MINOR) add support for URL to `cp.fork` (Antoine du Hamel) https://github.com/nodejs/node/pull/41225
* doc:
  * add @Mesteery to collaborators (Mestery) https://github.com/nodejs/node/pull/41543
  * add @bnb as a collaborator (Tierney Cyren) https://github.com/nodejs/node/pull/41100
* esm:
  * (SEMVER-MINOR) graduate capturerejections to supported (James M Snell) https://github.com/nodejs/node/pull/41267
  * (SEMVER-MINOR) add EventEmitterAsyncResource to core (James M Snell) https://github.com/nodejs/node/pull/41246
* events:
  * (SEMVER-MINOR) propagate weak option for kNewListener (James M Snell) https://github.com/nodejs/node/pull/40899
* fs:
  * (SEMVER-MINOR) accept URL as argument for `fs.rm` and `fs.rmSync` (Antoine du Hamel) https://github.com/nodejs/node/pull/41132
* lib:
  * (SEMVER-MINOR) make AbortSignal cloneable/transferable (James M Snell) https://github.com/nodejs/node/pull/41050
  * (SEMVER-MINOR) add AbortSignal.timeout (James M Snell) https://github.com/nodejs/node/pull/40899
  * (SEMVER-MINOR) add reason to AbortSignal (James M Snell) https://github.com/nodejs/node/pull/40807
  * (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
  * (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
* loader:
  * (SEMVER-MINOR) return package format from defaultResolve if known (Gabriel Bota) https://github.com/nodejs/node/pull/40980
* perf_hooks:
  * (SEMVER-MINOR) multiple fixes for Histogram (James M Snell) https://github.com/nodejs/node/pull/41153
* process:
  * (SEMVER-MINOR) add `getActiveResourcesInfo()` (Darshan Sen) https://github.com/nodejs/node/pull/40813
* src:
  * (SEMVER-MINOR) add x509.fingerprint512 to crypto module (3nprob) https://github.com/nodejs/node/pull/39809
  * (SEMVER-MINOR) add flags for controlling process behavior (Cheng Zhao) https://github.com/nodejs/node/pull/40339
* stream:
  * (SEMVER-MINOR) add filter method to readable (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41354
  * (SEMVER-MINOR) add isReadable helper (Robert Nagy) https://github.com/nodejs/node/pull/41199
  * (SEMVER-MINOR) add map method to Readable (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/40815
  * deprecate thenable support (Antoine du Hamel) https://github.com/nodejs/node/pull/40860
* util:
  * (SEMVER-MINOR) pass through the inspect function to custom inspect functions (Ruben Bridgewater) https://github.com/nodejs/node/pull/41019
  * (SEMVER-MINOR) add numericSeparator to util.inspect (Ruben Bridgewater) https://github.com/nodejs/node/pull/41003
  * (SEMVER-MINOR) always visualize cause property in errors during inspection (Ruben Bridgewater) https://github.com/nodejs/node/pull/41002
* timers:
  * (SEMVER-MINOR) add experimental scheduler api (James M Snell) https://github.com/nodejs/node/pull/40909
* v8:
  * (SEMVER-MINOR) multi-tenant promise hook api (Stephen Belanger) https://github.com/nodejs/node/pull/39283

PR-URL: https://github.com/nodejs/node/pull/41804
2022-02-08 14:28:28 -05:00
Ruy Adorno
f436f6f55e
2022-02-01, Version 12.22.10 'Erbium' (LTS)
Notable changes:

* Upgrade npm to 6.14.16
* Updated ICU time zone data

PR-URL: https://github.com/nodejs/node/pull/41710
2022-02-01 15:19:03 -05:00
Richard Lau
1c23c1ed25
2022-02-01, Version 14.19.0 'Fermium' (LTS)
Notable changes:

Corepack:
Node.js now includes Corepack, a script that acts as a bridge between
Node.js projects and the package managers they are intended to be used
with during development.
In practical terms, Corepack will let you use Yarn and pnpm without
having to install them - just like what currently happens with npm,
which is shipped in Node.js by default.

Contributed by Maël Nison - https://github.com/nodejs/node/pull/39608

ICU updated:
ICU has been updated to 70.1. This updates timezone database to 2021a3,
including bringing forward the start for DST for Jordan from March to
February.

Contributed by Michaël Zasso - https://github.com/nodejs/node/pull/40658

New option to disable loading of native addons:
A new command line option `--no-addons` has been added to disallow
loading of native addons.

Contributed by Dominic Elm - https://github.com/nodejs/node/pull/39977

Updated Root Certificates:
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71.

Contributed by Richard Lau - https://github.com/nodejs/node/pull/40280

Other Notable Changes:

crypto:
  * (SEMVER-MINOR) make FIPS related options always available (Vít Ondruch) https://github.com/nodejs/node/pull/36341
lib:
  * (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
  * (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
module:
  * (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
src:
  * (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926

PR-URL: https://github.com/nodejs/node/pull/41696
2022-02-01 08:30:03 -05:00
Michaël Zasso
325b9473c0
2022-01-18, Version 17.4.0 (Current)
Notable changes:

child_process:
  * (SEMVER-MINOR) add support for URL to `cp.fork` (Antoine du Hamel) https://github.com/nodejs/node/pull/41225
crypto:
  * (SEMVER-MINOR) alias webcrypto.subtle and webcrypto.getRandomValues on crypto (James M Snell) https://github.com/nodejs/node/pull/41266
doc:
  * add Mesteery to collaborators (Mestery) https://github.com/nodejs/node/pull/41543
events:
  * (SEMVER-MINOR) graduate capturerejections to supported (James M Snell) https://github.com/nodejs/node/pull/41267
  * (SEMVER-MINOR) add EventEmitterAsyncResource to core (James M Snell) https://github.com/nodejs/node/pull/41246
loader:
  * (SEMVER-MINOR) return package format from defaultResolve if known (Gabriel Bota) https://github.com/nodejs/node/pull/40980
perf_hooks:
  * (SEMVER-MINOR) multiple fixes for Histogram (James M Snell) https://github.com/nodejs/node/pull/41153
stream:
  * (SEMVER-MINOR) add filter method to readable (Benjamin Gruenbaum, Robert Nagy) https://github.com/nodejs/node/pull/41354
  * (SEMVER-MINOR) add isReadable helper (Robert Nagy) https://github.com/nodejs/node/pull/41199
  * (SEMVER-MINOR) add map method to Readable (Benjamin Gruenbaum, Robert Nagy) https://github.com/nodejs/node/pull/40815

PR-URL: https://github.com/nodejs/node/pull/41557
2022-01-18 16:03:23 +01:00
Beth Griggs
c4194c0dce
2022-01-10, Version 17.3.1 (Current)
This is a security release.

Notable changes:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533

Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824

PR-URL: https://github.com/nodejs-private/node-private/pull/311
2022-01-10 23:49:27 +00:00
Danielle Adams
f99a2c275d
2022-01-10, Version 16.13.2 'Gallium' (LTS)
This is a security release.

Notable changes:

Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531

Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532

Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533

Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824

PR-URL: https://github.com/nodejs-private/node-private/pull/312
2022-01-10 18:36:11 -05:00