Commit Graph

629 Commits

Author SHA1 Message Date
Beth Griggs
70cf0dce4e
2021-07-05, Version 16.4.2 (Current)
Notable changes:

Node.js 16.4.1 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.

PR-URL: https://github.com/nodejs/node/pull/39270
2021-07-05 18:23:26 +01:00
Richard Lau
ef3969542d
2021-07-05, Version v14.17.3 'Fermium' (LTS)
Notable changes:

Node.js 14.17.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.

PR-URL: https://github.com/nodejs/node/pull/39269
2021-07-05 17:03:09 +01:00
Richard Lau
cf1abe4b88
2021-07-05, Version 12.22.3 'Erbium' (LTS)
Notable changes:

Node.js 12.22.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.

PR-URL: https://github.com/nodejs/node/pull/39268
2021-07-05 16:50:08 +01:00
Richard Lau
e5f9ef62f6 doc: fix CHANGELOG.md formatting
Fix typo for line break tag.

PR-URL: https://github.com/nodejs/node/pull/39223
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2021-07-02 05:45:26 +02:00
Beth Griggs
5ba2442e82
2021-07-01, Version 16.4.1 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/271
2021-07-01 15:37:30 +01:00
Richard Lau
0969b9f0e8
2021-07-01, Version 14.17.2 'Fermium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/272
2021-07-01 14:48:10 +01:00
Richard Lau
9b7eb82a42
2021-07-01, Version 12.22.2 'Erbium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
- **CVE-2021-27290**: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High)
- **CVE-2021-23362**: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium)

PR-URL: https://github.com/nodejs-private/node-private/pull/270
2021-07-01 14:41:48 +01:00
Danielle Adams
84d6ce9fd1
2021-06-23, Version 16.4.0 (Current)
Notable changes:

* async_hooks:
  * stabilize part of AsyncLocalStorage (Vladimir de Turckheim) https://github.com/nodejs/node/pull/37675
* deps:
  * upgrade npm to 7.18.1 (npm-robot) https://github.com/nodejs/node/pull/39065
  * update V8 to 9.1.269.36 (Michaël Zasso) https://github.com/nodejs/node/pull/38273
* dns:
  * allow `--dns-result-order` to change default dns verbatim (Ouyang Yadong) https://github.com/nodejs/node/pull/38099

PR-URL: https://github.com/nodejs/node/pull/39031
2021-06-23 07:42:28 -04:00
Michaël Zasso
c0becbc1bd
2021-06-15, Version 14.17.1 'Fermium' (LTS)
Notable changes:

deps:
  * update ICU to 69.1 (Michaël Zasso) https://github.com/nodejs/node/pull/38178
src:
  * align source-map stacks with spec (Benjamin Coe) https://github.com/nodejs/node/pull/37252

PR-URL: https://github.com/nodejs/node/pull/38948
2021-06-15 14:45:01 +02:00
Antoine du Hamel
174b191f70 doc: add missing changelog links
Refs: https://github.com/nodejs/node/pull/38507
Refs: https://github.com/nodejs/node/pull/38874

PR-URL: https://github.com/nodejs/node/pull/39016
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
2021-06-13 01:05:59 +00:00
Antoine du Hamel
9414230eb0 doc: mark Node.js v15.x as EOL
Today is 2021-06-01, which is the date v15.x release line is marked as
End-of-Life.

Refs: https://github.com/nodejs/Release/blob/main/schedule.json

PR-URL: https://github.com/nodejs/node/pull/38891
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Nitzan Uziely <linkgoron@gmail.com>
2021-06-03 17:36:15 +02:00
Michaël Zasso
44ffddae8b
2021-05-19, Version 16.2.0 (Current)
Notable changes:

async_hooks:
  * (SEMVER-MINOR) use new v8::Context PromiseHook API (Stephen Belanger) https://github.com/nodejs/node/pull/36394
lib:
  * support setting process.env.TZ on windows (James M Snell) https://github.com/nodejs/node/pull/38642
module:
  * (SEMVER-MINOR) add support for `URL` to `import.meta.resolve` (Antoine du Hamel) https://github.com/nodejs/node/pull/38587
process:
  * (SEMVER-MINOR) add `'worker'` event (James M Snell) https://github.com/nodejs/node/pull/38659
util:
  * (SEMVER-MINOR) add util.types.isKeyObject and util.types.isCryptoKey (Filip Skokan) https://github.com/nodejs/node/pull/38619

PR-URL: https://github.com/nodejs/node/pull/38719
2021-05-19 12:56:18 +02:00
Michaël Zasso
671c289957
2021-05-04, Version 16.1.0 (Current)
Notable changes:

fs:
  * (SEMVER-MINOR) allow no-params fsPromises fileHandle read (Nitzan Uziely) https://github.com/nodejs/node/pull/38287

PR-URL: https://github.com/nodejs/node/pull/38522
2021-05-04 17:09:39 +02:00
Richard Lau
6434cd66bb
doc: mark Node.js 10 as End-of-Life
PR-URL: https://github.com/nodejs/node/pull/38482
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Nitzan Uziely <linkgoron@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
2021-04-30 12:06:14 -04:00
Beth Griggs
8780537564
2021-04-20, Version 16.0.0 (Current)
Notable changes:

Deprecations and Removals:

- **(SEMVER-MAJOR)** **fs**: remove permissive rmdir recursive
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37216]
- **(SEMVER-MAJOR)** **fs**: runtime deprecate rmdir recursive option
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37302]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('http_parser') (James M Snell) [https://github.com/nodejs/node/pull/37813]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('url') (James M Snell) [https://github.com/nodejs/node/pull/37799]
- **(SEMVER-MAJOR)** **lib**: make process.binding('util') return only
  type checkers (Anna Henningsen) [https://github.com/nodejs/node/pull/37819]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('crypto') (James M Snell) [https://github.com/nodejs/node/pull/37790]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('signal_wrap') (James M Snell) [https://github.com/nodejs/node/pull/37800]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('v8') (James M Snell) [https://github.com/nodejs/node/pull/37789]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('async_wrap') (James M Snell) [https://github.com/nodejs/node/pull/37576]
- **(SEMVER-MAJOR)** **module**: remove module.createRequireFromPath
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37201]
- **(SEMVER-MAJOR)** **module**: runtime deprecate subpath folder
  mappings (Antoine du Hamel) [https://github.com/nodejs/node/pull/37215]
- **(SEMVER-MAJOR)** **module**: runtime deprecate "main" index and
  extension lookups (Antoine du Hamel) [https://github.com/nodejs/node/pull/37206]
- **(SEMVER-MAJOR)** **module**: runtime deprecate invalid package.json
  main entries (Antoine du Hamel) [https://github.com/nodejs/node/pull/37204]
- **(SEMVER-MAJOR)** **process**: runtime deprecate changing
  process.config (James M Snell) [https://github.com/nodejs/node/pull/36902]

Stable Timers Promises API:

The Timers Promises API provides an alternative set of timer functions
that return Promise objects. Added in Node.js v15.0.0, in this release
they graduate from experimental status to stable.

Contributed by James Snell - [https://github.com/nodejs/node/pull/38112]

Toolchain and Compiler Upgrades:

Node.js v16.0.0 will be the first release where we ship prebuilt
binaries for Apple Silicon. While we’ll be providing separate tarballs
for the Intel (`darwin-x64`) and ARM (`darwin-arm64`) architectures the
macOS installer (`.pkg`) will be shipped as a ‘fat’ (multi-architecture)
binary.

- **(SEMVER-MAJOR)** **build**: remove support for Python 2 (Christian
  Clauss) [https://github.com/nodejs/node/pull/36691]
- **(SEMVER-MAJOR)** **build**: default PYTHON to python3 in Makefile
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37764]
- **build**: update Makefile to support fat binary (Ash Cripps)
  [https://github.com/nodejs/node/pull/37861]
- **(SEMVER-MAJOR)** **build**: enable ASLR (PIE) on OS X (woodfairy)
  [https://github.com/nodejs/node/pull/35704]
- **build**: warn for gcc versions earlier than 8.3.0 (Richard Lau)
  [https://github.com/nodejs/node/pull/37935]
- **(SEMVER-MAJOR)** **doc**: update minimum supported Xcode to 11
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37872]
- **(SEMVER-MAJOR)** **doc**: update minimum supported GCC to 8.3
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37871]
- **(SEMVER-MAJOR)** **doc**: update AIX to GCC8 for v16.x (Ash Cripps)
  [https://github.com/nodejs/node/pull/37677]
- **tools**: set arch in Distribution.xml (Ash Cripps)
  [https://github.com/nodejs/node/pull/38261]

V8 9.0:

The V8 JavaScript engine is updated to V8 9.0, including performance
tweaks and improvements.

This update also brings the ECMAScript RegExp Match Indices, which
provide the start and end indices of the captured string. The indices
array is available via the `.indices` property on match objects when the
regular expression has the `/d` flag.

Contributed by Michaël Zasso - [https://github.com/nodejs/node/pull/37587]

Other Notable Changes:

- **(SEMVER-MINOR)** **assert**: graduate assert.match and
  assert.doesNotMatch (James M Snell) [https://github.com/nodejs/node/pull/38111]
- **(SEMVER-MAJOR)** **buffer**: expose btoa and atob as globals
  (James M Snell) [https://github.com/nodejs/node/pull/37786]
- **(SEMVER-MAJOR)** **deps**: bump minimum ICU version to 68
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37330]
- **deps**: update ICU to 69.1 (Michaël Zasso)
  [https://github.com/nodejs/node/pull/38178]
- **deps**: update llhttp to 6.0.0 (Fedor Indutny)
  [https://github.com/nodejs/node/pull/38277]
- **deps**: upgrade npm to 7.10.0 (Ruy Adorno)
  [https://github.com/nodejs/node/pull/38254]
- **(SEMVER-MINOR)** **http**: add http.ClientRequest.getRawHeaderNames()
  (simov) [https://github.com/nodejs/node/pull/37660]
- **(SEMVER-MAJOR)** **lib,src**: update cluster to use Parent
  (Michael Dawson) [https://github.com/nodejs/node/pull/36478]
- **(SEMVER-MINOR)** **module**: add support for `node:`‑prefixed
  `require(…)` calls (ExE Boss) [https://github.com/nodejs/node/pull/37246]
- **(SEMVER-MINOR)** **perf_hooks**: add histogram option to timerify
  (James M Snell) [https://github.com/nodejs/node/pull/37475]
- **(SEMVER-MINOR)** **repl**: add auto‑completion for `node:`‑prefixed
  `require(…)` calls (ExE Boss) [https://github.com/nodejs/node/pull/37246]
- **(SEMVER-MINOR)** **util**: add getSystemErrorMap() impl
  (eladkeyshawn) [https://github.com/nodejs/node/pull/38101]

Semver-Major Commits:

- **(SEMVER-MAJOR)** **async_hooks**: add thisArg to AsyncResource.bind
  (James M Snell) [https://github.com/nodejs/node/pull/36782]
- **(SEMVER-MAJOR)** **buffer**: expose btoa and atob as globals
  (James M Snell) [https://github.com/nodejs/node/pull/37786]
- **(SEMVER-MAJOR)** **build**: remove support for Python 2
  (Christian Clauss) [https://github.com/nodejs/node/pull/36691]
- **(SEMVER-MAJOR)** **build**: default PYTHON to python3 in Makefile
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37764]
- **(SEMVER-MAJOR)** **build**: update Makefile to support fat binary
  (Ash Cripps) [https://github.com/nodejs/node/pull/37861]
- **(SEMVER-MAJOR)** **build**: include minimal V8 headers in
  distribution (Michaël Zasso) [https://github.com/nodejs/node/pull/37570]
- **(SEMVER-MAJOR)** **build**: use C++11 ABI with libstdc++
  (Anna Henningsen) [https://github.com/nodejs/node/pull/36634]
- **(SEMVER-MAJOR)** **build**: enable ASLR (PIE) on OS X (woodfairy)
  [https://github.com/nodejs/node/pull/35704]
- **(SEMVER-MAJOR)** **deps**: update V8 to 9.0.257.11 (Michaël Zasso)
  [https://github.com/nodejs/node/pull/37587]
- **(SEMVER-MAJOR)** **deps**: bump minimum ICU version to 68
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37330]
- **(SEMVER-MAJOR)** **deps**: update V8 to 8.9.255.19 (Michaël Zasso)
  [https://github.com/nodejs/node/pull/37330]
- **(SEMVER-MAJOR)** **deps**: update V8 to 8.8.278.17 (Michaël Zasso)
  [https://github.com/nodejs/node/pull/36139]
- **(SEMVER-MAJOR)** **deps**: update V8 to 8.7.220 (Michaël Zasso)
  [https://github.com/nodejs/node/pull/35700]
- **(SEMVER-MAJOR)** **dns**: use url module instead of punycode for
  IDNA (Antoine du Hamel) [https://github.com/nodejs/node/pull/35091]
- **(SEMVER-MAJOR)** **doc**: update minimum supported Xcode to 11
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37872]
- **(SEMVER-MAJOR)** **doc**: update minimum supported GCC to 8.3
  (Michaël Zasso) [https://github.com/nodejs/node/pull/37871]
- **(SEMVER-MAJOR)** **doc**: update AIX to GCC8 for v16.x (Ash Cripps)
  [https://github.com/nodejs/node/pull/37677]
- **(SEMVER-MAJOR)** **doc**: add http.IncomingMessage#connection
  (Pranshu Srivastava) [https://github.com/nodejs/node/pull/33768]
- **(SEMVER-MAJOR)** **events**: change EventTarget handler exception
  behavior (Nitzan Uziely) [https://github.com/nodejs/node/pull/37237]
- **(SEMVER-MAJOR)** **fs**: remove permissive rmdir recursive
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37216]
- **(SEMVER-MAJOR)** **fs**: add validation for fd and path
  (Dylan Elliott) [https://github.com/nodejs/node/pull/35187]
- **(SEMVER-MAJOR)** **fs**: runtime deprecate rmdir recursive option
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37302]
- **(SEMVER-MAJOR)** **fs**: fix flag and mode validation
  (James M Snell) [https://github.com/nodejs/node/pull/37480]
- **(SEMVER-MAJOR)** **http**: use objects with null prototype in Agent
  (Michaël Zasso) [https://github.com/nodejs/node/pull/36409]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('http_parser') (James M Snell)
  [https://github.com/nodejs/node/pull/37813]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('url') (James M Snell)
  [https://github.com/nodejs/node/pull/37799]
- **(SEMVER-MAJOR)** **lib**: make process.binding('util') return only
  type checkers (Anna Henningsen) [https://github.com/nodejs/node/pull/37819]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('crypto') (James M Snell) [https://github.com/nodejs/node/pull/37790]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('signal_wrap') (James M Snell) [https://github.com/nodejs/node/pull/37800]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('v8') (James M Snell) [https://github.com/nodejs/node/pull/37789]
- **(SEMVER-MAJOR)** **lib**: aggregate errors to avoid error swallowing
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37460]
- **(SEMVER-MAJOR)** **lib**: runtime deprecate access to
  process.binding('async_wrap') (James M Snell) [https://github.com/nodejs/node/pull/37576]
- **(SEMVER-MAJOR)** **lib**: remove usage of url.parse
  (raisinten) [https://github.com/nodejs/node/pull/36853]
- **(SEMVER-MAJOR)** **lib**: add error handling for input stream
  (rexagod) [https://github.com/nodejs/node/pull/31603]
- **(SEMVER-MAJOR)** **lib,src**: update cluster to use Parent
  (Michael Dawson) [https://github.com/nodejs/node/pull/36478]
- **(SEMVER-MAJOR)** **module**: runtime deprecate subpath folder
  mappings (Antoine du Hamel) [https://github.com/nodejs/node/pull/37215]
- **(SEMVER-MAJOR)** **module**: runtime deprecate "main" index and
  extension lookups (Antoine du Hamel) [https://github.com/nodejs/node/pull/37206]
- **(SEMVER-MAJOR)** **module**: runtime deprecate invalid package.json
  main entries (Antoine du Hamel) [https://github.com/nodejs/node/pull/37204]
- **(SEMVER-MAJOR)** **module**: remove module.createRequireFromPath
  (Antoine du Hamel) [https://github.com/nodejs/node/pull/37201]
- **(SEMVER-MAJOR)** **module**: only set cache when finding module
  succeeds (Yongsheng Zhang) [https://github.com/nodejs/node/pull/36642]
- **(SEMVER-MAJOR)** **perf_hooks**: make performance a global (James M
  Snell) [https://github.com/nodejs/node/pull/37970]
- **(SEMVER-MAJOR)** **perf_hooks**: complete overhaul of the
  implementation (James M Snell) [https://github.com/nodejs/node/pull/37136]
- **(SEMVER-MAJOR)** **process**: disallow adding options to
  process.allowedNodeEnvironmentFlags (Antoine du Hamel)
  [https://github.com/nodejs/node/pull/36660]
- **(SEMVER-MAJOR)** **process**: runtime deprecate changing
  process.config (James M Snell) [https://github.com/nodejs/node/pull/36902]
- **(SEMVER-MAJOR)** **readline**: cursorTo throw error on NaN
  (Zijian Liu) [https://github.com/nodejs/node/pull/36379]
- **(SEMVER-MAJOR)** **src**: mark internally exported functions as
  explicitly internal (Tyler Ang-Wanek) [https://github.com/nodejs/node/pull/37000]
- **(SEMVER-MAJOR)** **src**: inline AsyncCleanupHookHandle in headers
  (Tyler Ang-Wanek) [https://github.com/nodejs/node/pull/37000]
- **(SEMVER-MAJOR)** **src**: clean up embedder API (Anna Henningsen)
  [https://github.com/nodejs/node/pull/35897]
- **(SEMVER-MAJOR)** **worker**: send correct error status for worker
  init (Yash Ladha) [https://github.com/nodejs/node/pull/36242]

PR-URL: https://github.com/nodejs/node/pull/37678
2021-04-20 16:48:35 +01:00
Myles Borins
78b6f389d0
2021-04-06, Version 15.14.0 (Current)
Notable Changes:

This is a security release.

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

Other Notable changes:

fs:
  * (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) https://github.com/nodejs/node/pull/37490
net:
  * (SEMVER-MINOR) allow net.BlockList to use net.SocketAddress objects (James M Snell) https://github.com/nodejs/node/pull/37917
  * (SEMVER-MINOR) add SocketAddress class (James M Snell) https://github.com/nodejs/node/pull/37917
  * (SEMVER-MINOR) make net.BlockList cloneable (James M Snell) https://github.com/nodejs/node/pull/37917
net,tls:
  * (SEMVER-MINOR) add abort signal support to connect (Nitzan Uziely) https://github.com/nodejs/node/pull/37735
readline:
  * (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) https://github.com/nodejs/node/pull/37932

PR-URL: https://github.com/nodejs/node/pull/38084
2021-04-06 15:55:23 -04:00
Myles Borins
1522a93646
2021-04-06, Version 14.16.1 'Fermium' (LTS)
This is a security release.

Notable Changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: https://github.com/nodejs/node/pull/38082
2021-04-06 15:55:23 -04:00
Myles Borins
d318ec7fc3
2021-04-06, Version 12.22.1 'Erbium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: https://github.com/nodejs/node/pull/38083
2021-04-06 15:55:22 -04:00
Myles Borins
cd15b1cde2
2021-04-06, Version 10.24.1 'Dubnium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-3450**: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- **CVE-2021-3449**: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- **CVE-2020-7774**: npm upgrade - Update y18n to fix Prototype-Pollution (High)

PR-URL: https://github.com/nodejs/node/pull/38085
2021-04-06 15:55:22 -04:00
Ruy Adorno
82bc5c3d5c
2021-03-31, Version 15.13.0 (Current)
PR-URL: https://github.com/nodejs/node/pull/37977

Notable changes:

* buffer:
  * implement btoa and atob (James M Snell) https://github.com/nodejs/node/pull/37529
* deps:
  * upgrade npm to 7.7.6 (Ruy Adorno) https://github.com/nodejs/node/pull/37968
* doc:
  * add legacy status to stability index (James M Snell) https://github.com/nodejs/node/pull/37784
  * add @linkgoron to collaborators (Nitzan Uziely) https://github.com/nodejs/node/pull/37817
* http:
  * add http.ClientRequest.getRawHeaderNames() (simov) https://github.com/nodejs/node/pull/37660
2021-03-31 10:14:03 -04:00
Richard Lau
30fe4ed8c4
2021-03-30, Version 12.22.0 'Erbium' (LTS)
Notable changes

The legacy HTTP parser is runtime deprecated:
- The legacy HTTP parser, selected by the `--http-parser=legacy` command line
option, is deprecated with the pending End-of-Life of Node.js 10.x (where it
is the only HTTP parser implementation provided) at the end of April 2021. It
will now warn on use but otherwise continue to function and may be removed in
a future Node.js 12.x release.
- The default HTTP parser based on llhttp is not affected. By default it is
stricter than the now deprecated legacy HTTP parser. If interoperability with
HTTP implementations that send invalid HTTP headers is required, the HTTP
parser can be started in a less secure mode with the `--insecure-http-parser`
command line option.

ES Modules:
- ES Modules are now considered stable.

node-api:
- Updated to node-api version 8 and added an experimental API to allow
retrieval of the add-on file name.

New API's to control code coverage data collection:
- `v8.stopCoverage()` and `v8.takeCoverage()` have been added.

New API to monitor event loop utilization by Worker threads
- `worker.performance.eventLoopUtilization()` has been added.

PR-URL: https://github.com/nodejs/node/pull/37797
2021-03-30 15:09:15 +01:00
Danielle Adams
3b3b02f8bb
2021-03-17, Version 15.12.0 (Current)
PR-URL: https://github.com/nodejs/node/pull/37766

Notable changes:

* crypto:
  * add optional callback to crypto.sign and crypto.verify (Filip Skokan) https://github.com/nodejs/node/pull/37500
  * support JWK objects in create\*Key (Filip Skokan) https://github.com/nodejs/node/pull/37254
* deps:
  * update to cjs-module-lexer@1.1.0 (Guy Bedford) https://github.com/nodejs/node/pull/37712
  * switch openssl to quictls/openssl (James M Snell) https://github.com/nodejs/node/pull/37601
* fs:
  * improve fsPromises writeFile performance (Nitzan Uziely) https://github.com/nodejs/node/pull/37610
  * improve fsPromises readFile performance (Nitzan Uziely) https://github.com/nodejs/node/pull/37608
* lib:
  * implement AbortSignal.abort() (James M Snell) https://github.com/nodejs/node/pull/37693
* node-api:
  * define version 8 (Gabriel Schulhof) https://github.com/nodejs/node/pull/37652
* worker:
  * add setEnvironmentData/getEnvironmentData (James M Snell) https://github.com/nodejs/node/pull/37486
2021-03-17 18:16:45 -04:00
Michaël Zasso
f6b1df2226
2021-03-03, Version 15.11.0 (Current)
Notable changes:

crypto:
  * (SEMVER-MINOR) make FIPS related options always awailable (Vít Ondruch) https://github.com/nodejs/node/pull/36341
errors:
  * (SEMVER-MINOR) remove experimental from --enable-source-maps (Benjamin Coe) https://github.com/nodejs/node/pull/37362

PR-URL: https://github.com/nodejs/node/pull/37569
2021-03-03 07:06:17 +01:00
Richard Lau
eed3c72474
2021-02-23, Version 10.24.0 'Dubnium' (LTS)
This is a security release.

Notable changes

Vulnerabilities fixed:

- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
    resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate

PR-URL: https://github.com/nodejs-private/node-private/pull/255
2021-02-23 12:41:57 +00:00
Richard Lau
199c8bdb0d
2021-02-23, Version 12.21.0 'Erbium' (LTS)
This is a security release.

Notable changes

Vulnerabilities fixed:

- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
    resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate

PR-URL: https://github.com/nodejs-private/node-private/pull/256
2021-02-23 12:38:53 +00:00
Beth Griggs
40b805a6ef
2021-02-23, Version 14.16.0 'Fermium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
    resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate

PR-URL: https://github.com/nodejs-private/node-private/pull/254
2021-02-23 12:22:11 +00:00
Beth Griggs
6f9b622737
2021-02-23, Version 15.10.0 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2021-22883**: HTTP2 'unknownProtocol' cause Denial of Service by
    resource exhaustion
- **CVE-2021-22884**: DNS rebinding in --inspect
- **CVE-2021-23840**: OpenSSL - Integer overflow in CipherUpdate

PR-URL: https://github.com/nodejs-private/node-private/pull/253
2021-02-23 12:02:39 +00:00
Danielle Adams
3bf50a70b4
2021-02-17, Version 15.9.0 (Current)
PR-URL: https://github.com/nodejs/node/pull/37406

Notable Changes:

* crypto:
  * add keyObject.export() jwk format option (Filip Skokan) https://github.com/nodejs/node/pull/37081
* deps:
  * upgrade to libuv 1.41.0 (Colin Ihrig) https://github.com/nodejs/node/pull/37360
* doc:
  * add dmabupt to collaborators (Xu Meng) https://github.com/nodejs/node/pull/37377
  * refactor fs docs structure (James M Snell) https://github.com/nodejs/node/pull/37170
* fs:
  * add fsPromises.watch() (James M Snell) https://github.com/nodejs/node/pull/37179
  * use a default callback for fs.close() (James M Snell) https://github.com/nodejs/node/pull/37174
  * add AbortSignal support to watch (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/37190
* perf_hooks:
  * introduce createHistogram (James M Snell) https://github.com/nodejs/node/pull/37155
* stream:
  * improve Readable.from error handling (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/37158
* timers:
  * introduce setInterval async iterator (linkgoron) https://github.com/nodejs/node/pull/37153
* tls:
  * add ability to get cert/peer cert as X509Certificate object (James M Snell) https://github.com/nodejs/node/pull/37070
2021-02-17 21:20:34 -05:00
Ruy Adorno
ad38be4f6a
2021-02-10, Version 12.20.2 'Erbium' (LTS)
Notable changes:

* deps:
  * upgrade npm to 6.14.11 (Ruy Adorno) [#37173](https://github.com/nodejs/node/pull/37173)

PR-URL: https://github.com/nodejs/node/pull/37286
2021-02-10 15:31:09 -05:00
Richard Lau
857fbdb13f
2021-02-09, Version 10.23.3 'Dubnium' (LTS)
Notable changes:

The update to npm 6.14.11 has been relanded so that npm correctly reports its version.

PR-URL: https://github.com/nodejs/node/pull/37241
2021-02-09 22:58:32 +00:00
Beth Griggs
4f12215a6b
2021-02-09, Version 14.15.5 'Fermium' (LTS)
Notable changes:

- **deps**:
  - upgrade npm to 6.14.11 (Ruy Adorno)
    (https://github.com/nodejs/node/pull/37173)
  - V8: backport dfcf1e86fac0 (Michaël Zasso)
    (https://github.com/nodejs/node/pull/37245)
    - Note: Node.js is not believed to be vulnerable to CVE-2021-21148.
- **stream,zlib**: do not use \_stream\_\* anymore (Matteo Collina)
  (https://github.com/nodejs/node/pull/36618)

PR-URL: https://github.com/nodejs/node/pull/37074
2021-02-09 16:40:16 +00:00
Michaël Zasso
211574b0c2
2021-02-02, Version 15.8.0 (Current)
Notable changes:

crypto:
  * (SEMVER-MINOR) add generatePrime/checkPrime (James M Snell) https://github.com/nodejs/node/pull/36997
  * (SEMVER-MINOR) experimental (Ed/X)25519/(Ed/X)448 support (James M Snell) https://github.com/nodejs/node/pull/36879
deps:
  * upgrade npm to 7.5.0 (Ruy Adorno) https://github.com/nodejs/node/pull/37117
dgram:
  * (SEMVER-MINOR) support AbortSignal in createSocket (Nitzan Uziely) https://github.com/nodejs/node/pull/37026
doc:
  * add Zijian Liu to collaborators (ZiJian Liu) https://github.com/nodejs/node/pull/37075
esm:
  * deprecate legacy main lookup for modules (Guy Bedford) https://github.com/nodejs/node/pull/36918
readline:
  * (SEMVER-MINOR) add history event and option to set initial history (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33662
  * (SEMVER-MINOR) add support for the AbortController to the question method (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33676

PR-URL: https://github.com/nodejs/node/pull/37183
2021-02-02 21:50:24 +01:00
Richard Lau
c5f3565100
2021-01-26, Version 10.23.2 'Dubnium' (LTS)
Notable changes:

Release keys have been synchronized with the main branch.

- deps:
  - upgrade npm to 6.14.11 (Darcy Clarke)
    https://github.com/nodejs/node/pull/36838

PR-URL: https://github.com/nodejs/node/pull/37022
2021-01-26 17:14:19 +00:00
Ruy Adorno
cef00ad414
2021-01-26, Version 15.7.0 (Current)
PR-URL: https://github.com/nodejs/node/pull/37020

Notable changes:

* buffer:
  * introduce Blob (James M Snell) [#36811](https://github.com/nodejs/node/pull/36811)
  * add base64url encoding option (Filip Skokan) [#36952](https://github.com/nodejs/node/pull/36952)
* doc:
  * add @iansu to collaborators (Ian Sutherland) [#36951](https://github.com/nodejs/node/pull/36951)
  * add @RaisinTen to collaborators (Darshan Sen) [#36998](https://github.com/nodejs/node/pull/36998)
  * add @miladfarca to collaborators (Milad Fa) [#36934](https://github.com/nodejs/node/pull/36934)
* fs:
  * allow position parameter to be a BigInt in read and readSync (raisinten) [#36190](https://github.com/nodejs/node/pull/36190)
* http:
  * attach request as res.req (Ian Storm Taylor) [#36505](https://github.com/nodejs/node/pull/36505)
  * expose urlToHttpOptions utility (Yongsheng Zhang) [#35960](https://github.com/nodejs/node/pull/35960)
2021-01-26 11:06:59 -05:00
Danielle Adams
0f789488d4
2021-01-14, Version 15.6.0 (Current)
PR-URL: https://github.com/nodejs/node/pull/36889

Notable changes:

* child_process:
  * add 'overlapped' stdio flag (Thiago Padilha) (https://github.com/nodejs/node/pull/29412)
  * support AbortSignal in fork (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/36603)
* crypto:
  * implement basic secure heap support (James M Snell) (https://github.com/nodejs/node/pull/36779)
  * fixup bug in keygen error handling (James M Snell) (https://github.com/nodejs/node/pull/36779)
  * introduce X509Certificate API (James M Snell) (https://github.com/nodejs/node/pull/36804)
  * implement randomuuid (James M Snell) (https://github.com/nodejs/node/pull/36729)
* doc:
  * update release key for Danielle Adams (Danielle Adams) (https://github.com/nodejs/node/pull/36793)
  * add dnlup to collaborators (Daniele Belardi) (https://github.com/nodejs/node/pull/36849)
  * add panva to collaborators (Filip Skokan) (https://github.com/nodejs/node/pull/36802)
  * add yashLadha to collaborator (Yash Ladha) (https://github.com/nodejs/node/pull/36666)
* http:
  * set lifo as the default scheduling strategy in Agent (Matteo Collina) (https://github.com/nodejs/node/pull/36685)
* net:
  * support abortSignal in server.listen (Nitzan Uziely) (https://github.com/nodejs/node/pull/36623)
* process:
  * add direct access to rss without iterating pages (Adrien Maret) (https://github.com/nodejs/node/pull/34291)
* v8:
  * fix native  constructors (ExE Boss) (https://github.com/nodejs/node/pull/36549)
2021-01-14 19:58:43 -05:00
Richard Lau
ceb0dc907a
2021-01-04, Version 12.20.1 'Erbium' (LTS)
Notable changes:

This is a security release.

Vulnerabilities fixed:

- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt

PR-URL: https://github.com/nodejs-private/node-private/pull/240
2021-01-04 18:02:20 +00:00
Richard Lau
6c80df02d1
2021-01-04, Version 10.23.1 'Dubnium' (LTS)
Notable changes:

This is a security release.

Vulnerabilities fixed:

- CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in
its TLS implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
allocated WriteWrap object as first argument. If the DoWrite method
does not return an error, this object is passed back to the caller
as part of a StreamWriteResult structure. This may be exploited to
corrupt memory leading to a Denial of Service or potentially other
exploits
- CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in
a http request. For example, two Transfer-Encoding header fields.
In this case Node.js identifies the first header field and ignores
the second. This can lead to HTTP Request Smuggling
(https://cwe.mitre.org/data/definitions/444.html).
- CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js.
You can read more about it in
https://www.openssl.org/news/secadv/20201208.txt

PR-URL: https://github.com/nodejs-private/node-private/pull/239
2021-01-04 17:59:36 +00:00
Beth Griggs
a384a0c4c6
2021-01-04, Version 14.15.4 'Fermium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2020-1971**: OpenSSL - EDIPARTYNAME NULL pointer de-reference
  (High)
  - This is a vulnerability in OpenSSL which may be exploited through
  Node.js. You can read more about it in
  https://www.openssl.org/news/secadv/20201208.txt

- **CVE-2020-8265**: use-after-free in TLSWrap (High)
  - Affected Node.js versions are vulnerable to a use-after-free bug in
  its TLS implementation. When writing to a TLS enabled socket,
  node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
  allocated WriteWrap object as first argument. If the DoWrite method
  does not return an error, this object is passed back to the caller as
  part of a StreamWriteResult structure. This may be exploited to
  corrupt memory leading to a Denial of Service or potentially other
  exploits.

- **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low)
  - Affected versions of Node.js allow two copies of a header field in
  a http request. For example, two Transfer-Encoding header fields. In
  this case Node.js identifies the first header field and ignores the
  second. This can lead to HTTP Request Smuggling
  (https://cwe.mitre.org/data/definitions/444.html).

PR-URL: https://github.com/nodejs-private/node-private/pull/242
2021-01-04 17:53:38 +00:00
Beth Griggs
433ed98b40
2021-01-04, Version 15.5.1 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- **CVE-2020-8265**: use-after-free in TLSWrap (High)
  * Affected Node.js versions are vulnerable to a use-after-free bug in
  its TLS implementation. When writing to a TLS enabled socket,
  node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
  allocated WriteWrap object as first argument. If the DoWrite method
  does not return an error, this object is passed back to the caller as
  part of a StreamWriteResult structure. This may be exploited to
  corrupt memory leading to a Denial of Service or potentially other
  exploits.

- **CVE-2020-8287**: HTTP Request Smuggling in nodejs (Low)
  * Affected versions of Node.js allow two copies of a header field in
  a http request. For example, two Transfer-Encoding header fields. In
  this case Node.js identifies the first header field and ignores the
  second. This can lead to HTTP Request Smuggling
  (https://cwe.mitre.org/data/definitions/444.html).

PR-URL: https://github.com/nodejs-private/node-private/pull/241
2021-01-04 17:46:51 +00:00
Michaël Zasso
80d2fbeb0c
2020-12-22, Version 15.5.0 (Current)
Notable changes:

    child_process:
      * (SEMVER-MINOR) add signal support to spawn (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/36432
    doc:
      * add PoojaDurgad to collaborators (Pooja D P) https://github.com/nodejs/node/pull/36511
    lib:
      * (SEMVER-MINOR) support BigInt in querystring.stringify (raisinten) https://github.com/nodejs/node/pull/36499
    src:
      * (SEMVER-MINOR) add way to get IsolateData and allocator from Environment (Anna Henningsen) https://github.com/nodejs/node/pull/36441
      * (SEMVER-MINOR) allow preventing SetPrepareStackTraceCallback (Shelley Vohr) https://github.com/nodejs/node/pull/36447
    stream:
      * (SEMVER-MINOR) support abortsignal in constructor (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/36431

PR-URL: https://github.com/nodejs/node/pull/36597
2020-12-22 19:56:09 +01:00
Beth Griggs
b49145f795
2020-12-17, Version 14.15.3 'Fermium' (LTS)
Notable Changes:

Node.js v14.15.2 included a commit that has caused reported breakages
when cloning request objects. This release reverts the commit that
introduced the behaviour change.

See https://github.com/nodejs/node/issues/36550 for more details.

PR-URL: https://github.com/nodejs/node/pull/36555
2020-12-17 23:22:59 +00:00
Beth Griggs
a150926177
2020-12-15, Version 14.15.2 'Fermium' (LTS)
Notable Changes:

- **deps**:
  - upgrade npm to 6.14.9 (Myles Borins)
    https://github.com/nodejs/node/pull/36450
  - update acorn to v8.0.4 (Michaël Zasso)
    https://github.com/nodejs/node/pull/35791
- **doc**: add release key for Danielle Adams (Danielle Adams)
    https://github.com/nodejs/node/pull/35545
- **http2**: check write not scheduled in scope destructor (David Halls)
    https://github.com/nodejs/node/pull/36241
- **stream**: fix regression on duplex end (Momtchil Momtchev)
    https://github.com/nodejs/node/pull/35941

PR-URL: https://github.com/nodejs/node/pull/36476
2020-12-15 23:48:00 +00:00
Danielle Adams
04e5418934
doc: add v15.4.0 link to CHANGELOG.md
PR-URL: https://github.com/nodejs/node/pull/36456
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Shelley Vohr <codebytere@gmail.com>
2020-12-14 15:02:05 -05:00
Myles Borins
219332e66c
2020-11-24, Version 12.20.0 'Erbium' (LTS)
Notable changes:

crypto:
  * update certdata to NSS 3.56 (Shelley Vohr) https://github.com/nodejs/node/pull/35546
deps:
  * update llhttp to 2.1.3 (Fedor Indutny) https://github.com/nodejs/node/pull/35435
  * (SEMVER-MINOR) upgrade to libuv 1.40.0 (Colin Ihrig) https://github.com/nodejs/node/pull/35333
doc:
  * add aduh95 to collaborators (Antoine du Hamel) https://github.com/nodejs/node/pull/35542
fs:
  * (SEMVER-MINOR) add .ref() and .unref() methods to watcher classes (rickyes) https://github.com/nodejs/node/pull/33134
http:
  * (SEMVER-MINOR) added scheduling option to http agent (delvedor) https://github.com/nodejs/node/pull/33278
module:
  * (SEMVER-MINOR) exports pattern support (Guy Bedford) https://github.com/nodejs/node/pull/34718
  * (SEMVER-MINOR) named exports for CJS via static analysis (Guy Bedford) https://github.com/nodejs/node/pull/35249
n-api:
  * (SEMVER-MINOR) add more property defaults (Gerhard Stoebich) https://github.com/nodejs/node/pull/35214
src:
  * (SEMVER-MINOR) move node_contextify to modern THROW_ERR_* (James M Snell) https://github.com/nodejs/node/pull/35470
  * (SEMVER-MINOR) move node_process to modern THROW_ERR* (James M Snell) https://github.com/nodejs/node/pull/35472
  * (SEMVER-MINOR) expose v8::Isolate setup callbacks (Shelley Vohr) https://github.com/nodejs/node/pull/35512

PR-URL: https://github.com/nodejs/node/pull/35950
2020-11-24 11:40:37 -05:00
Shelley Vohr
7b5b8ef424
2020-11-24, Version 15.3.0 (Current)
Notable changes:

dns:
  * (SEMVER-MINOR) add a cancel() method to the promise Resolver (Szymon Marczak) https://github.com/nodejs/node/pull/33099
events:
  * (SEMVER-MINOR) add max listener warning for EventTarget (James M Snell) https://github.com/nodejs/node/pull/36001
http:
  * (SEMVER-MINOR) add support for abortsignal to http.request (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/36048
http2:
  * (SEMVER-MINOR) allow setting the local window size of a session (Yongsheng Zhang) https://github.com/nodejs/node/pull/35978
lib:
  * (SEMVER-MINOR) add throws option to fs.f/l/statSync (Andrew Casey) https://github.com/nodejs/node/pull/33716
path:
  * (SEMVER-MINOR) add `path/posix` and `path/win32` alias modules (ExE Boss) https://github.com/nodejs/node/pull/34962
readline:
  * (SEMVER-MINOR) add getPrompt to get the current prompt (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33675
src:
  * (SEMVER-MINOR) add loop idle time in diagnostic report (Gireesh Punathil) https://github.com/nodejs/node/pull/35940
util:
  * (SEMVER-MINOR) add `util/types` alias module (ExE Boss) https://github.com/nodejs/node/pull/34055

PR-URL: https://github.com/nodejs/node/pull/36232
2020-11-24 08:26:26 -08:00
Beth Griggs
88d0b5b2fb
2020-11-16, Version 12.19.1 'Erbium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
  application that allows an attacker to trigger a DNS request for a
  host of their choice could trigger a Denial of Service by getting the
  application to resolve a DNS record with a larger number of responses.

PR-URL: https://github.com/nodejs-private/node-private/pull/233
2020-11-16 17:09:16 +01:00
Beth Griggs
f67088efec
2020-11-16, Version 14.15.1 'Fermium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
  application that allows an attacker to trigger a DNS request for a
  host of their choice could trigger a Denial of Service by getting the
  application to resolve a DNS record with a larger number of responses.

PR-URL: https://github.com/nodejs-private/node-private/pull/234
2020-11-16 17:09:15 +01:00
Michaël Zasso
6be214d537
2020-11-16, Version 15.2.1 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:

* CVE-2020-8277: Denial of Service through DNS request (High). A Node.js
  application that allows an attacker to trigger a DNS request for a
  host of their choice could trigger a Denial of service by getting the
  application to resolve a DNS record with a larger number of responses.

PR-URL: https://github.com/nodejs-private/node-private/pull/232
2020-11-16 17:09:15 +01:00
Danielle Adams
f5c508c805
2020-11-10, Version 15.2.0 (Current)
Notable changes:

* events:
  * getEventListeners static (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/35991)
* fs:
  * support abortsignal in writeFile (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/35993)
  * add support for AbortSignal in readFile (Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/35911)
* stream:
  * fix thrown object reference (Gil Pedersen) (https://github.com/nodejs/node/pull/36065)

PR URL: https://github.com/nodejs/node/pull/36055
2020-11-10 17:51:54 -05:00
Michaël Zasso
8caa6a9d8c
2020-11-04, Version 15.1.0 (Current)
Notable changes:

child_process:
  * (SEMVER-MINOR) add ChildProcess 'spawn' event (Matthew Francis Brunetti) https://github.com/nodejs/node/pull/35369
dns:
  * (SEMVER-MINOR) add setLocalAddress to Resolver (Josh Dague) https://github.com/nodejs/node/pull/34824
http:
  * (SEMVER-MINOR) report request start and end with diagnostics_channel (Stephen Belanger) https://github.com/nodejs/node/pull/34895
http2:
  * (SEMVER-MINOR) add updateSettings to both http2 servers (Vincent Boivin) https://github.com/nodejs/node/pull/35383
lib:
  * (SEMVER-MINOR) create diagnostics_channel module (Stephen Belanger) https://github.com/nodejs/node/pull/34895
src:
  * (SEMVER-MINOR) add --heapsnapshot-near-heap-limit option (Joyee Cheung) https://github.com/nodejs/node/pull/33010
v8:
  * (SEMVER-MINOR) implement v8.stopCoverage() (Joyee Cheung) https://github.com/nodejs/node/pull/33807
  * (SEMVER-MINOR) implement v8.takeCoverage() (Joyee Cheung) https://github.com/nodejs/node/pull/33807
worker:
  * (SEMVER-MINOR) add eventLoopUtilization() (Trevor Norris) https://github.com/nodejs/node/pull/35664

PR-URL: https://github.com/nodejs/node/pull/35948
2020-11-04 21:43:02 +01:00
Richard Lau
0ca861745a
2020-10-27, Version 14.15.0 'Fermium' (LTS)
Notable changes:

This release marks the transition of Node.js 14.x into Long Term Support (LTS)
with the codename 'Fermium'. The 14.x release line now moves into "Active LTS"
and will remain so until October 2021. After that time, it will move into
"Maintenance" until end of life in April 2023.

PR-URL: https://github.com/nodejs/node/pull/35746
2020-10-27 11:59:05 -04:00
Richard Lau
62ead4e14f
2020-10-27, Version 10.23.0 'Dubnium' (LTS)
Notable changes:
- deps:
  - upgrade npm to 6.14.8 (Ruy Adorno)
    https://github.com/nodejs/node/pull/34834
- n-api:
  - create N-API version 7 (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/35199
  - expose napi_build_version variable (NickNaso)
    https://github.com/nodejs/node/pull/27835
- tools:
  - add debug entitlements for macOS 10.15+ (Gabriele Greco)
    https://github.com/nodejs/node/pull/34378

PR-URL: https://github.com/nodejs/node/pull/35544
2020-10-27 11:31:31 -04:00
Beth Griggs
4d16554bfa
2020-10-21, Version 15.0.1 (Current)
Notable changes:

- **crypto**: fix regression on randomFillSync (James M Snell)
  (https://github.com/nodejs/node/pull/35723)
  - This fixes issue https://github.com/nodejs/node/issues/35722.
- **deps**: upgrade npm to 7.0.3 (Ruy Adorno)
  (https://github.com/nodejs/node/pull/35724)
- **doc**: add release key for Danielle Adams (Danielle Adams)
  (https://github.com/nodejs/node/pull/35545)

PR-URL: https://github.com/nodejs/node/pull/35736
2020-10-21 21:20:48 +01:00
Beth Griggs
57613f8c56
2020-10-20, Version 15.0.0 (Current)
Notable changes:

Deprecations and Removals:

- **build**: remove --build-v8-with-gn configure option (Yang Guo)
(https://github.com/nodejs/node/pull/27576)
- **build**: drop support for VS2017 (Michaël Zasso)
(https://github.com/nodejs/node/pull/33694)
- **doc**: move DEP0018 to End-of-Life (Rich Trott)
(https://github.com/nodejs/node/pull/35316)
- **fs**: deprecation warning on recursive rmdir (Ian Sutherland)
(https://github.com/nodejs/node/pull/35562)
- **lib**: add EventTarget-related browser globals (Anna Henningsen)
(https://github.com/nodejs/node/pull/35496)
- **net**: remove long deprecated server.connections property (James M
Snell) (https://github.com/nodejs/node/pull/33647)
- **repl**: remove deprecated repl.memory function (Ruben Bridgewater)
(https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated repl.turnOffEditorMode() function (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated repl.parseREPLKeyword() function (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated bufferedCommand property (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated .rli (Ruben Bridgewater)
(https://github.com/nodejs/node/pull/33286)
- **src**: remove deprecated node debug command (James M Snell)
(https://github.com/nodejs/node/pull/33648)
- **timers**: introduce timers/promises (James M Snell)
(https://github.com/nodejs/node/pull/33950)
- **util**: change default value of `maxStringLength` to 10000
(unknown) (https://github.com/nodejs/node/pull/32744)
- **wasi**: drop --experimental-wasm-bigint requirement (Colin Ihrig)
(https://github.com/nodejs/node/pull/35415)

npm 7 (https://github.com/nodejs/node/pull/35631):

Node.js 15 comes with a new major release of npm, npm 7. npm 7 comes
with many new features - including npm workspaces and a new
package-lock.json format. npm 7 also includes yarn.lock file support.
One of the big changes in npm 7 is that peer dependencies are now
installed by default.

Throw On Unhandled Rejections
(https://github.com/nodejs/node/pull/33021):

As of Node.js 15, the default mode for `unhandledRejection` is changed
to `throw` (from `warn`). In `throw` mode, if an `unhandledRejection`
hook is not set, the `unhandledRejection` is raised as an uncaught
exception. Users that have an `unhandledRejection` hook should see no
change in behavior, and it’s still possible to switch modes using the
`--unhandled-rejections=mode` process flag.

QUIC (https://github.com/nodejs/node/pull/32379):

Node.js 15 comes with experimental support QUIC, which can be enabled
by compiling Node.js with the `--experimental-quic` configuration flag.
The Node.js QUIC implementation is exposed by the core `net` module.

V8 8.6 (https://github.com/nodejs/node/pull/35415):

The V8 JavaScript engine has been updated to V8 8.6 (V8 8.4 is the
latest available in Node.js 14). Along with performance tweaks and
improvements the V8 update also brings the following language features:
* `Promise.any()` (from V8 8.5)
* `AggregateError` (from V8 8.5)
* `String.prototype.replaceAll()` (from V8 8.5)
* Logical assignment operators `&&=`, `||=`, and `??=` (from V8 8.5)

Other Notable Changes:

- **assert**: add `assert/strict` alias module (ExE Boss)
(https://github.com/nodejs/node/pull/34001)
- **dns**: add dns/promises alias (shisama)
(https://github.com/nodejs/node/pull/32953)
- **fs**: reimplement read and write streams using stream.construct
(Robert Nagy) (https://github.com/nodejs/node/pull/29656)
- **http2**: allow Host in HTTP/2 requests (Alba Mendez)
(https://github.com/nodejs/node/pull/34664)
- **lib**: add EventTarget-related browser globals (Anna Henningsen)
(https://github.com/nodejs/node/pull/35496)
- **lib**: unflag AbortController (James M Snell)
(https://github.com/nodejs/node/pull/33527)
- **lib**: initial experimental AbortController implementation (James M
Snell) (https://github.com/nodejs/node/pull/33527)
- **net**: autoDestroy Socket (Robert Nagy)
(https://github.com/nodejs/node/pull/31806)
- **src**: disallow JS execution inside FreeEnvironment (Anna
Henningsen) (https://github.com/nodejs/node/pull/33874)
- **stream**: construct (Robert Nagy)
(https://github.com/nodejs/node/pull/29656)
- **worker**: make MessageEvent class more Web-compatible (Anna
Henningsen) (https://github.com/nodejs/node/pull/35496)

Semver-Major Commits:

- **assert**: add `assert/strict` alias module (ExE Boss)
(https://github.com/nodejs/node/pull/34001)
- **build**: reset embedder string to "-node.0" (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **build**: remove --build-v8-with-gn configure option (Yang Guo)
(https://github.com/nodejs/node/pull/27576)
- **build**: drop support for VS2017 (Michaël Zasso)
(https://github.com/nodejs/node/pull/33694)
- **crypto**: refactoring internals, add WebCrypto (James M Snell)
(https://github.com/nodejs/node/pull/35093)
- **crypto**: move node\_crypto files to src/crypto (James M Snell)
(https://github.com/nodejs/node/pull/35093)
- **deps**: V8: cherry-pick d76abfed3512 (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **deps**: V8: cherry-pick 717543bbf0ef (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **deps**: V8: cherry-pick 6be2f6e26e8d (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **deps**: fix V8 build issue with inline methods (Jiawen Geng)
(https://github.com/nodejs/node/pull/35415)
- **deps**: fix platform-embedded-file-writer-win for ARM64 (Michaël
Zasso) (https://github.com/nodejs/node/pull/35415)
- **deps**: update V8 postmortem metadata script (Colin Ihrig)
(https://github.com/nodejs/node/pull/35415)
- **deps**: update V8 to 8.6.395 (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **deps**: upgrade npm to 7.0.0 (Myles Borins)
(https://github.com/nodejs/node/pull/35631)
- **deps**: update npm to 7.0.0-rc.3 (Myles Borins)
(https://github.com/nodejs/node/pull/35474)
- **deps**: V8: cherry-pick 0d6debcc5f08 (Gus Caplan)
(https://github.com/nodejs/node/pull/33600)
- **dns**: add dns/promises alias (shisama)
(https://github.com/nodejs/node/pull/32953)
- **doc**: move DEP0018 to End-of-Life (Rich Trott)
(https://github.com/nodejs/node/pull/35316)
- **doc**: update support macos version for 15.x (Ash Cripps)
(https://github.com/nodejs/node/pull/35022)
- **fs**: deprecation warning on recursive rmdir (Ian Sutherland)
(https://github.com/nodejs/node/pull/35562)
- **fs**: reimplement read and write streams using stream.construct
(Robert Nagy) (https://github.com/nodejs/node/pull/29656)
- **http**: fixed socket.setEncoding fatal error (iskore)
(https://github.com/nodejs/node/pull/33405)
- **http**: emit 'error' on aborted server request (Robert Nagy)
(https://github.com/nodejs/node/pull/33172)
- **http**: cleanup end argument handling (Robert Nagy)
(https://github.com/nodejs/node/pull/31818)
- **http2**: allow Host in HTTP/2 requests (Alba Mendez)
(https://github.com/nodejs/node/pull/34664)
- **http2**: add `invalidheaders` test (Pranshu Srivastava)
(https://github.com/nodejs/node/pull/33161)
- **http2**: refactor state code validation for the http2Stream class
(rickyes) (https://github.com/nodejs/node/pull/33535)
- **http2**: header field valid checks (Pranshu Srivastava)
(https://github.com/nodejs/node/pull/33193)
- **lib**: add EventTarget-related browser globals (Anna Henningsen)
(https://github.com/nodejs/node/pull/35496)
- **lib**: remove ERR\_INVALID\_OPT\_VALUE and
ERR\_INVALID\_OPT\_VALUE\_ENCODING (Denys Otrishko)
(https://github.com/nodejs/node/pull/34682)
- **lib**: handle one of args case in ERR\_MISSING\_ARGS (Denys
Otrishko) (https://github.com/nodejs/node/pull/34022)
- **lib**: remove NodeError from the prototype of errors with code
(Michaël Zasso) (https://github.com/nodejs/node/pull/33857)
- **lib**: unflag AbortController (James M Snell)
(https://github.com/nodejs/node/pull/33527)
- **lib**: initial experimental AbortController implementation (James M
Snell) (https://github.com/nodejs/node/pull/33527)
- **net**: check args in net.connect() and socket.connect() calls
(Denys Otrishko) (https://github.com/nodejs/node/pull/34022)
- **net**: remove long deprecated server.connections property (James M
Snell) (https://github.com/nodejs/node/pull/33647)
- **net**: autoDestroy Socket (Robert Nagy)
(https://github.com/nodejs/node/pull/31806)
- **process**: update v8 fast api calls usage (Maya Lekova)
(https://github.com/nodejs/node/pull/35415)
- **process**: change default --unhandled-rejections=throw (Dan
Fabulich) (https://github.com/nodejs/node/pull/33021)
- **process**: use v8 fast api calls for hrtime (Gus Caplan)
(https://github.com/nodejs/node/pull/33600)
- **process**: delay throwing an error using `throwDeprecation` (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/32312)
- **repl**: remove deprecated repl.memory function (Ruben Bridgewater)
(https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated repl.turnOffEditorMode() function (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated repl.parseREPLKeyword() function (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated bufferedCommand property (Ruben
Bridgewater) (https://github.com/nodejs/node/pull/33286)
- **repl**: remove deprecated .rli (Ruben Bridgewater)
(https://github.com/nodejs/node/pull/33286)
- **src**: implement NodePlatform::PostJob (Clemens Backes)
(https://github.com/nodejs/node/pull/35415)
- **src**: update NODE\_MODULE\_VERSION to 88 (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **src**: error reporting on CPUUsage (Yash Ladha)
(https://github.com/nodejs/node/pull/34762)
- **src**: use node:moduleName as builtin module filename (Michaël
Zasso) (https://github.com/nodejs/node/pull/35498)
- **src**: enable wasm trap handler on windows (Gus Caplan)
(https://github.com/nodejs/node/pull/35033)
- **src**: update NODE\_MODULE\_VERSION to 86 (Michaël Zasso)
(https://github.com/nodejs/node/pull/33579)
- **src**: disallow JS execution inside FreeEnvironment (Anna
Henningsen) (https://github.com/nodejs/node/pull/33874)
- **src**: remove \_third\_party\_main support (Anna Henningsen)
(https://github.com/nodejs/node/pull/33971)
- **src**: remove deprecated node debug command (James M Snell)
(https://github.com/nodejs/node/pull/33648)
- **src**: remove unused CancelPendingDelayedTasks (Anna Henningsen)
(https://github.com/nodejs/node/pull/32859)
- **stream**: try to wait for flush to complete before 'finish' (Robert
Nagy) (https://github.com/nodejs/node/pull/34314)
- **stream**: cleanup and fix Readable.wrap (Robert Nagy)
(https://github.com/nodejs/node/pull/34204)
- **stream**: add promises version to utility functions (rickyes)
(https://github.com/nodejs/node/pull/33991)
- **stream**: fix writable.end callback behavior (Robert Nagy)
(https://github.com/nodejs/node/pull/34101)
- **stream**: construct (Robert Nagy)
(https://github.com/nodejs/node/pull/29656)
- **stream**: write should throw on unknown encoding (Robert Nagy)
(https://github.com/nodejs/node/pull/33075)
- **stream**: fix \_final and 'prefinish' timing (Robert Nagy)
(https://github.com/nodejs/node/pull/32780)
- **stream**: simplify Transform stream implementation (Robert Nagy)
(https://github.com/nodejs/node/pull/32763)
- **stream**: use callback to properly propagate error (Robert Nagy)
(https://github.com/nodejs/node/pull/29179)
- **test**: update tests after increasing typed array size to 4GB
(Kim-Anh Tran) (https://github.com/nodejs/node/pull/35415)
- **test**: fix tests for npm 7.0.0 (Myles Borins)
(https://github.com/nodejs/node/pull/35631)
- **test**: fix test suite to work with npm 7 (Myles Borins)
(https://github.com/nodejs/node/pull/35474)
- **test**: update WPT harness and tests (Michaël Zasso)
(https://github.com/nodejs/node/pull/33770)
- **timers**: introduce timers/promises (James M Snell)
(https://github.com/nodejs/node/pull/33950)
- **tools**: disable x86 safe exception handlers in V8 (Michaël Zasso)
(https://github.com/nodejs/node/pull/35415)
- **tools**: update V8 gypfiles for 8.6 (Ujjwal Sharma)
(https://github.com/nodejs/node/pull/35415)
- **tools**: update V8 gypfiles for 8.5 (Ujjwal Sharma)
(https://github.com/nodejs/node/pull/35415)
- **url**: file URL path normalization (Daijiro Wachi)
(https://github.com/nodejs/node/pull/35477)
- **url**: verify domain is not empty after "ToASCII" (Michaël Zasso)
(https://github.com/nodejs/node/pull/33770)
- **url**: remove U+0000 case in the fragment state (Michaël Zasso)
(https://github.com/nodejs/node/pull/33770)
- **url**: remove gopher from special schemes (Michaël Zasso)
(https://github.com/nodejs/node/pull/33325)
- **url**: forbid lt and gt in url host code point (Yash Ladha)
(https://github.com/nodejs/node/pull/33328)
- **util**: change default value of `maxStringLength` to 10000
(unknown) (https://github.com/nodejs/node/pull/32744)
- **wasi**: drop --experimental-wasm-bigint requirement (Colin Ihrig)
(https://github.com/nodejs/node/pull/35415)
- **win, child_process**: sanitize env variables (Bartosz Sosnowski)
(https://github.com/nodejs/node/pull/35210)
- **worker**: make MessageEvent class more Web-compatible (Anna
Henningsen) (https://github.com/nodejs/node/pull/35496)
- **worker**: set trackUnmanagedFds to true by default (Anna
Henningsen) (https://github.com/nodejs/node/pull/34394)
- **worker**: rename error code to be more accurate (Anna Henningsen)
(https://github.com/nodejs/node/pull/33872)

PR-URL: https://github.com/nodejs/node/pull/35014
2020-10-20 15:42:45 +01:00
Myles Borins
59d578e1fc
2020-10-15, Version 14.14.0 (Current)
Notable changes:

crypto:
  * update certdata to NSS 3.56 (Shelley Vohr) https://github.com/nodejs/node/pull/35546
doc:
  * add aduh95 to collaborators (Antoine du Hamel) https://github.com/nodejs/node/pull/35542
fs:
  * (SEMVER-MINOR) add rm method (Ian Sutherland) https://github.com/nodejs/node/pull/35494
http:
  * (SEMVER-MINOR) allow passing array of key/val into writeHead (Robert Nagy) https://github.com/nodejs/node/pull/35274
src:
  * (SEMVER-MINOR) expose v8::Isolate setup callbacks (Shelley Vohr) https://github.com/nodejs/node/pull/35512

PR-URL: https://github.com/nodejs/node/pull/35648
2020-10-15 19:29:09 -04:00
Danielle Adams
d0438a629a
2020-10-07, Version 14.13.1 (Current)
Notable changes:

* fs:
  * remove experimental from rmdir recursive (Benjamin Coe) [#35171](https://github.com/nodejs/node/pull/35171)

PR-URL: https://github.com/nodejs/node/pull/35525
2020-10-07 17:22:52 -04:00
Shelley Vohr
1cef9c656f
2020-10-06, Version 12.19.0 'Erbium' (LTS)
Notable changes:

assert:
  * (SEMVER-MINOR) port common.mustCall() to assert (ConorDavenport) https://github.com/nodejs/node/pull/31982
async_hooks:
  * (SEMVER-MINOR) add AsyncResource.bind utility (James M Snell) https://github.com/nodejs/node/pull/34574
buffer:
  * (SEMVER-MINOR) also alias BigUInt methods (Anna Henningsen) https://github.com/nodejs/node/pull/34960
  * (SEMVER-MINOR) alias UInt ➡️ Uint in buffer methods (Anna Henningsen) https://github.com/nodejs/node/pull/34729
build:
  * (SEMVER-MINOR) add build flag for OSS-Fuzz integration (davkor) https://github.com/nodejs/node/pull/34761
cli:
  * (SEMVER-MINOR) add alias for report-directory to make it consistent (Ash Cripps) https://github.com/nodejs/node/pull/33587
crypto:
  * (SEMVER-MINOR) allow KeyObjects in postMessage (Tobias Nießen) https://github.com/nodejs/node/pull/33360
  * (SEMVER-MINOR) add randomInt function (Oli Lalonde) https://github.com/nodejs/node/pull/34600
deps:
  * upgrade to libuv 1.39.0 (Colin Ihrig) https://github.com/nodejs/node/pull/34915
  * upgrade npm to 6.14.7 (claudiahdz) https://github.com/nodejs/node/pull/34468
  * upgrade to libuv 1.38.1 (Colin Ihrig) https://github.com/nodejs/node/pull/34187
dgram:
  * (SEMVER-MINOR) add IPv6 scope id suffix to received udp6 dgrams (Pekka Nikander) https://github.com/nodejs/node/pull/14500
  * (SEMVER-MINOR) allow typed arrays in .send() (Sarat Addepalli) https://github.com/nodejs/node/pull/22413
doc:
  * (SEMVER-MINOR) Add maxTotalSockets option to agent constructor (rickyes) https://github.com/nodejs/node/pull/33617
  * (SEMVER-MINOR) add basic embedding example documentation (Anna Henningsen) https://github.com/nodejs/node/pull/30467
  * add Ricky Zhou to collaborators (rickyes) https://github.com/nodejs/node/pull/34676
  * add release key for Ruy Adorno (Ruy Adorno) https://github.com/nodejs/node/pull/34628
  * add DerekNonGeneric to collaborators (Derek Lewis) https://github.com/nodejs/node/pull/34602
  * add AshCripps to collaborators (Ash Cripps) https://github.com/nodejs/node/pull/34494
  * add HarshithaKP to collaborators (Harshitha K P) https://github.com/nodejs/node/pull/34417
  * add rexagod to collaborators (Pranshu Srivastava) https://github.com/nodejs/node/pull/34457
  * add release key for Richard Lau (Richard Lau) https://github.com/nodejs/node/pull/34397
  * add danielleadams to collaborators (Danielle Adams) https://github.com/nodejs/node/pull/34360
  * add sxa as collaborator (Stewart X Addison) https://github.com/nodejs/node/pull/34338
  * add ruyadorno to collaborators (Ruy Adorno) https://github.com/nodejs/node/pull/34297
  * (SEMVER-MAJOR) deprecate process.umask() with no arguments (Colin Ihrig) https://github.com/nodejs/node/pull/32499
embedding:
  * (SEMVER-MINOR) make Stop() stop Workers (Anna Henningsen) https://github.com/nodejs/node/pull/32531
  * (SEMVER-MINOR) provide hook for custom process.exit() behaviour (Anna Henningsen) https://github.com/nodejs/node/pull/32531
fs:
  * (SEMVER-MINOR) implement lutimes (Maël Nison) https://github.com/nodejs/node/pull/33399
http:
  * (SEMVER-MINOR) add maxTotalSockets to agent class (rickyes) https://github.com/nodejs/node/pull/33617
  * (SEMVER-MINOR) return this from IncomingMessage#destroy() (Colin Ihrig) https://github.com/nodejs/node/pull/32789
  * (SEMVER-MINOR) expose host and protocol on ClientRequest (wenningplus) https://github.com/nodejs/node/pull/33803
http2:
  * (SEMVER-MINOR) return this for Http2ServerRequest#setTimeout (Pranshu Srivastava) https://github.com/nodejs/node/pull/33994
  * (SEMVER-MINOR) do not modify explicity set date headers (Pranshu Srivastava) https://github.com/nodejs/node/pull/33160
module:
  * (SEMVER-MINOR) named exports for CJS via static analysis (Guy Bedford) https://github.com/nodejs/node/pull/35249
  * (SEMVER-MINOR) exports pattern support (Guy Bedford) https://github.com/nodejs/node/pull/34718
  * (SEMVER-MINOR) package "imports" field (Guy Bedford) https://github.com/nodejs/node/pull/34117
  * (SEMVER-MINOR) deprecate module.parent (Antoine du HAMEL) https://github.com/nodejs/node/pull/32217
n-api:
  * (SEMVER-MINOR) create N-API version 7 (Gabriel Schulhof) https://github.com/nodejs/node/pull/35199
  * (SEMVER-MINOR) support type-tagging objects (Gabriel Schulhof) https://github.com/nodejs/node/pull/28237
n-api,src:
  * (SEMVER-MINOR) provide asynchronous cleanup hooks (Anna Henningsen) https://github.com/nodejs/node/pull/34572
perf_hooks:
  * (SEMVER-MINOR) add idleTime and event loop util (Trevor Norris) https://github.com/nodejs/node/pull/34938
timers:
  * (SEMVER-MINOR) allow timers to be used as primitives (Denys Otrishko) https://github.com/nodejs/node/pull/34017
tls:
  * (SEMVER-MINOR) make 'createSecureContext' honor more options (Mateusz Krawczuk) https://github.com/nodejs/node/pull/33974
worker:
  * (SEMVER-MINOR) add public method for marking objects as untransferable (Anna Henningsen) https://github.com/nodejs/node/pull/33979
  * (SEMVER-MINOR) emit `'messagerror'` events for failed deserialization (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) allow passing JS wrapper objects via postMessage (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) allow transferring/cloning generic BaseObjects (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) add option to track unmanaged file descriptors (Anna Henningsen) https://github.com/nodejs/node/pull/34303
  * (SEMVER-MINOR) add stack size resource limit option (Anna Henningsen) https://github.com/nodejs/node/pull/33085
worker,fs:
  * (SEMVER-MINOR) make FileHandle transferable (Anna Henningsen) https://github.com/nodejs/node/pull/33772
zlib:
  * (SEMVER-MINOR) add `maxOutputLength` option (unknown) https://github.com/nodejs/node/pull/33516
  * switch to lazy init for zlib streams (Andrey Pechkurov) https://github.com/nodejs/node/pull/34048

PR-URL: https://github.com/nodejs/node/pull/35401
2020-10-06 13:34:04 -07:00
Myles Borins
cd884cc684
2020-09-29, Version 14.13.0 (Current)
Notable changes:

deps:
  * (SEMVER-MINOR) upgrade to libuv 1.40.0 (Colin Ihrig) https://github.com/nodejs/node/pull/35333
module:
  * (SEMVER-MINOR) named exports for CJS via static analysis (Guy Bedford) https://github.com/nodejs/node/pull/35249
  * (SEMVER-MINOR) exports pattern support (Guy Bedford) https://github.com/nodejs/node/pull/34718
src:
  * (SEMVER-MINOR) allow N-API addon in `AddLinkedBinding()` (Anna Henningsen) https://github.com/nodejs/node/pull/35301

PR-URL: https://github.com/nodejs/node/pull/35419
2020-09-29 15:45:07 -04:00
Ruy Adorno
25d8456563
2020-09-22, Version 14.12.0 (Current)
Notable changes:

- deps:
  - update to uvwasi 0.0.11 (Colin Ihrig)
  [#35104](https://github.com/nodejs/node/pull/35104)
- n-api:
  - create N-API version 7 (Gabriel Schulhof)
  [#35199](https://github.com/nodejs/node/pull/35199)
  - add more property defaults (Gerhard Stoebich)
  [#35214](https://github.com/nodejs/node/pull/35214)

PR-URL: https://github.com/nodejs/node/pull/35285
2020-09-22 14:04:14 -04:00
Richard Lau
8e17383653
2020-09-15, Version 14.11.0 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due
  to unfinished HTTP/1.1 requests (Critical).
- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
  (High).

PR-URL: https://github.com/nodejs-private/node-private/pull/225
2020-09-15 16:49:55 -04:00
Michaël Zasso
9ab5c6b96c
2020-09-15, Version 12.18.4 'Erbium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
- CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).

PR-URL: https://github.com/nodejs-private/node-private/pull/223
2020-09-15 21:43:35 +01:00
Beth Griggs
3bdac31c4b
2020-09-15, Version 10.22.1 'Dubnium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:

- CVE-2020-8252: fs.realpath.native on may cause buffer overflow
  (Medium).

PR-URL: https://github.com/nodejs-private/node-private/pull/222
2020-09-15 21:30:09 +01:00
Richard Lau
b7f3e83086
2020-09-10, Version 14.10.1 (Current)
Notable changes:

Node.js 14.10.0 included a streams regression with async generators
and a docs rendering regression that are being fixed in this release.

PR-URL: https://github.com/nodejs/node/pull/35137
2020-09-10 10:51:03 -04:00
Richard Lau
b5a47ca2d1
2020-09-08, Version 14.10.0 (Current)
Notable changes:

- buffer: also alias BigUInt methods (Anna Henningsen)
  https://github.com/nodejs/node/pull/34960
- crypto: add randomInt function (Oli Lalonde)
  https://github.com/nodejs/node/pull/34600
- perf_hooks: add idleTime and event loop util (Trevor Norris)
  https://github.com/nodejs/node/pull/34938
- stream: simpler and faster Readable async iterator (Robert Nagy)
  https://github.com/nodejs/node/pull/34035
- stream: save error in state (Robert Nagy)
  https://github.com/nodejs/node/pull/34103

PR-URL: https://github.com/nodejs/node/pull/35023

Conflicts:
	src/node_version.h
2020-09-08 11:35:08 -04:00
Danielle Adams
3089f96ed0
2020-08-27, Version 14.9.0 (Current)
Notable changes:

- build: set --v8-enable-object-print by default (Mary Marchini)
  [#34705](https://github.com/nodejs/node/pull/34705)
- deps:
  - upgrade to libuv 1.39.0 (cjihrig)
    [#34915](https://github.com/nodejs/node/pull/34915)
  - upgrade npm to 6.14.8 (Ruy Adorno)
    [#34834](https://github.com/nodejs/node/pull/34834)
  - V8: cherry-pick e06ace6b5cdb (Anna Henningsen)
    [#34673](https://github.com/nodejs/node/pull/34673)
- n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof)
  [#34839](https://github.com/nodejs/node/pull/34839)
- tools: add debug entitlements for macOS 10.15+ (Gabriele Greco)
  [#34378](https://github.com/nodejs/node/pull/34378)

PR-URL: https://github.com/nodejs/node/pull/34852
2020-08-27 15:44:13 +01:00
Juan José Arboleda
79402c0eaa doc: fix CHANGELOG.md parsing issue
PR-URL: https://github.com/nodejs/node/pull/34923
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2020-08-27 07:26:25 -07:00
Shelley Vohr
6e1f6ec573
2020-08-11, Version 14.8.0 (Current)
Notable changes:

async_hooks:
  * (SEMVER-MINOR) add AsyncResource.bind utility (James M Snell) https://github.com/nodejs/node/pull/34574
doc:
  * add Ricky Zhou to collaborators (rickyes) https://github.com/nodejs/node/pull/34676
  * add release key for Ruy Adorno (Ruy Adorno) https://github.com/nodejs/node/pull/34628
  * add DerekNonGeneric to collaborators (Derek Lewis) https://github.com/nodejs/node/pull/34602
module:
  * (SEMVER-MINOR) unflag Top-Level Await (Myles Borins) https://github.com/nodejs/node/pull/34558
n-api:
  * (SEMVER-MINOR) support type-tagging objects (Gabriel Schulhof) https://github.com/nodejs/node/pull/28237
n-api,src:
  * (SEMVER-MINOR) provide asynchronous cleanup hooks (Anna Henningsen) https://github.com/nodejs/node/pull/34572

PR-URL: https://github.com/nodejs/node/pull/34704
2020-08-11 09:40:48 -07:00
Ruy Adorno
168b22ba07
2020-07-29, Version 14.7.0 (Current)
Notable changes:

deps:
  * upgrade npm to 6.14.7 (claudiahdz) https://github.com/nodejs/node/pull/34468
dgram:
  * (SEMVER-MINOR) add IPv6 scope id suffix to received udp6 dgrams (Pekka Nikander) https://github.com/nodejs/node/pull/14500
doc:
  * add AshCripps to collaborators (AshCripps) https://github.com/nodejs/node/pull/34494
  * add HarshithaKP to collaborators (Harshitha K P) https://github.com/nodejs/node/pull/34417
  * add rexagod to collaborators (Pranshu Srivastava) https://github.com/nodejs/node/pull/34457
  * add release key for Richard Lau (Richard Lau) https://github.com/nodejs/node/pull/34397
events:
  * (SEMVER-MINOR) expand NodeEventTarget functionality (Anna Henningsen) https://github.com/nodejs/node/pull/34057
src:
  * (SEMVER-MINOR) allow preventing SetPromiseRejectCallback (Shelley Vohr) https://github.com/nodejs/node/pull/34387
  * (SEMVER-MINOR) allow setting a dir for all diagnostic output (AshCripps) https://github.com/nodejs/node/pull/33584
worker:
  * (SEMVER-MINOR) make MessagePort inherit from EventTarget (Anna Henningsen) https://github.com/nodejs/node/pull/34057
zlib:
  * switch to lazy init for zlib streams (Andrey Pechkurov) https://github.com/nodejs/node/pull/34048

PR-URL: https://github.com/nodejs/node/pull/34542
2020-07-29 14:38:50 -04:00
Shelley Vohr
90ee98a7d1
2020-07-22, Version 12.18.3 'Erbium' (LTS)
Notable changes:

deps:
  * upgrade npm to 6.14.6 (claudiahdz) [#34246](https://github.com/nodejs/node/pull/34246)
  * update node-inspect to v2.0.0 (Jan Krems) [#33447](https://github.com/nodejs/node/pull/33447)
  * uvwasi: cherry-pick 9e75217 (Colin Ihrig) [#33521](https://github.com/nodejs/node/pull/33521)

PR-URL: https://github.com/nodejs/node/pull/34343
2020-07-22 09:54:26 -07:00
Myles Borins
a981c65b90
2020-07-21, Version 14.6.0 (Current)
Notable changes:

deps:
  * upgrade npm to 6.14.6 (claudiahdz) https://github.com/nodejs/node/pull/34246
  * upgrade to libuv 1.38.1 (Colin Ihrig) https://github.com/nodejs/node/pull/34187
  * (SEMVER-MINOR) update V8 to 8.4.371.19 (Michaël Zasso) [#33579](https://github.com/nodejs/node/pull/33579)
module:
  * (SEMVER-MINOR) deprecate module.parent (Antoine du HAMEL) https://github.com/nodejs/node/pull/32217
  * (SEMVER-MINOR) package "imports" field (Guy Bedford) https://github.com/nodejs/node/pull/34117
src:
  * (SEMVER-MINOR) add option to track unmanaged file descriptors (Anna Henningsen) https://github.com/nodejs/node/pull/34303
  * (SEMVER-MINOR) allow embedders to disable esm loader (Shelley Vohr) https://github.com/nodejs/node/pull/34060
tls:
  * (SEMVER-MINOR) make 'createSecureContext' honor more options (Mateusz Krawczuk) https://github.com/nodejs/node/pull/33974
vm:
  * (SEMVER-MINOR) add run-after-evaluate microtask mode (Anna Henningsen) https://github.com/nodejs/node/pull/34023
worker:
  * (SEMVER-MINOR) add option to track unmanaged file descriptors (Anna Henningsen) https://github.com/nodejs/node/pull/34303
New Collaborators:
  * add danielleadams to collaborators (Danielle Adams) https://github.com/nodejs/node/pull/34360
  * add sxa as collaborator (Stewart X Addison) https://github.com/nodejs/node/pull/34338
  * add ruyadorno to collaborators (Ruy Adorno) https://github.com/nodejs/node/pull/34297

PR-URL: https://github.com/nodejs/node/pull/34371
2020-07-21 17:45:12 -04:00
Richard Lau
95770df2fb
2020-07-21, Version 10.22.0 'Dubnium' (LTS)
Notable changes:

- deps:
  - upgrade npm to 6.14.6 (claudiahdz)
    https://github.com/nodejs/node/pull/34246
  - upgrade openssl sources to 1.1.1g (Hassaan Pasha)
    https://github.com/nodejs/node/pull/32982
- n-api:
  - add `napi_detach_arraybuffer` (legendecas)
    https://github.com/nodejs/node/pull/29768

PR-URL: https://github.com/nodejs/node/pull/34170
2020-07-21 16:52:47 +01:00
Antoine du Hamel
01bd8102ef
doc: mark Node.js 13 as End-of-Life
Remove the "Current" label for Node.js 13 in the CHANGELOG.

PR-URL: https://github.com/nodejs/node/pull/34436
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
2020-07-20 18:29:09 +02:00
Shelley Vohr
eb8fc2bf0f
2020-06-30, Version 14.5.0 (Current)
Notable changes:

build:
  * (SEMVER-MINOR) reset embedder string to "-node.0" (Michaël Zasso) https://github.com/nodejs/node/pull/33376
cli:
  * (SEMVER-MINOR) add alias for report-directory to make it consistent (AshCripps) https://github.com/nodejs/node/pull/33587
crypto:
  * (SEMVER-MINOR) allow KeyObjects in postMessage (Tobias Nießen) https://github.com/nodejs/node/pull/33360
deps:
  * (SEMVER-MINOR) V8: cherry-pick 0d6debcc5f08 (Michaël Zasso) https://github.com/nodejs/node/pull/33376
  * (SEMVER-MINOR) update V8 to 8.3.110.9 (Michaël Zasso) https://github.com/nodejs/node/pull/33376
dgram:
  * (SEMVER-MINOR) allow typed arrays in .send() (Sarat Addepalli) https://github.com/nodejs/node/pull/22413
events:
  * (SEMVER-MINOR) initial implementation of experimental EventTarget (James M Snell) https://github.com/nodejs/node/pull/33556
fs:
  * (SEMVER-MINOR) implement lutimes (Maël Nison) https://github.com/nodejs/node/pull/33399
http:
  * (SEMVER-MINOR) expose host and protocol on ClientRequest (wenningplus) https://github.com/nodejs/node/pull/33803
  * (SEMVER-MINOR) add maxTotalSockets to agent class (rickyes) https://github.com/nodejs/node/pull/33617
  * (SEMVER-MINOR) return this from OutgoingMessage#destroy() (Colin Ihrig) https://github.com/nodejs/node/pull/32789
  * (SEMVER-MINOR) return this from ClientRequest#destroy() (Colin Ihrig) https://github.com/nodejs/node/pull/32789
  * (SEMVER-MINOR) return this from IncomingMessage#destroy() (Colin Ihrig) https://github.com/nodejs/node/pull/32789
  * (SEMVER-MINOR) added scheduling option to http agent (delvedor) https://github.com/nodejs/node/pull/33278
http2:
  * (SEMVER-MINOR) return this for Http2ServerRequest#setTimeout (Pranshu Srivastava) https://github.com/nodejs/node/pull/33994
  * (SEMVER-MINOR) do not modify explicity set date headers (Pranshu Srivastava) https://github.com/nodejs/node/pull/33160
process:
  * (SEMVER-MINOR) add unhandled-rejection throw and warn-with-error-code (Dan Fabulich) https://github.com/nodejs/node/pull/33475
src:
  * (SEMVER-MINOR) store key data in separate class (Tobias Nießen) https://github.com/nodejs/node/pull/33360
  * (SEMVER-MINOR) add NativeKeyObject base class (Tobias Nießen) https://github.com/nodejs/node/pull/33360
  * (SEMVER-MINOR) rename internal key handles to KeyObjectHandle (Tobias Nießen) https://github.com/nodejs/node/pull/33360
  * (SEMVER-MINOR) add equality operators for BaseObjectPtr (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) introduce BaseObject base FunctionTemplate (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) add public APIs to manage v8::TracingController (Anna Henningsen) https://github.com/nodejs/node/pull/33850
stream*:
  * runtime deprecate Transform._transformState (Robert Nagy) https://github.com/nodejs/node/pull/32763
win:
  * (SEMVER-MINOR) allow skipping the supported platform check (João Reis) https://github.com/nodejs/node/pull/33176
worker:
  * (SEMVER-MINOR) add public method for marking objects as untransferable (Anna Henningsen) https://github.com/nodejs/node/pull/33979
  * (SEMVER-MINOR) emit `'messagerror'` events for failed deserialization (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) allow passing JS wrapper objects via postMessage (Anna Henningsen) https://github.com/nodejs/node/pull/33772
  * (SEMVER-MINOR) allow transferring/cloning generic BaseObjects (Anna Henningsen) https://github.com/nodejs/node/pull/33772
worker,fs:
  * (SEMVER-MINOR) make FileHandle transferable (Anna Henningsen) https://github.com/nodejs/node/pull/33772
zlib:
  * (SEMVER-MINOR) add `maxOutputLength` option (unknown) https://github.com/nodejs/node/pull/33516

PR-URL: https://github.com/nodejs/node/pull/34093
2020-06-30 15:27:43 -07:00
Beth Griggs
cb673e1b61
2020-06-30, Version 12.18.2 'Erbium' (LTS)
Notable changes:

- deps: V8: backport fb26d0bb1835 (Matheus Marchini)
  [#33573](https://github.com/nodejs/node/pull/33573)
- src: use symbol to store `AsyncWrap` resource (Anna Henningsen)
  [#31745](https://github.com/nodejs/node/pull/31745)

PR-URL: https://github.com/nodejs/node/pull/34077
2020-06-30 14:31:59 +01:00
Shelley Vohr
e9145dbaef
2020-06-17, Version 12.18.1 'Erbium' (LTS)
Notable changes:

deps:
  * V8: cherry-pick 548f6c81d424 (Dominykas Blyžė) [#33484](https://github.com/nodejs/node/pull/33484)
  * update to uvwasi 0.0.9 (Colin Ihrig) [#33445](https://github.com/nodejs/node/pull/33445)
  * upgrade to libuv 1.38.0 (Colin Ihrig) [#33446](https://github.com/nodejs/node/pull/33446)
  * upgrade npm to 6.14.5 (Ruy Adorno) [#33239](https://github.com/nodejs/node/pull/33239)

PR-URL: https://github.com/nodejs/node/pull/33811
2020-06-17 09:26:19 -07:00
Beth Griggs
f46ca0fd29
2020-06-02, Version 10.21.0 'Dubnium' (LTS)
This is a security release.

Vulnerabilities fixed:

- CVE-2020-8174: napi_get_value_string_*() allows various kinds of
                 memory corruption (High).
- CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
- CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).

PR-URL: https://github.com/nodejs-private/node-private/pull/211
2020-06-02 20:35:52 +02:00
Michaël Zasso
12bcee8628
2020-06-02, Version 12.18.0 'Erbium' (LTS)
This is a security release.

Notable changes:

Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).

PR-URL: https://github.com/nodejs-private/node-private/pull/213
2020-06-02 20:35:52 +02:00
Michaël Zasso
64e33dc952
2020-06-02, Version 14.4.0 (Current)
This is a security release.

Notable changes:

Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: `napi_get_value_string_*()` allows various kinds of memory corruption (High).

PR-URL: https://github.com/nodejs-private/node-private/pull/212
2020-06-02 20:35:52 +02:00
Michaël Zasso
dcc112b7f7
2020-05-26, Version 12.17.0 'Erbium' (LTS)
Notable changes:

* ECMAScript Modules - `--experimental-modules` flag removal
* AsyncLocalStorage API (experimental)
* REPL previews
* REPL reverse-i-search
* REPL substring-based search
* Error monitoring
  * Monitoring `error` events
  * Monitoring uncaught exceptions
* File system APIs
  * New function: `fs.readv`
  * Optional parameters in `fs.read`
* Console `groupIndentation` option
* `maxStringLength` option for `util.inspect()`
* Stable N-API release 6
* Stable diagnostic reports
* Increase of the default server headers timeout
* New `--trace-sigint` CLI flag
* Various crypto APIs now support Diffie-Hellman secrets
* Added support for the `dns.ALL` flag in `dns.lookup()`
* Added a new experimental API to interact with Source Map V3 data
* Added support for passing a `transferList` along with `workerData` to
  the `Worker` constructor

PR-URL: https://github.com/nodejs/node/pull/33197
2020-05-26 15:55:39 +02:00
Shelley Vohr
c841f516d5
2020-05-19, Version 14.3.0 (Current)
Notable changes:

async_hooks:
  * (SEMVER-MINOR) move PromiseHook handler to JS (Stephen Belanger) https://github.com/nodejs/node/pull/32891
cli:
  * (SEMVER-MINOR) add `--trace-atomics-wait` flag (Anna Henningsen) https://github.com/nodejs/node/pull/33292
fs:
  * (SEMVER-MINOR) add .ref() and .unref() methods to watcher classes (rickyes) https://github.com/nodejs/node/pull/33134
http:
  * (SEMVER-MINOR) expose http.validate-header-name/value (osher) https://github.com/nodejs/node/pull/33119
repl:
  * (SEMVER-MINOR) deprecate repl._builtinLibs (Ruben Bridgewater) https://github.com/nodejs/node/pull/33294
  * (SEMVER-MINOR) deprecate repl.inputStream and repl.outputStream (Ruben Bridgewater) https://github.com/nodejs/node/pull/33294
  * (SEMVER-MINOR) show reference errors during preview (Ruben Bridgewater) https://github.com/nodejs/node/pull/33282
  * (SEMVER-MINOR) improve repl preview (Ruben Bridgewater) https://github.com/nodejs/node/pull/33282
src:
  * add support for TLA (Gus Caplan) https://github.com/nodejs/node/pull/30370

PR-URL: https://github.com/nodejs/node/pull/33452
2020-05-19 14:28:43 -07:00
Michaël Zasso
f446b2058d
2020-05-05, Version 14.2.0 (Current)
Notable changes:

* Track function calls with `assert.CallTracker` (experimental).
  https://github.com/nodejs/node/pull/31982
* Added a `groupIndentation` option to the `Console` constructor.
  https://github.com/nodejs/node/pull/32964

PR-URL: https://github.com/nodejs/node/pull/33232
2020-05-05 20:24:37 +02:00
Ruben Bridgewater
d7b02c3cad
2020-04-29, Version 13.14.0 (Current)
Notable Changes:

* async_hooks**:
  * Merge `run` and `exit` methods (Andrey Pechkurov)
    https://github.com/nodejs/node/pull/31950
  * Prevent sync methods of async storage exiting outer context
    (Stephen Belanger)
    https://github.com/nodejs/node/pull/31950
* vm:
  * Add `importModuleDynamically` option to compileFunction (Gus
    Caplan)
    https://github.com/nodejs/node/pull/32985

New core collaborators:

With this release, we welcome two new Node.js core collaborators:

* Juan José Arboleda @juanarbol
  https://github.com/nodejs/node/pull/32906
* Andrey Pechkurov @puzpuzpuz
  https://github.com/nodejs/node/pull/32817

PR-URL: https://github.com/nodejs/node/pull/33122
2020-04-30 00:24:31 +02:00
Beth Griggs
49db211846
2020-04-29, Version 14.1.0 (Current)
Notable changes:

- deps: upgrade openssl sources to 1.1.1g (Hassaan Pasha)
  [#32971](https://github.com/nodejs/node/pull/32971)
- doc: add juanarbol as collaborator (Juan José Arboleda)
  [#32906](https://github.com/nodejs/node/pull/32906)
- http: doc deprecate abort and improve docs (Robert Nagy)
  [#32807](https://github.com/nodejs/node/pull/32807)
- module: do not warn when accessing `__esModule` of unfinished exports
  (Anna Henningsen) [#33048](https://github.com/nodejs/node/pull/33048)
- n-api: detect deadlocks in thread-safe function (Gabriel Schulhof)
  [#32860](https://github.com/nodejs/node/pull/32860)
- src: deprecate embedder APIs with replacements (Anna Henningsen)
  [#32858](https://github.com/nodejs/node/pull/32858)
- stream:
  - don't emit end after close (Robert Nagy)
    [#33076](https://github.com/nodejs/node/pull/33076)
  - don't wait for close on legacy streams (Robert Nagy)
    [#33058](https://github.com/nodejs/node/pull/33058)
  - pipeline should only destroy un-finished streams (Robert Nagy)
    [#32968](https://github.com/nodejs/node/pull/32968)
- vm: add importModuleDynamically option to compileFunction (Gus Caplan)
  [#32985](https://github.com/nodejs/node/pull/32985)

PR-URL: https://github.com/nodejs/node/pull/33103
2020-04-29 19:33:51 +01:00
Michaël Zasso
165011ea98
2020-04-28, Version 12.16.3 'Erbium' (LTS)
Notable changes:

Dependencies:
  * Updated OpenSSL to 1.1.1g.
    https://github.com/nodejs/node/pull/32971
  * Updated c-ares to 1.16.0.
    https://github.com/nodejs/node/pull/32246
  * Updated experimental uvwasi to 0.0.6.
    https://github.com/nodejs/node/pull/32309
ESM (experimental):
  * Additional warnings are no longer printed for modules that use
    conditional exports or package name self resolution.
    https://github.com/nodejs/node/pull/31845

PR-URL: https://github.com/nodejs/node/pull/33009
2020-04-28 15:24:52 +02:00
Beth Griggs
372c7cc3c2
2020-04-21, Version 14.0.0 (Current)
Deprecations:

- (SEMVER-MAJOR) crypto: move pbkdf2 without digest to EOL
  (James M Snell) [#31166](https://github.com/nodejs/node/pull/31166)
- (SEMVER-MAJOR) fs: deprecate closing FileHandle on garbage collection
  (James M Snell) [#28396](https://github.com/nodejs/node/pull/28396)
- (SEMVER-MAJOR) http: move OutboundMessage.prototype.flush to EOL
  (James M Snell) [#31164](https://github.com/nodejs/node/pull/31164)
- (SEMVER-MAJOR) lib: move GLOBAL and root aliases to EOL
  (James M Snell) [#31167](https://github.com/nodejs/node/pull/31167)
- (SEMVER-MAJOR) os: move tmpDir() to EOL
  (James M Snell)[#31169](https://github.com/nodejs/node/pull/31169)
- (SEMVER-MAJOR) src: remove deprecated wasm type check
  (Clemens Backes) [#32116](https://github.com/nodejs/node/pull/32116)
- (SEMVER-MAJOR) stream: move \_writableState.buffer to EOL
  (James M Snell) [#31165](https://github.com/nodejs/node/pull/31165)
- (SEMVER-MINOR) doc: deprecate process.mainModule
  (Antoine du HAMEL) [#32232](https://github.com/nodejs/node/pull/32232)
- (SEMVER-MINOR) doc: deprecate process.umask() with no arguments
  (Colin Ihrig) [#32499](https://github.com/nodejs/node/pull/32499)

ECMAScript Modules - Experimental Warning Removal:

- module: remove experimental modules warning
  (Guy Bedford) [#31974](https://github.com/nodejs/node/pull/31974)

In Node.js 13 we removed the need to include the --experimental-modules
flag, but when running EcmaScript Modules in Node.js, this would still
result in a warning ExperimentalWarning: The ESM module loader is
experimental.

As of Node.js 14 there is no longer this warning when using ESM in
Node.js. However, the ESM implementation in Node.js remains
experimental. As per our stability index: “The feature is not subject
to Semantic Versioning rules. Non-backward compatible changes or
removal may occur in any future release.” Users should be cautious when
using the feature in production environments.

Please keep in mind that the implementation of ESM in Node.js differs
from the developer experience you might be familiar with. Most
transpilation workflows support features such as optional file
extensions or JSON modules that the Node.js ESM implementation does not
support. It is highly likely that modules from transpiled environments
will require a certain degree of refactoring to work in Node.js. It is
worth mentioning that many of our design decisions were made with two
primary goals. Spec compliance and Web Compatibility. It is our belief
that the current implementation offers a future proof model to
authoring ESM modules that paves the path to Universal JavaScript.
Please read more in our documentation.

The ESM implementation in Node.js is still experimental but we do believe
that we are getting very close to being able to call ESM in Node.js
“stable”. Removing the warning is a huge step in that direction.

New V8 ArrayBuffer API:

* **src**: migrate to new V8 ArrayBuffer API
  (Thang Tran) [#30782](https://github.com/nodejs/node/pull/30782)

Multiple ArrayBuffers pointing to the same base address are no longer
allowed by V8. This may impact native addons.

Toolchain and Compiler Upgrades:

- (SEMVER-MAJOR) build: update macos deployment target to 10.13 for 14.x
  (AshCripps)[#32454](https://github.com/nodejs/node/pull/32454)
- (SEMVER-MAJOR) doc: update cross compiler machine for Linux armv7
  (Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) doc: update Centos/RHEL releases use devtoolset-8
  (Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) doc: remove SmartOS from official binaries
  (Richard Lau) [#32812](https://github.com/nodejs/node/pull/32812)
- (SEMVER-MAJOR) win: block running on EOL Windows versions
  (João Reis) [#31954](https://github.com/nodejs/node/pull/31954)

It is expected that there will be an ABI mismatch on ARM between the
Node.js binary and native addons. Native addons are only broken if they
interact with `std::shared_ptr`. This is expected to be fixed in a
later version of Node.js 14.
- [#30786](https://github.com/nodejs/node/issues/30786)

Update to V8 8.1:

- (SEMVER-MAJOR) deps: update V8 to 8.1.307.20
  (Matheus Marchini) [#32116](https://github.com/nodejs/node/pull/32116)

Other Notable Changes:

- cli, report: move --report-on-fatalerror to stable
  (Colin Ihrig) [#32496](https://github.com/nodejs/node/pull/32496)
- deps: upgrade to libuv 1.37.0
  (Colin Ihrig) [#32866](https://github.com/nodejs/node/pull/32866)
- fs: add fs/promises alias module
  (Gus Caplan) [#31553](https://github.com/nodejs/node/pull/31553)

PR-URL: https://github.com/nodejs/node/pull/32181
2020-04-21 15:50:14 +01:00
Michaël Zasso
cf4c332b7a
2020-04-14, Version 13.13.0 (Current)
Notable changes:

New file system APIs:
* Added a new function, `fs.readv` (with sync and promisified versions).
  This function takes an array of `ArrayBufferView` elements and will
  write the data it reads sequentially to the buffers
  (Sk Sajidul Kadir). https://github.com/nodejs/node/pull/32356
* A new overload is available for `fs.readSync`, which allows to
  optionally pass any of the `offset`, `length` and `position`
  parameters. https://github.com/nodejs/node/pull/32460

Other changes:
* dns:
  * Added the `dns.ALL` flag, that can be passed to `dns.lookup()` with
    `dns.V4MAPPED` to return resolved IPv6 addresses as well as IPv4
    mapped IPv6 addresses (murgatroid99).
    https://github.com/nodejs/node/pull/32183
* http:
  * The default maximum HTTP header size was changed from 8KB to 16KB
    (rosaxny). https://github.com/nodejs/node/pull/32520
* n-api:
  * Calls to `napi_call_threadsafe_function` from the main thread can
    now return the `napi_would_deadlock` status in certain
    circumstances (Gabriel Schulhof).
    https://github.com/nodejs/node/pull/32689
* util:
  * Added a new `maxStrLength` option to `util.inspect`, to control the
    maximum length of printed strings. Its default value is `Infinity`
    (rosaxny). https://github.com/nodejs/node/pull/32392
* worker:
  * Added support for passing a `transferList` along with `workerData`
    to the `Worker` constructor (Juan José Arboleda).
    https://github.com/nodejs/node/pull/32278

New core collaborators:
With this release, we welcome three new Node.js core collaborators:
* himself65. https://github.com/nodejs/node/pull/32734
* flarna (Gerhard Stoebich). https://github.com/nodejs/node/pull/32620
* mildsunrise (Alba Mendez). https://github.com/nodejs/node/pull/32525

PR-URL: https://github.com/nodejs/node/pull/32813
2020-04-14 20:22:41 +02:00
Beth Griggs
8d93df41b0
2020-04-12 Node.js v10.20.1 'Dubnium' (LTS) Release
Notable changes:

Due to release process failures, Node.js v10.20.0 shipped with source
and header tarballs that did not properly match the final release
commit that was used to build the binaries. We recommend that Node.js
v10.20.0 not be used, particularly in any applications using native
add-ons or where compiling Node.js from source is involved.

Node.js v10.20.1 is a clean release with the correct sources and is
strongly recommended in place of v10.20.0.

PR-URL: https://github.com/nodejs/node/pull/32768
2020-04-12 13:55:01 +01:00
Shelley Vohr
6ec0285478
2020-04-08 Version 12.16.2 'Erbium' (LTS)
Notable changes:

doc:
  * add ronag to collaborators (Robert Nagy) [#31498](https://github.com/nodejs/node/pull/31498)
  * add GeoffreyBooth to collaborators (Geoffrey Booth) [#31306](https://github.com/nodejs/node/pull/31306)
deps:
  * upgrade npm to 6.13.6 (Ruy Adorno) [#31304](https://github.com/nodejs/node/pull/31304)
  * update openssl to 1.1.1e (Hassaan Pasha) [#32328](https://github.com/nodejs/node/pull/32328)
2020-04-08 11:10:14 -07:00
Beth Griggs
9b46e3f7cc
2020-04-08, Version 10.20.0 'Dubnium' (LTS)
macOS package notarization and a change in builder configuration

The macOS binaries for this release, and future 10.x releases, are now
being compiled on macOS 10.15 (Catalina) with Xcode 11 to support
package notarization, a requirement for installing .pkg files on macOS
10.15 and later. Previous builds of Node.js 10.x were compiled on macOS
10.10 (Yosemite) with a minimum deployment target of macOS 10.7 (Lion).
As binaries are still being compiled to support a minimum of macOS 10.7
(Lion) we do not anticipate this having a negative impact on Node.js
10.x users with older versions of macOS.

Notable changes:

- buffer: add {read|write}Big\[U\]Int64{BE|LE} methods (garygsc)
  [#19691](https://github.com/nodejs/node/pull/19691)
- build: macOS package notarization (Rod Vagg)
  [#31459](https://github.com/nodejs/node/pull/31459)
- deps:
  - update npm to 6.14.3 (Myles Borins)
    [#32368](https://github.com/nodejs/node/pull/32368)
  - upgrade openssl sources to 1.1.1e (Hassaan Pasha)
    [#32328](https://github.com/nodejs/node/pull/32328)
  - upgrade to libuv 1.34.2 (cjihrig)
    [#31477](https://github.com/nodejs/node/pull/31477)
- n-api:
  - add napi\_get\_all\_property\_names (himself65)
    [#30006](https://github.com/nodejs/node/pull/30006)
  - add APIs for per-instance state management (Gabriel Schulhof)
    [#28682](https://github.com/nodejs/node/pull/28682)
  - define release 6
    [#32058](https://github.com/nodejs/node/pull/32058)
  - turn NAPI\_CALL\_INTO\_MODULE into a function (Anna Henningsen)
    [#26128](https://github.com/nodejs/node/pull/26128)
- tls:
  - expose keylog event on TLSSocket (Alba Mendez)
    [#27654](https://github.com/nodejs/node/pull/27654)
  - support TLS min/max protocol defaults in CLI (Sam Roberts)
    [#27946](https://github.com/nodejs/node/pull/27946)
- url: handle quasi-WHATWG URLs in urlToOptions() (cjihrig)
  [#26226](https://github.com/nodejs/node/pull/26226)

PR-URL: https://github.com/nodejs/node/pull/31984
2020-04-08 16:50:11 +01:00
Myles Borins
113c04c524
2020-03-26 Version 13.12.0 (Current)
macOS package notarization and a change in builder configuration:

The macOS binaries for this release, and future 13.x releases, are now
being compiled on macOS 10.15 (Catalina) with Xcode 11 to support
package notarization, a requirement for installing on .pkg files on
macOS 10.15 and later. Previous builds of Node.js 13.x were compiled on
macOS 10.11 (El Capitan) with Xcode 10. As binaries are still being
compiled to support a minimum of macOS 10.10 (Yosemite) we do not
anticipate this having a negative impact on Node.js 13.x users with
older versions of macOS.

Notable changes:

* build:
  * macOS package notarization (Rod Vagg)
    https://github.com/nodejs/node/pull/31459
* deps:
  * upgrade npm to 6.14.4 (Ruy Adorno)
    https://github.com/nodejs/node/pull/32495
  * update to uvwasi 0.0.6 (Colin Ihrig)
    https://github.com/nodejs/node/pull/32309
  * upgrade to libuv 1.35.0 (Colin Ihrig)
    https://github.com/nodejs/node/pull/32204
* lib:
  * add --disable-proto option to cli (Gus Caplan)
    https://github.com/nodejs/node/pull/32279
* node_report:
  * move diagnostic reports to stable (Colin Ihrig)
    https://github.com/nodejs/node/pull/32242
* worker:
  * allow URL in Worker constructor (Antoine du HAMEL)
    https://github.com/nodejs/node/pull/31664
* util:
  * use a global symbol for `util.promisify.custom` (ExE Boss)
    https://github.com/nodejs/node/pull/31672

PR-URL: https://github.com/nodejs/node/pull/32376
2020-03-26 18:49:28 -04:00
Myles Borins
5bfbd75e47
2020-03-11 Version 13.11.0 (Current)
Notable changes:

* async_hooks:
  - add sync enterWith to ALS (Stephen Belanger)
    https://github.com/nodejs/node/pull/31945
* cli:
  - allow --jitless V8 flag in NODE\_OPTIONS (Andrew Neitsch)
    https://github.com/nodejs/node/pull/32100
* fs:
  - return first folder made by mkdir recursive (Benjamin Coe)
    https://github.com/nodejs/node/pull/31530
* n-api:
  - define release 6 (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/32058
* src:
  - create a getter for kernel version (Juan José Arboleda)
    https://github.com/nodejs/node/pull/31732
* wasi:
  - add returnOnExit option (Colin Ihrig)
    https://github.com/nodejs/node/pull/32101

PR-URL: https://github.com/nodejs/node/pull/32185
2020-03-11 23:54:53 -04:00
Rich Trott
b6cd2155c3 doc: remove em dashes
Our documentation uses em dashes inconsistently. They are treated
inconsistently typographically too. (For example, they are sometimes
surrounded by spaces and sometimes not.) They are also often confused
with ordinary hyphens such as in the CHANGELOG, where they are
inadvertently mixed together in a single list. The difference is
not obvious in the raw markdown but is very noticeable when rendered,
appearing to be a typographical error (which it in fact is).

The em dash is never needed. There are always alternatives. Remove em
dashes entirely.

PR-URL: https://github.com/nodejs/node/pull/32080
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2020-03-05 22:25:42 -08:00
Myles Borins
67d45fb298
2020-03-04 Version 13.10.1 (Current)
Notable changes:

In Node.js 13.9.0 deps/zlib was switched to the chromium maintained
implementation. This change had the unforseen consequence of breaking
building from the tarballs we release as we were too aggressively
removing `unneccessary files` from the `deps/zlib` folder. This release
includes a patch that ensures that individuals will once again be able
to build Node.js from source.

PR-URL: https://github.com/nodejs/node/pull/32099
2020-03-04 20:37:29 -05:00
Shelley Vohr
75466869fb
2020-03-04 Version 13.10.0 (Current)
Notable changes:

* async_hooks
  * introduce async-context API (vdeturckheim) #26540
* stream
  * support passing generator functions into pipeline() (Robert Nagy) #31223
* tls
  * expose SSL\_export\_keying\_material (simon) #31814
* vm
  * implement vm.measureMemory() for per-context memory measurement (Joyee Cheung) #31824

PR-URL: https://github.com/nodejs/node/pull/32027
2020-03-04 09:53:11 -08:00
Shelley Vohr
0c3c0e7184
2020-02-18, Version 13.9.0 (Current)
Notable changes:

* async_hooks
  * add executionAsyncResource (Matteo Collina) #30959
* crypto
  * add crypto.diffieHellman (Tobias Nießen) #31178
  * add DH support to generateKeyPair (Tobias Nießen) #31178
  * simplify DH groups (Tobias Nießen) #31178
  * add key type 'dh' (Tobias Nießen) #31178
* test
  * skip keygen tests on arm systems (Tobias Nießen) #31178
* perf_hooks
  * add property flags to GCPerformanceEntry (Kirill Fomichev) #29547
* process
  * report ArrayBuffer memory in `memoryUsage()` (Anna Henningsen) #31550
* readline
  * make tab size configurable (Ruben Bridgewater) #31318
* report
  * add support for Workers (Anna Henningsen) #31386
* worker
  * add ability to take heap snapshot from parent thread (Anna Henningsen) #31569
* added new collaborators
  * add ronag to collaborators (Robert Nagy) #31498

PR-URL: https://github.com/nodejs/node/pull/31837
2020-02-18 12:40:21 -08:00
Myles Borins
1c2d77d3d9
2020-02-18, Version 12.16.1 'Erbium' (LTS)
Notable changes:

Node.js 12.16.0 included 6 regressions that are being fixed in this
release

**Accidental Unflagging of Self Resolving Modules**:

12.16.0 included a large update to the ESM implementation. One of the
new features, Self Referential Modules, was accidentally released
without requiring the `--experimental-modules` flag. This release is
being made to appropriately flag the feature.

**Process Cleanup Changed Introduced WASM-Related Assertion**:

A change during Node.js process cleanup led to a crash in combination
with specific usage of WASM. This has been fixed by partially reverted
said change. A regression test and a full fix are being worked on and
will likely be included in future 12.x and 13.x releases.

**Use Largepages Runtime Option Introduced Linking Failure**:

A Semver-Minor change to introduce `--use-largepages` as a runtime
option introduced a linking failure. This had been fixed in master but
regressed as the fix has not yet gone out in a Current release. The
feature has been reverted, but will be able to reland with a fix in a
future Semver-Minor release.

**Async Hooks was Causing an Exception When Handling Errors**:

Changes in async hooks internals introduced a case where an internal
api call could be called with undefined causing a process to crash. The
change to async hooks was reverted. A regression test and fix has been
proposed and the change could re land in a future Semver-Patch release
if the regression is reliably fixed.

**New Enumerable Read-Only Property on EventEmitter breaks @types/extend**

A new property for enumerating events was added to the EventEmitter
class. This broke existing code that was using the `@types/extend`
module for extending classses as `@types/extend` was attemping to write
over the existing field which the new change made read-only. As this is
the first property on EventEmitter that is read-only this feature could
be considered Semver-Major. The new feature has been reverted but could
re land in a future Semver-Minor release if a non breaking way of
applying it is found.

**Exceptions in the HTTP parser were not emitting an uncaughtException**

A refactoring to Node.js interanls resulted in a bug where errors in
the HTTP parser were not being emitted by
`process.on('uncaughtException')`. The fix to this bug has been
included in this release.

PR-URL: https://github.com/nodejs/node/pull/31781
2020-02-18 14:46:29 -05:00
Myles Borins
1c11ea4388
2020-02-11, Version 12.16.0 'Erbium' (LTS)
Notable changes:

New assert APIs

The `assert` module now provides experimental `assert.match()` and
`assert.doesNotMatch()` methods. They will validate that the first argument is a
string and matches (or does not match) the provided regular expression

This is an experimental feature.

Ruben Bridgewater [#30929](https://github.com/nodejs/node/pull/30929).

Advanced serialization for IPC

The `child_process` and `cluster` modules now support a `serialization` option
to change the serialization mechanism used for IPC. The option can have one of
two values:

* `'json'` (default): `JSON.stringify()` and `JSON.parse()` are used. This is
  how message serialization was done before.
* `'advanced'`: The serialization API of the `v8` module is used. It is based on
  the HTML structured clone algorithm.
  and is able to serialize more built-in JavaScript object types, such as
  `BigInt`, `Map`, `Set` etc. as well as circular data structures.

Anna Henningsen [#30162](https://github.com/nodejs/node/pull/30162).

CLI flags

The new `--trace-exit` CLI flag makes Node.js print a stack trace whenever the
Node.js environment is exited proactively (i.e. by invoking the `process.exit()`
function or pressing Ctrl+C).

legendecas [#30516](https://github.com/nodejs/node/pull/30516).

___

The new `--trace-uncaught` CLI flag makes Node.js print a stack trace at the
time of throwing uncaught exceptions, rather than at the creation of the `Error`
object, if there is any.
This option is not enabled by default because it may affect garbage collection
behavior negatively.

Anna Henningsen [#30025](https://github.com/nodejs/node/pull/30025).

___

The `--disallow-code-generation-from-strings` V8 CLI flag is now whitelisted in
the `NODE_OPTIONS` environment variable.

Shelley Vohr [#30094](https://github.com/nodejs/node/pull/30094).

New crypto APIs

For DSA and ECDSA, a new signature encoding is now supported in addition to the
existing one (DER). The `verify` and `sign` methods accept a `dsaEncoding`
option, which can have one of two values:

* `'der'` (default): DER-encoded ASN.1 signature structure encoding `(r, s)`.
* `'ieee-p1363'`: Signature format `r || s` as proposed in IEEE-P1363.

Tobias Nießen [#29292](https://github.com/nodejs/node/pull/29292).

___

A new method was added to `Hash`: `Hash.prototype.copy`. It makes it possible to
clone the internal state of a `Hash` object into a new `Hash` object, allowing
to compute the digest between updates.

Ben Noordhuis [#29910](https://github.com/nodejs/node/pull/29910).

Dependency updates

libuv was updated to 1.34.0. This includes fixes to `uv_fs_copyfile()` and
`uv_interface_addresses()` and adds two new functions: `uv_sleep()` and
`uv_fs_mkstemp()`.

Colin Ihrig [#30783](https://github.com/nodejs/node/pull/30783).

___

V8 was updated to 7.8.279.23. This includes performance improvements to object
destructuring, RegExp match failures and WebAssembly startup time.
The official release notes are available at https://v8.dev/blog/v8-release-78.

Michaël Zasso [#30109](https://github.com/nodejs/node/pull/30109).

New EventEmitter APIs

The new `EventEmitter.on` static method allows to async iterate over events.

Matteo Collina [#27994](https://github.com/nodejs/node/pull/27994).

___

It is now possible to monitor `'error'` events on an `EventEmitter` without
consuming the emitted error by installing a listener using the symbol
`EventEmitter.errorMonitor`.

Gerhard Stoebich [#30932](https://github.com/nodejs/node/pull/30932).

___

Using `async` functions with event handlers is problematic, because it
can lead to an unhandled rejection in case of a thrown exception.

The experimental `captureRejections` option in the `EventEmitter` constructor or
the global setting change this behavior, installing a
`.then(undefined, handler)` handler on the `Promise`. This handler routes the
exception asynchronously to the `Symbol.for('nodejs.rejection')` method if there
is one, or to the `'error'` event handler if there is none.

Setting `EventEmitter.captureRejections = true` will change the default for all
new instances of `EventEmitter`.

This is an experimental feature.

Matteo Collina [#27867](https://github.com/nodejs/node/pull/27867).

Performance Hooks are no longer experimental

The `perf_hooks` module is now considered a stable API.

legendecas [#31101](https://github.com/nodejs/node/pull/31101).

Introduction of experimental WebAssembly System Interface (WASI) support

A new core module, `wasi`, is introduced to provide an implementation of the
[WebAssembly System Interface](https://wasi.dev/) specification.
WASI gives sandboxed WebAssembly applications access to the
underlying operating system via a collection of POSIX-like functions.

This is an experimental feature.

Colin Ihrig [#30258](https://github.com/nodejs/node/pull/30258).

PR-URL: https://github.com/nodejs/node/pull/31691
2020-02-11 19:20:59 +01:00
Beth Griggs
d602e586bf
2020-02-06, Version 10.19.0 'Dubnium' (LTS)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
          HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
          HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
          Remotely trigger an assertion on a TLS server with a malformed
          certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/198
2020-02-06 03:05:04 +00:00
Beth Griggs
e65ae42785
2020-02-06, Version 12.15.0 'Erbium' (LTS)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/197
2020-02-06 02:55:47 +00:00
Beth Griggs
f0f2583c91
2020-02-06, Version 13.8.0 (Current)
This is a security release.

Vulnerabilities fixed:
* **CVE-2019-15606**:
      HTTP header values do not have trailing OWS trimmed.
* **CVE-2019-15605**:
      HTTP request smuggling using malformed Transfer-Encoding header.
* **CVE-2019-15604**:
      Remotely trigger an assertion on a TLS server with a malformed
      certificate string.

Also, HTTP parsing is more strict to be more secure. Since this may
cause problems in interoperability with some non-conformant HTTP
implementations, it is possible to disable the strict checks with the
`--insecure-http-parser` command line flag, or the `insecureHTTPParser`
http option. Using the insecure HTTP parser should be avoided.

PR-URL: https://github.com/nodejs-private/node-private/pull/196
2020-02-06 02:39:39 +00:00
Shelley Vohr
a484f1acf3
2020-01-21, Version 13.7.0 (Current)
Notable changes:

* deps:
  * upgrade to libuv 1.34.1 (cjihrig) https://github.com/nodejs/node/pull/31332
  * upgrade npm to 6.13.6 (Ruy Adorno) https://github.com/nodejs/node/pull/31304
* module
  * add API for interacting with source maps (bcoe) https://github.com/nodejs/node/pull/31132
  * loader getSource, getFormat, transform hooks (Geoffrey Booth) https://github.com/nodejs/node/pull/30986
  * logical conditional exports ordering (Guy Bedford) https://github.com/nodejs/node/pull/31008
  * unflag conditional exports (Guy Bedford) https://github.com/nodejs/node/pull/31001
* process:
  * allow monitoring uncaughtException (Gerhard Stoebich) https://github.com/nodejs/node/pull/31257
* Added new collaborators:
  * [GeoffreyBooth](https://github.com/GeoffreyBooth) - Geoffrey Booth. https://github.com/nodejs/node/pull/31306

PR-URL: https://github.com/nodejs/node/pull/31382
2020-01-21 09:58:13 -08:00
Beth Griggs
9d5d4f84e3
2020-01-09, Version 10.18.1 'Dubnium' (LTS)
- http2: fix session memory accounting after pausing (Michael Lehenbauer)
  [#30684](https://github.com/nodejs/node/pull/30684)
- n-api: correct bug in napi_get_last_error (Octavian Soldea)
  [#28702](https://github.com/nodejs/node/pull/28702)
- tools: update tzdata to 2019c (Myles Borins)
  [#30479](https://github.com/nodejs/node/pull/30479)

PR-URL: https://github.com/nodejs/node/pull/31248
2020-01-09 21:48:45 +00:00
Ruben Bridgewater
e908323b7e
2020-01-07, Version v13.6.0 (Current)
Notable changes:

* assert:
  * Implement `assert.match()` and `assert.doesNotMatch()` (Ruben
    Bridgewater) https://github.com/nodejs/node/pull/30929
* events:
  * Add `EventEmitter.on` to async iterate over events (Matteo Collina)
    https://github.com/nodejs/node/pull/27994
  * Allow monitoring error events (Gerhard Stoebich)
    https://github.com/nodejs/node/pull/30932
* fs:
  * Allow overriding `fs` for streams (Robert Nagy)
    https://github.com/nodejs/node/pull/29083
* perf_hooks:
  * Move `perf_hooks` out of experimental (legendecas)
    https://github.com/nodejs/node/pull/31101
* repl:
  * Implement ZSH-like reverse-i-search (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/31006
* tls:
  * Add PSK (pre-shared key) support (Denys Otrishko)
    https://github.com/nodejs/node/pull/23188

PR-URL: https://github.com/nodejs/node/pull/31238
2020-01-08 00:10:43 +01:00
Beth Griggs
f5512ff61e
2020-01-07, Version 12.14.1 'Erbium' (LTS)
Notable changes:

- crypto: fix key requirements in asymmetric cipher (Tobias Nießen)
  https://github.com/nodejs/node/pull/30249
- deps:
    - update llhttp to 2.0.1 (Fedor Indutny)
      https://github.com/nodejs/node/pull/30553
    - update nghttp2 to 1.40.0 (gengjiawen)
      https://github.com/nodejs/node/pull/30493
- v8: mark serdes API as stable (Anna Henningsen)
  https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/31069
2020-01-07 17:25:49 +00:00
Beth Griggs
d845915d46 doc: mark Node.js 8 End-of-Life in CHANGELOG
PR-URL: https://github.com/nodejs/node/pull/31152
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Yuta Hiroto <hello@hiroppy.me>
2020-01-03 20:11:54 -08:00
Myles Borins
24263ff718
2019-12-18, Version 13.5.0 (Current)
Notable Changes:

* cli:
  * add --trace-exit cli option (legendecas)
    https://github.com/nodejs/node/pull/30516
* http,https:
  * increase server headers timeout (Tim Costa)
    https://github.com/nodejs/node/pull/30071
* readline:
  * update ansi-regex (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30907
  * promote \_getCursorPos to public api (Jeremy Albright)
    https://github.com/nodejs/node/pull/30687
* repl:
  * add completion preview (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30907
* util:
  * add Set and map size to inspect output (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30225
* wasi:
  * require CLI flag to require() wasi module (Colin Ihrig)
    https://github.com/nodejs/node/pull/30963

PR-URL: https://github.com/nodejs/node/pull/31010
2019-12-18 13:51:03 -05:00
Myles Borins
bef1e87e1c
2019-12-17, Version 13.4.0 (Current)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:
* deps:
  * update npm to 6.13.4
    https://github.com/nodejs/node/pull/30904
  * update uvwasi (Anna Henningsen)
    https://github.com/nodejs/node/pull/30745
  * upgrade to libuv 1.34.0 (Colin Ihrig)
    https://github.com/nodejs/node/pull/30783
* doc:
  * docs deprecate http finished (Robert Nagy)
    https://github.com/nodejs/node/pull/28679
* events:
  * add captureRejection option (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* http:
  * add captureRejection support (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
  * llhttp opt-in insecure HTTP header parsing (Sam Roberts)
    https://github.com/nodejs/node/pull/30567
* http2:
  * implement capture rection for 'request' and 'stream' events (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* net:
  * implement capture rejections for 'connection' event (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* repl:
  * support previews by eager evaluating input (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/30811
* stream:
  * add support for captureRejection option (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
* tls:
  * implement capture rejections for 'secureConnection' event (Matteo Collina)
    https://github.com/nodejs/node/pull/27867
  * expose IETF name for current cipher suite (Sam Roberts)
    https://github.com/nodejs/node/pull/30637
* worker:
  * add argv constructor option (legendecas)
    https://github.com/nodejs/node/pull/30559

PR-URL: https://github.com/nodejs/node/pull/30937
2019-12-17 17:29:02 -05:00
Myles Borins
75c5de2218
2019-12-17, Version 12.14.0 'Erbium' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30938
2019-12-17 17:16:25 -05:00
Myles Borins
178c5d86b0
2019-12-17, Version 10.18.0 'Dubnium' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30940
2019-12-17 17:15:40 -05:00
Myles Borins
8bfa4d0480
2019-12-17, Version 8.17.0 'Carbon' (LTS)
This is a security release.

For more details about the vulnerability please consult the npm blog:

https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli

Notable Changes:

* deps: update npm to 6.13.4
  https://github.com/nodejs/node/pull/30904

PR-URL: https://github.com/nodejs/node/pull/30941
2019-12-17 17:15:09 -05:00
Ruben Bridgewater
4091ea90b6
2019-12-03, Version 13.3.0 (Current)
Notable changes:

* fs:
  * Reworked experimental recursive `rmdir()`  (cjihrig)
    https://github.com/nodejs/node/pull/30644
    * The `maxBusyTries` option is renamed to `maxRetries`, and its
      default is set to 0. The `emfileWait` option has been removed,
      and `EMFILE` errors use the same retry logic as other errors.
      The `retryDelay` option is now supported. `ENFILE` errors are
      now retried.
* http:
  * Make maximum header size configurable per-stream or per-server
    (Anna Henningsen) https://github.com/nodejs/node/pull/30570
* http2:
  * Make maximum tolerated rejected streams configurable (Denys
    Otrishko) https://github.com/nodejs/node/pull/30534
  * Allow to configure maximum tolerated invalid frames (Denys
    Otrishko) https://github.com/nodejs/node/pull/30534
* wasi:
  * Introduce initial WASI support (cjihrig)
    https://github.com/nodejs/node/pull/30258

PR-URL: https://github.com/nodejs/node/pull/30774
2019-12-03 22:57:31 +01:00
Myles Borins
b8f8f05002
2019-11-21, Version 13.2.0 (Current)
Notable changes:

* addons:
  * Deprecate one- and two-argument `AtExit()`. Use the three-argument
    variant of `AtExit()` or `AddEnvironmentCleanupHook()` instead
    (Anna Henningsen) https://github.com/nodejs/node/pull/30227
* child_process,cluster:
  * The `serialization` option is added that allows child process
    IPC to use the V8 serialization API (to e.g., pass through data
    types like sets or maps) (Anna Henningsen)
    https://github.com/nodejs/node/pull/30162
* deps:
  * Update V8 to 7.9
  * Update `npm` to 6.13.0 (Ruy Adorno)
    https://github.com/nodejs/node/pull/30271
* embedder:
  * Exposes the ability to pass cli flags / options through an API
    as embedder (Shelley Vohr)
    https://github.com/nodejs/node/pull/30466
  * Allow adding linked bindings to Environment (Anna Henningsen)
    https://github.com/nodejs/node/pull/30274
* esm:
  * Unflag --experimental-modules (Guy Bedford)
    https://github.com/nodejs/node/pull/29866
* stream:
  * Add `writable.writableCorked` property (Robert Nagy)
    https://github.com/nodejs/node/pull/29012
* worker:
  * Allow specifying resource limits (Anna Henningsen)
    https://github.com/nodejs/node/pull/26628
* v8:
  * The Serialization API is now stable (Anna Henningsen)
    https://github.com/nodejs/node/pull/30234

PR-URL: https://github.com/nodejs/node/pull/30547
2019-11-21 17:14:59 -05:00
Michaël Zasso
b351d30701
2019-11-19, Version 12.13.1 'Erbium' (LTS)
Notable changes:

* Experimental support for building Node.js with Python 3 is improved.
* ICU time zone data is updated to version 2019c. This fixes the date
  offset in Brazil.

PR-URL: https://github.com/nodejs/node/issues/30352
2019-11-19 11:50:23 +01:00
Michaël Zasso
309e1eae79
2019-11-05, Version 13.1.0 (Current)
Notable changes:

* cli:
  * Added a new flag (`--trace-uncaught`) that makes Node.js print the
    stack trace at the time of throwing uncaught exceptions, rather than
    at the creation of the `Error` object, if there is any. This is
    disabled by default because it affects GC behavior.
    https://github.com/nodejs/node/pull/30025
* crypto
  * Added `Hash.prototype.copy()` method. It returns a new `Hash` object
    with its internal state cloned from the original one.
    https://github.com/nodejs/node/pull/29910
* dgram
  * Added source-specific multicast support. This adds methods to
    Datagram sockets to support RFC 4607
    (https://tools.ietf.org/html/rfc4607) for IPv4 and IPv6.
    https://github.com/nodejs/node/pull/15735
* fs
  * Added a `bufferSize` option to `fs.opendir()`. It allows to control
    the number of entries that are buffered internally when reading from
    the directory. https://github.com/nodejs/node/pull/30114
* meta
  * Added Chengzhong Wu (https://github.com/legendecas) to
    collaborators. https://github.com/nodejs/node/pull/30115

PR-URL: https://github.com/nodejs/node/pull/30262
2019-11-05 19:39:20 +01:00
Myles Borins
5a042a6b1a
2019-10-23, Version 13.0.1 (Current)
Notable changes:

* deps:
  * Fixed a bug in npm 6.12.0 where warnings are emitted on Node.js
    13.x. https://github.com/nodejs/node/pull/30079
* esm:
  * Changed file extension resolution order of
    `--es-module-specifier-resolution=node`to match that of the CommonJS
    loader. https://github.com/nodejs/node/pull/29974

PR-URL: https://github.com/nodejs/node/pull/30081
2019-10-23 12:34:20 +02:00
Beth Griggs
afbbcb050e
2019-10-22, Version 10.17.0 'Dubnium' (LTS)
Notable changes:

* crypto:
  * add support for chacha20-poly1305 for AEAD (chux0519)
    https://github.com/nodejs/node/pull/24081
  * increase maxmem range from 32 to 53 bits (Tobias Nießen)
    https://github.com/nodejs/node/pull/28799
* deps:
  * update npm to 6.11.3 (claudiahdz)
    https://github.com/nodejs/node/pull/29430
  * upgrade openssl sources to 1.1.1d (Sam Roberts)
    https://github.com/nodejs/node/pull/29921
* dns:
  * remove dns.promises experimental warning (cjihrig)
    https://github.com/nodejs/node/pull/26592
* fs:
  * remove experimental warning for fs.promises (Anna Henningsen)
    https://github.com/nodejs/node/pull/26581
* http:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* http2:
  * makes response.writeHead return the response (Mark S. Everitt)
    https://github.com/nodejs/node/pull/25974
* n-api:
  * make func argument of napi\_create\_threadsafe\_function optional
    (legendecas)
    https://github.com/nodejs/node/pull/27791
  * mark version 5 N-APIs as stable (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/29401
  * implement date object (Jarrod Connolly)
    https://github.com/nodejs/node/pull/25917
* process:
  * add --unhandled-rejections flag (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/26599
* stream:
  * implement Readable.from async iterator utility (Guy Bedford)
    https://github.com/nodejs/node/pull/27660
  * make Symbol.asyncIterator support stable (Matteo Collina)
    https://github.com/nodejs/node/pull/26989

PR-URL: https://github.com/nodejs/node/pull/29875
2019-10-22 20:15:24 +01:00
Beth Griggs
42bf0c8df2
2019-10-22, Version 13.0.0 (Current)
Notable changes:

* assert:
  * If the validation function passed to `assert.throws()` or
    `assert.rejects()` returns a value other than `true`, an assertion
    error will be thrown instead of the original error to highlight the
    programming mistake (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
  * If a constructor function is passed to validate the instance of
    errors thrown in `assert.throws()` or `assert.reject()`, an
    assertion error will be thrown instead of the original error
    (Ruben Bridgewater).
    https://github.com/nodejs/node/pull/28263
* build:
  * Node.js releases are now built with default full-icu support. This
    means that all locales supported by ICU are now included and
    Intl-related APIs may return different values than before
    (Richard Lau).
    https://github.com/nodejs/node/pull/29887
  * The minimum Xcode version supported for macOS was increased to 10.
    It is still possible to build Node.js with Xcode 8 but this may no
    longer be the case in a future v13.x release (Michael Dawson).
    https://github.com/nodejs/node/pull/29622
* child_process:
  * `ChildProcess._channel` (DEP0129) is now a Runtime deprecation
    (cjihrig).
    https://github.com/nodejs/node/pull/27949
* console:
  * The output `console.timeEnd()` and `console.timeLog()` will now
    automatically select a suitable time unit instead of always using
    milliseconds (Xavier Stouder).
    https://github.com/nodejs/node/pull/29251
* deps:
  * The V8 engine was updated to version 7.8. This includes performance
    improvements to object destructuring, memory usage and WebAssembly
    startup time (Myles Borins).
    https://github.com/nodejs/node/pull/29694)
* domain:
  * The domain's error handler is now executed with the active domain
    set to the domain's parent to prevent inner recursion
    (Julien Gilli).
    https://github.com/nodejs/node/pull/26211
* fs:
  * The undocumented method `FSWatcher.prototype.start()` was removed
    (Lucas Holmquist).
    https://github.com/nodejs/node/pull/29905
  * Calling the `open()` method on a `ReadStream` or `WriteStream` now
    emits a runtime deprecation warning. The methods are supposed to be
    internal and should not be called by user code (Robert Nagy).
    https://github.com/nodejs/node/pull/29061
  * `fs.read/write`, `fs.readSync/writeSync` and `fd.read/write` now
    accept any safe integer as their `offset` parameter. The value of
    `offset` is also no longer coerced, so a valid type must be passed
    to the functions (Zach Bjornson).
    https://github.com/nodejs/node/pull/26572
* http:
  * Aborted requests no longer emit the `end` or `error` events after
    `aborted` (Robert Nagy).
    https://github.com/nodejs/node/pull/27984
    https://github.com/nodejs/node/pull/20077
  * Data will no longer be emitted after a socket error (Robert Nagy).
    https://github.com/nodejs/node/pull/28711
  * The legacy HTTP parser (previously available under the
    `--http-parser=legacy` flag) was removed (Anna Henningsen).
    https://github.com/nodejs/node/pull/29589
  * The `host` option for HTTP requests is now validated to be a string
    value (Giorgos Ntemiris).
    https://github.com/nodejs/node/pull/29568
  * The `request.connection` and `response.connection` properties are now
    runtime deprecated. The equivalent `request.socket` and `response.socket`
    should be used instead (Robert Nagy).
    https://github.com/nodejs/node/pull/29015
* http, http2:
  * The default server timeout was removed (Ali Ijaz Sheikh).
    https://github.com/nodejs/node/pull/27558
  * Brought 425 status code name into accordance with RFC 8470. The name
    changed from "Unordered Collection" to "Too Early" (Sergei Osipov).
    https://github.com/nodejs/node/pull/29880
* lib:
  * The `error.errno` property will now always be a number. To get the
    string value, use `error.code` instead (Joyee Cheung).
    https://github.com/nodejs/node/pull/28140
* module:
  * `module.createRequireFromPath()` is deprecated. Use
    `module.createRequire()` instead (cjihrig).
    https://github.com/nodejs/node/pull/27951
* src:
  * Changing the value of `process.env.TZ` will now clear the tz cache.
    This affects the default time zone used by methods such as
    `Date.prototype.toString` (Ben Noordhuis).
    https://github.com/nodejs/node/pull/20026
* stream:
  * The timing and behavior of streams was consolidated for a number of
    edge cases. Please look at the individual commits below for more
    information.

PR-URL: https://github.com/nodejs/node/pull/29504
2019-10-22 17:12:12 +01:00
Michaël Zasso
701933ca8f
2019-10-21, Version 12.13.0 'Erbium' (LTS)
This release marks the transition of Node.js 12.x into Long Term Support
(LTS) with the codename 'Erbium'. The 12.x release line now moves into
"Active LTS" and will remain so until October 2020. After that time, it
will move into "Maintenance" until end of life in April 2022.

Notable changes:

npm was updated to 6.12.0. It now includes a version of `node-gyp` that
supports Python 3 for building native modules.

PR-URL: https://github.com/nodejs/node/pull/29981
2019-10-21 11:12:52 +02:00
Ruben Bridgewater
06f6d662f6
2019-10-11, Version 12.12.0 (Current)
Notable changes:

* build:
  * Add `--force-context-aware` flag to prevent usage of native node
    addons that aren't context aware
    https://github.com/nodejs/node/pull/29631
* deprecations:
  * Add documentation-only deprecation for `process._tickCallback()`
    https://github.com/nodejs/node/pull/29781
* esm:
  * Using JSON modules is experimental again
    https://github.com/nodejs/node/pull/29754
* fs:
  * Introduce `opendir()` and `fs.Dir` to iterate through directories
    https://github.com/nodejs/node/pull/29349
* process:
  * Add source-map support to stack traces by using
    `--source-map-support` https://github.com/nodejs/node/pull/29564
* tls:
  * Honor `pauseOnConnect` option
    https://github.com/nodejs/node/pull/29635
  * Add option for private keys for OpenSSL engines
    https://github.com/nodejs/node/pull/28973

PR-URL: https://github.com/nodejs/node/pull/29919
2019-10-11 21:25:36 +02:00
Beth Griggs
a04b04f4cf
2019-10-09, Version 8.16.2 'Carbon' (LTS)
Node.js 8 is due to go End-of-Life on 31st December 2019.

Notable changes:

- **deps**: upgrade openssl sources to 1.0.2s (Sam Roberts)
  [#28230](https://github.com/nodejs/node/pull/28230)

PR-URL: https://github.com/nodejs/node/pull/29617
2019-10-09 21:25:39 +01:00
Michaël Zasso
d9fd2cd0ff
2019-10-01, Version 12.11.1 (Current)
Notable changes:

* build:
  * This release fixes a regression that prevented from building Node.js
    using the official source tarball.
    https://github.com/nodejs/node/pull/29712
* deps:
  * Updated small-icu data to support "unit" style in the
    `Intl.NumberFormat` API.
    https://github.com/nodejs/node/pull/29735

PR-URL: https://github.com/nodejs/node/pull/29796
2019-10-01 18:44:05 +02:00
Ruben Bridgewater
d36b6f8da3
2019-09-24, Version 12.11.0 (Current)
Notable changes:

* crypto:
  * Add `oaepLabel` option https://github.com/nodejs/node/pull/29489
* deps:
  * Update V8 to 7.7.299.11 https://github.com/nodejs/node/pull/28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    https://github.com/nodejs/node/pull/29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    https://github.com/nodejs/node/pull/29260
* inspector:
  * New API - `Session.connectToMainThread`
    https://github.com/nodejs/node/pull/28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    https://github.com/nodejs/node/pull/28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    https://github.com/nodejs/node/pull/29639
* tls:
  * Add option to override signature algorithms
    https://github.com/nodejs/node/pull/29598
* util:
  * Add `encodeInto` to `TextEncoder`
    https://github.com/nodejs/node/pull/29524
* worker:
  * The `worker_thread` module is now stable
    https://github.com/nodejs/node/pull/29512

PR-URL: https://github.com/nodejs/node/pull/29695
2019-09-26 01:14:24 +02:00
Ruben Bridgewater
02c74e72ea
2019-09-04, Version 12.10.0 (Current)
Notable changes:

* deps:
  * Update npm to 6.10.3 (isaacs)
    https://github.com/nodejs/node/pull/29023
* fs:
  * Add recursive option to rmdir() (cjihrig)
    https://github.com/nodejs/node/pull/29168
  * Allow passing true to emitClose option (Giorgos Ntemiris)
    https://github.com/nodejs/node/pull/29212
  * Add \*timeNs properties to BigInt Stats objects (Joyee Cheung)
    https://github.com/nodejs/node/pull/21387
* net:
  * Allow reading data into a static buffer (Brian White)
    https://github.com/nodejs/node/pull/25436

PR-URL: https://github.com/nodejs/node/pull/29429
2019-09-04 20:10:18 +02:00
Nick Schonning
9e8edb0d79 doc: heading levels should only increment by one
These are flagged by Markdownlint MD001 rule.

PR-URL: https://github.com/nodejs/node/pull/29331
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2019-08-28 22:47:21 -07:00
Michaël Zasso
d770b8a931
2019-08-26, Version 12.9.1 (Current)
Notable changes:

This release fixes two regressions in the http module:

* Fixes an event listener leak in the HTTP client. This resulted in lots
  of warnings during npm/yarn installs.
  https://github.com/nodejs/node/pull/29245
* Fixes a regression preventing the `'end'` event from being emitted for
  keepalive requests in case the full body was not parsed.
  https://github.com/nodejs/node/pull/29263

PR-URL: https://github.com/nodejs/node/pull/29321
2019-08-26 20:36:17 +02:00
Michaël Zasso
edc83a9203
2019-08-20, Version 12.9.0 (Current)
Notable changes:

* crypto:
  * Added an oaepHash option to asymmetric encryption which allows
    users to specify a hash function when using OAEP padding.
    https://github.com/nodejs/node/pull/28335
* deps:
  * Updated V8 to 7.6.303.29. https://github.com/nodejs/node/pull/28955
    * Improves the performance of various APIs such as `JSON.parse` and
      methods called on frozen arrays.
    * Adds the Promise.allSettled method.
    * Improves support of `BigInt` in `Intl` methods.
    * For more information: https://v8.dev/blog/v8-release-76
  * Updated libuv to 1.31.0. https://github.com/nodejs/node/pull/29070
    * `UV_FS_O_FILEMAP` has been added for faster access to memory
      mapped files on Windows.
    * `uv_fs_mkdir()` now returns `UV_EINVAL` for invalid filenames on
      Windows. It previously returned `UV_ENOENT`.
    * The `uv_fs_statfs()` API has been added.
    * The `uv_os_environ()` and `uv_os_free_environ()` APIs have been
      added.
* fs:
  * Added `fs.writev`, `fs.writevSync` and `filehandle.writev` (promise
    version) methods. They allow to write an array of `ArrayBufferView`s
    to a file descriptor. https://github.com/nodejs/node/pull/25925
    https://github.com/nodejs/node/pull/29186
* http:
  * Added three properties to `OutgoingMessage.prototype`:
    `writableObjectMode`, `writableLength` and `writableHighWaterMark`
    https://github.com/nodejs/node/pull/29018
* stream:
  * Added an new property `readableEnded` to readable streams. Its value
    is set to `true` when the `'end'` event is emitted.
    https://github.com/nodejs/node/pull/28814
  * Added an new property `writableEnded` to writable streams. Its value
    is set to `true` after `writable.end()` has been called.
    https://github.com/nodejs/node/pull/28934

PR-URL: https://github.com/nodejs/node/pull/29210
2019-08-20 21:37:07 +02:00
Beth Griggs
affa23bc88
2019-08-15, Version 8.16.1 'Carbon' (LTS)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29152
2019-08-15 23:30:22 +01:00
Beth Griggs
004e2b759f
2019-08-15, Version 10.16.3 'Dubnium' (LTS)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29148
2019-08-15 22:50:53 +01:00
Michaël Zasso
edc2e5be34
2019-08-15, Version 12.8.1 (Current)
This is a security release.

Notable changes:

Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.

Vulnerabilities fixed:

* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
  data from a specified resource over multiple streams. They manipulate
  window size and stream priority to force the server to queue the data
  in 1-byte chunks. Depending on how efficiently this data is queued,
  this can consume excess CPU, memory, or both, potentially leading to a
  denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
  HTTP/2 peer, causing the peer to build an internal queue of responses.
  Depending on how efficiently this data is queued, this can consume
  excess CPU, memory, or both, potentially leading to a denial of
  service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
  streams and continually shuffles the priority of the streams in a way
  that causes substantial churn to the priority tree. This can consume
  excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
  and sends an invalid request over each stream that should solicit a
  stream of RST_STREAM frames from the peer. Depending on how the peer
  queues the RST_STREAM frames, this can consume excess memory, CPU,or
  both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
  SETTINGS frames to the peer. Since the RFC requires that the peer
  reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
  frame is almost equivalent in behavior to a ping. Depending on how
  efficiently this data is queued, this can consume excess CPU, memory,
  or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
  headers with a 0-length header name and 0-length header value,
  optionally Huffman encoded into 1-byte or greater headers. Some
  implementations allocate memory for these headers and keep the
  allocation alive until the session dies. This can consume excess
  memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
  window so the peer can send without constraint; however, they leave
  the TCP window closed so the peer cannot actually write (many of) the
  bytes on the wire. The attacker then sends a stream of requests for a
  large response object. Depending on how the servers queue the
  responses, this can consume excess memory, CPU, or both, potentially
  leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
  frames with an empty payload and without the end-of-stream flag. These
  frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
  peer spends time processing each frame disproportionate to attack
  bandwidth. This can consume excess CPU, potentially leading to a
  denial of service. (Discovered by Piotr Sikora of Google)

PR-URL: https://github.com/nodejs/node/pull/29133
2019-08-15 14:49:36 +02:00
Beth Griggs
f1478e1789
2019-08-06, Version 10.16.2 'Dubnium' (LTS)
Notable changes:

This release patches a regression in the OpenSSL upgrade to 1.1.1c that
 causes intermittent hangs in machines that have low entropy.

Refs: https://github.com/nodejs/node/issues/28932

PR-URL: https://github.com/nodejs/node/pull/29021
2019-08-06 23:29:55 +01:00
Ruben Bridgewater
a9e7441916
2019-08-06, Version 12.8.0 (Current)
Notable changes:

* assert:
  * Legacy mode deprecation (`DEP0089`) is revoked (Colin Ihrig)
    https://github.com/nodejs/node/pull/28892
* crypto:
  * The `outputLength` option is added to `crypto.createHash`
    (Tobias Nießen) https://github.com/nodejs/node/pull/28805
  * The `maxmem` range is increased from 32 to 53 bits (Tobias Nießen)
    https://github.com/nodejs/node/pull/28799
* n-api:
  * Added APIs for per-instance state management (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/28682
* report:
  * Network interfaces get included in the report (cjihrig)
    https://github.com/nodejs/node/pull/28911
* src:
  * `v8.getHeapCodeStatistics()` is now exported
    (Yuriy Vasiyarov) https://github.com/nodejs/node/pull/27978

PR-URL: https://github.com/nodejs/node/pull/29017
2019-08-07 00:25:59 +02:00
Beth Griggs
9d37013ef0
2019-07-31, Version 10.16.1 'Dubnium' (LTS)
Notable changes:

- **deps**: upgrade openssl sources to 1.1.1c (Sam Roberts) [#28212](https://github.com/nodejs/node/pull/28212)
- **stream**: do not unconditionally call `\_read()` on `resume()` (Anna Henningsen) [#26965](https://github.com/nodejs/node/pull/26965)
- **worker**: fix nullptr deref after MessagePort deser failure (Anna Henningsen) [#25076](https://github.com/nodejs/node/pull/25076)

PR-URL: https://github.com/nodejs/node/pull/28731
2019-07-31 20:04:46 +01:00
Michaël Zasso
52c5287aca
2019-07-23, Version 12.7.0 (Current)
Notable changes:

* deps:
  * Updated nghttp2 to 1.39.1. https://github.com/nodejs/node/pull/28448
  * Updated npm to 6.10.0. https://github.com/nodejs/node/pull/28525
* esm:
  * Implemented experimental "pkg-exports" proposal. A new `"exports"`
    field can be added to a module's `package.json` file to provide
    custom subpath aliasing. See
    https://github.com/jkrems/proposal-pkg-exports/ for more
    information. https://github.com/nodejs/node/pull/28568
* http:
  * Added `response.writableFinished`.
    https://github.com/nodejs/node/pull/28681
  * Exposed `headers`, `rawHeaders` and other fields on an
    `http.ClientRequest` `"information"` event.
    https://github.com/nodejs/node/pull/28459
* inspector:
  * Added `inspector.waitForDebugger()`.
    https://github.com/nodejs/node/pull/28453
* policy:
  * Added `--policy-integrity=sri` CLI option to mitigate policy
    tampering. If a policy integrity is specified and the policy does
    not have that integrity, Node.js will error prior to running any
    code. https://github.com/nodejs/node/pull/28734
* readline,tty:
  * Exposed stream API from various methods which write characters.
    https://github.com/nodejs/node/pull/28674
    https://github.com/nodejs/node/pull/28721
* src:
  * Use cgroups to get memory limits. This improves the way we set
    the memory ceiling for a Node.js process. Previously we would use
    the physical memory size to estimate the necessary V8
    heap sizes. The physical memory size is not necessarily the correct
    limit, e.g. if the process is running inside a docker container or
    is otherwise constrained. This change adds the ability to get a
    memory limit set by linux cgroups, which is used by docker
    containers to set resource constraints.
    https://docs.docker.com/config/containers/resource_constraints/
    https://github.com/nodejs/node/pull/27508

PR-URL: https://github.com/nodejs/node/pull/28817
2019-07-23 22:54:24 +02:00
Michaël Zasso
fcf8fe9f1a
2019-07-03, Version 12.6.0 (Current)
Notable changes:

* build:
  * Experimental support for building Node.js on MIPS architecture
    is back. https://github.com/nodejs/node/pull/27992
* child_process:
  * The promisified versions of `child_process.exec` and
    `child_process.execFile` now both return a `Promise` which has the
	child instance attached to their `child` property.
	https://github.com/nodejs/node/pull/28325
* deps:
  * Updated libuv to 1.30.1. https://github.com/nodejs/node/pull/28449,
    https://github.com/nodejs/node/pull/28511
    * Support for the Haiku platform has been added.
    * The maximum `UV_THREADPOOL_SIZE` has been increased from 128 to
	  1024.
    * `uv_fs_copyfile()` now works properly when the source and
	  destination files are the same.
* process:
  * A new method, `process.resourceUsage()` was added. It returns
    resource usage for the current process, such as CPU time.
	https://github.com/nodejs/node/pull/28018
* src:
  * Fixed an issue related to stdio that could lead to a crash of the
    process in some circumstances.
	https://github.com/nodejs/node/pull/28490
* stream:
  * Added a `writableFinished` property to writable streams. It
    indicates that all the data has been flushed to the underlying
	system. https://github.com/nodejs/node/pull/28007
* worker:
  * Fixed an issue that prevented worker threads to listen for data on
    stdin. https://github.com/nodejs/node/pull/28153
* meta:
  * Added Jiawen Geng (https://github.com/gengjiawen) to collaborators.
    https://github.com/nodejs/node/pull/28322

PR-URL: https://github.com/nodejs/node/pull/28508
2019-07-03 15:53:31 +02:00
Ruben Bridgewater
af3cc714f9
2019-06-27, Version 12.5.0 (Current)
Notable changes:

* build:
  * The startup time is reduced by enabling V8 snapshots by default
    https://github.com/nodejs/node/pull/28181
* deps:
  * Updated `V8` to 7.5.288.22 https://github.com/nodejs/node/pull/27375
    * The numeric separator (v8.dev/features/numeric-separators) feature is now
      enabled by default
  * Updated `OpenSSL` to 1.1.1c https://github.com/nodejs/node/pull/28211
* inspector:
  * The `--inspect-publish-uid` flag was added to specify ways of the inspector
    web socket url exposure https://github.com/nodejs/node/pull/27741
* n-api:
  * Accessors on napi_define_* are now ECMAScript-compliant
    https://github.com/nodejs/node/pull/27851
* report:
  * The cpu info got added to the report output
    https://github.com/nodejs/node/pull/28188
* src:
  * Restore the original state of the stdio file descriptors on exit to prevent
    leaving stdio in raw or non-blocking mode
    https://github.com/nodejs/node/pull/24260
* tools,gyp:
  * Introduce MSVS 2019 https://github.com/nodejs/node/pull/27375
* util:
  * inspect:
    * Array grouping became more compact and uses more columns than before
      https://github.com/nodejs/node/pull/28059
      https://github.com/nodejs/node/pull/28070
    * Long strings will not be split at 80 characters anymore. Instead they will
      be split on new lines https://github.com/nodejs/node/pull/28055
* worker:
  * `worker.terminate()` now returns a promise and using the callback is
    deprecated https://github.com/nodejs/node/pull/28021

PR-URL: https://github.com/nodejs/node/pull/28268
2019-06-27 15:55:50 +02:00
Richard Lau
9611d75943 doc: mark Node.js 11 as EOL in changelog
Update the changelog to mark Node.js 11 as End-of-Life. Remove the
column for Node.js 11 changelog entries from the table.

PR-URL: https://github.com/nodejs/node/pull/28076
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
2019-06-07 21:11:35 -04:00
Michaël Zasso
cb68c04ce1
2019-06-04, Version 12.4.0 (Current)
Notable changes:

* doc:
  * The JSON variant of the API documentation is no longer experimental
    (Rich Trott) https://github.com/nodejs/node/pull/27842.
* esm:
  * JSON module support is always enabled under
    `--experimental-modules`. The `--experimental-json-modules` flag
    has been removed (Myles Borins)
    https://github.com/nodejs/node/pull/27752.
* http,http2:
  * A new flag has been added for overriding the default HTTP server
    socket timeout (which is two minutes). Pass
    `--http-server-default-timeout=milliseconds`
    or `--http-server-default-timeout=0` to respectively change or
    disable the timeout. Starting with Node.js 13.0.0, the timeout will
    be disabled by default
    (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/27704.
* inspector:
  * Added an experimental `--heap-prof` flag to start the V8 heap
    profiler on startup and write the heap profile to disk before exit
    (Joyee Cheung) https://github.com/nodejs/node/pull/27596.
* stream:
  * The `readable.unshift()` method now correctly converts strings to
    buffers. Additionally, a new optional argument is accepted to
    specify the string's encoding, such as `'utf8'` or `'ascii'`
    (Marcos Casagrande) https://github.com/nodejs/node/pull/27194.
* v8:
  * The object returned by `v8.getHeapStatistics()` has two new
    properties: `number_of_native_contexts` and
    `number_of_detached_contexts` (Yuriy Vasiyarov)
    https://github.com/nodejs/node/pull/27933.

PR-URL: https://github.com/nodejs/node/pull/28040
2019-06-04 16:01:53 +02:00
Beth Griggs
b323658b64
2019-05-28, Version 10.16.0 'Dubnium' (LTS)
Notable changes:

- **deps**:
  - update ICU to 64.2 (Ujjwal Sharma)
    [#27361](https://github.com/nodejs/node/pull/27361)
  - upgrade npm to 6.9.0 (Kat Marchán)
    [#26244](https://github.com/nodejs/node/pull/26244)
  - upgrade openssl sources to 1.1.1b (Sam Roberts)
    [#26327](https://github.com/nodejs/node/pull/26327)
  - upgrade to libuv 1.28.0 (cjihrig)
    [#27241](https://github.com/nodejs/node/pull/27241)
- **events**:
  - add once method to use promises with EventEmitter (Matteo Collina)
   [#26078](https://github.com/nodejs/node/pull/26078)
- **n-api**:
  - mark thread-safe function as stable (Gabriel Schulhof)
    [#25556](https://github.com/nodejs/node/pull/25556)
- **repl**:
  - support top-level for-await-of (Shelley Vohr)
    [#23841](https://github.com/nodejs/node/pull/23841)
- **zlib**:
  - add brotli support (Anna Henningsen)
    [#24938](https://github.com/nodejs/node/pull/24938)

PR-URL: https://github.com/nodejs/node/pull/27514
2019-05-28 23:45:42 +01:00
Ruben Bridgewater
8a282dc93a
2019-05-22, Version v12.3.1 (Current)
Notable changes

* deps:
  * Fix handling of +0/-0 when constant field tracking is enabled
    (Michaël Zasso) https://github.com/nodejs/node/pull/27792
  * Fix `os.freemem()` and `os.totalmem` correctness (cjihrig)
    https://github.com/nodejs/node/pull/27718
* src:
  * Fix v12.3.0 regression that prevents native addons from compiling
    https://github.com/nodejs/node/pull/27804

PR-URL: https://github.com/nodejs/node/pull/27814
2019-05-22 20:56:15 +02:00
Ruben Bridgewater
9fec70a703
2019-05-21, Version 12.3.0 (Current)
Notable changes:

* esm:
  * Added the `--experimental-wasm-modules` flag to support
    WebAssembly modules (Myles Borins & Guy Bedford)
    https://github.com/nodejs/node/pull/27659
* process:
  * Log errors using `util.inspect` in case of fatal exceptions
    (Ruben Bridgewater) https://github.com/nodejs/node/pull/27243
* repl:
  * Add `process.on('uncaughtException')` support (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/27151
* stream:
  * Implemented `Readable.from` async iterator utility (Guy Bedford)
    https://github.com/nodejs/node/pull/27660
* tls:
  * Expose built-in root certificates (Ben Noordhuis)
    https://github.com/nodejs/node/pull/26415
  * Support `net.Server` options (Luigi Pinca)
    https://github.com/nodejs/node/pull/27665
  * Expose `keylog` event on TLSSocket (Alba Mendez)
    https://github.com/nodejs/node/pull/27654
* worker:
  * Added the ability to unshift messages from the `MessagePort`
    (Anna Henningsen) https://github.com/nodejs/node/pull/27294

PR-URL: https://github.com/nodejs/node/pull/27799
2019-05-21 21:23:52 +02:00
Richard Lau
4a18b87a3f doc,tools: updates for 6.x End-of-Life
PR-URL: https://github.com/nodejs/node/pull/27658
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
2019-05-14 15:10:19 -07:00
Michaël Zasso
e006a8545e
2019-05-07, Version 12.2.0 (Current)
Notable changes:

* deps:
  * Updated llhttp to 1.1.3. This fixes a bug that made Node.js' HTTP
    parser refuse any request URL that contained the "|" (vertical bar)
    character. https://github.com/nodejs/node/pull/27595
* tls:
  * Added an `enableTrace()` method to `TLSSocket` and an `enableTrace`
    option to `tls.createServer()`. When enabled, TSL packet trace
    information is written to `stderr`. This can be used to debug TLS
    connection problems. https://github.com/nodejs/node/pull/27497
    https://github.com/nodejs/node/pull/27376
* cli:
  * Added a `--trace-tls` command-line flag that enables tracing of TLS
    connections without the need to modify existing application code.
    https://github.com/nodejs/node/pull/27497
  * Added a `--cpu-prof-interval` command-line flag. It can be used to
    specify the sampling interval for the CPU profiles generated by
    `--cpu-prof`. https://github.com/nodejs/node/pull/27535
* module:
  * Added the `createRequire()` method. It allows to create a require
    function from a file URL object, a file URL string or an absolute
    path string. The existing `createRequireFromPath()` method is now
    deprecated https://github.com/nodejs/node/pull/27405.
  * Throw on `require('./path.mjs')`. This is technically a breaking
    change that should have landed with Node.js 12.0.0. It is necessary
    to have this to keep the possibility for a future minor version to
    load ES Modules with the require function.
    https://github.com/nodejs/node/pull/27417
* repl:
  * The REPL now supports multi-line statements using `BigInt` literals
    as well as public and private class fields and methods.
    https://github.com/nodejs/node/pull/27400
  * The REPL now supports tab autocompletion of file paths with `fs`
    methods. https://github.com/nodejs/node/pull/26648
* meta:
  * Added Christian Clauss (https://github.com/cclauss) to
    collaborators. https://github.com/nodejs/node/pull/27554

PR-URL: https://github.com/nodejs/node/pull/27578
2019-05-07 20:38:46 +02:00
Shelley Vohr
ea46db6642
2019-04-30, Version 11.15.0 (Current)
Notable changes:

* deps: add s390 asm rules for OpenSSL-1.1.1 (Shigeki Ohtsu) [#19794](https://github.com/nodejs/node/pull/19794)
* src: add .code and SSL specific error properties (Sam Roberts) [#25093](https://github.com/nodejs/node/pull/25093)
* tls:
  * add --tls-min-v1.2 CLI switch (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * supported shared openssl 1.1.0 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * revert default max toTLSv1.2 (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * revert change to invalid protocol error type (Sam Roberts) [#26951](https://github.com/nodejs/node/pull/26951)
  * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209)
  * add code for ERR\_TLS\_INVALID\_PROTOCOL\_METHOD (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729)

PR-URL: https://github.com/nodejs/node/pull/27314
2019-04-30 09:18:04 -07:00
Michaël Zasso
1d4a880700
2019-04-29, Version 12.1.0 (Current)
Notable changes:

* intl:
  * Update ICU to 64.2. This adds support for Japanese Era (Reiwa).
    https://github.com/nodejs/node/pull/27361
  * Fixes a bug in ICU that affected Node.js 12.0.0 in the case where
    `new Date().toLocaleString()` was called with a non-default locale.
    https://github.com/nodejs/node/pull/27415
* C++ API:
  * Added an overload of `EmitAsyncDestroy` that can be used during
    garbage collection.
    https://github.com/nodejs/node/pull/27255

PR-URL: https://github.com/nodejs/node/pull/27440
2019-04-29 16:38:53 +02:00
Rivaldo Junior
e029b927c2
Add Node 12 to the first list of versions
PR-URL: https://github.com/nodejs/node/pull/27414
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
2019-04-26 11:25:05 +02:00
Beth Griggs
d896f03578
2019-04-23, Version 12.0.0 (Current)
Notable changes:

* assert:
    * validate required arguments (Ruben Bridgewater)
      [#26641](https://github.com/nodejs/node/pull/26641)
    * adjust loose assertions (Ruben Bridgewater)
      [#25008](https://github.com/nodejs/node/pull/25008)
* async_hooks:
    * remove deprecated `emitBefore` and `emitAfter` (Matteo Collina)
      [#26530](https://github.com/nodejs/node/pull/26530)
    * remove promise object from resource (Andreas Madsen)
      [#23443](https://github.com/nodejs/node/pull/23443)
* bootstrap: make Buffer and process non-enumerable (Ruben Bridgewater)
      [#24874](https://github.com/nodejs/node/pull/24874)
* buffer:
    * use stricter range checks (Ruben Bridgewater)
      [#27045](https://github.com/nodejs/node/pull/27045)
    * harden `SlowBuffer` creation (ZYSzys)
      [#26272](https://github.com/nodejs/node/pull/26272)
    * harden validation of buffer allocation size (ZYSzys)
      [#26162](https://github.com/nodejs/node/pull/26162)
    * do proper error propagation in addon methods (Anna Henningsen)
      [#23939](https://github.com/nodejs/node/pull/23939)
* child_process:
    * remove `options.customFds` (cjihrig)
      [#25279](https://github.com/nodejs/node/pull/25279)
    * harden fork arguments validation (ZYSzys)
      [#27039](https://github.com/nodejs/node/pull/27039)
    * use non-infinite `maxBuffer` defaults (kohta ito)
      [#23027](https://github.com/nodejs/node/pull/23027)
* console:
    * don't use ANSI escape codes when `TERM=dumb` (Vladislav Kaminsky)
      [#26261](https://github.com/nodejs/node/pull/26261)
* crypto:
    * remove legacy native handles (Tobias Nießen)
      [#27011](https://github.com/nodejs/node/pull/27011)
    * decode missing passphrase errors (Tobias Nießen)
      [#25208](https://github.com/nodejs/node/pull/25208)
    * remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()`
      (Tobias Nießen)
      [#26249](https://github.com/nodejs/node/pull/26249)
    * remove deprecated `crypto._toBuf()` (Tobias Nießen)
      [#25338](https://github.com/nodejs/node/pull/25338)
    * set `DEFAULT\_ENCODING` property to non-enumerable
      (Antoine du Hamel)
      [#23222](https://github.com/nodejs/node/pull/23222)
* deps:
    * update V8 to 7.4.288.13
    (Michaël Zasso, cjihrig, Refael Ackermann)
    (Anna Henningsen, Ujjwal Sharma)
      [#26685](https://github.com/nodejs/node/pull/26685)
    * bump minimum icu version to 63 (Ujjwal Sharma)
      [#25852](https://github.com/nodejs/node/pull/25852)
    * update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu)
      [#26327](https://github.com/nodejs/node/pull/26327)
* errors:
    * update error name (Ruben Bridgewater)
      [#26738](https://github.com/nodejs/node/pull/26738)
* fs:
    * use proper .destroy() implementation for SyncWriteStream
      (Matteo Collina)
      [#26690](https://github.com/nodejs/node/pull/26690)
    * improve mode validation (Ruben Bridgewater)
      [#26575](https://github.com/nodejs/node/pull/26575)
    * harden validation of start option in `createWriteStream()`
      (ZYSzys)
      [#25579](https://github.com/nodejs/node/pull/25579)
    * make writeFile consistent with readFile wrt fd
      (Sakthipriyan Vairamani (thefourtheye))
      [#23709](https://github.com/nodejs/node/pull/23709)
* http:
    * validate timeout in `ClientRequest()` (cjihrig)
      [#26214](https://github.com/nodejs/node/pull/26214)
    * return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still)
      [#25605](https://github.com/nodejs/node/pull/25605)
    * switch default parser to llhttp (Anna Henningsen)
      [#24870](https://github.com/nodejs/node/pull/24870)
    * Runtime-deprecate `outgoingMessage._headers` and
      `outgoingMessage._headerNames` (Morgan Roderick)
      [#24167](https://github.com/nodejs/node/pull/24167)
* lib:
    * remove `Atomics.wake()` (Gus Caplan)
      [#27033](https://github.com/nodejs/node/pull/27033)
    * move DTRACE\_\* probes out of global scope (James M Snell)
      [#26541](https://github.com/nodejs/node/pull/26541)
    * deprecate `_stream_wrap` (Sam Roberts)
      [#26245](https://github.com/nodejs/node/pull/26245)
    * use ES6 class inheritance style (Ruben Bridgewater)
      [#24755](https://github.com/nodejs/node/pull/24755)
* module:
    * remove unintended access to deps/ (Anna Henningsen)
      [#25138](https://github.com/nodejs/node/pull/25138)
    * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh)
      [#25690](https://github.com/nodejs/node/pull/25690)
    * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh)
      [#25690](https://github.com/nodejs/node/pull/25690)
    * remove dead code (Ruben Bridgewater)
      [#26983](https://github.com/nodejs/node/pull/26983)
    * make `require('.')` never resolve outside the current directory
      (Ruben Bridgewater)
      [#26973](https://github.com/nodejs/node/pull/26973)
    * throw an error for invalid package.json main entries
      (Ruben Bridgewater)
      [#26823](https://github.com/nodejs/node/pull/26823)
    * don't search in `require.resolve.paths` (cjihrig)
      [#23683](https://github.com/nodejs/node/pull/23683)
* net:
    * remove `Server.listenFD()` (cjihrig)
      [#27127](https://github.com/nodejs/node/pull/27127)
    * do not add `.host` and `.port` properties to DNS error
      (Ruben Bridgewater)
      [#26751](https://github.com/nodejs/node/pull/26751)
    * emit "write after end" errors in the next tick (Ouyang Yadong)
      [#24457](https://github.com/nodejs/node/pull/24457)
    * deprecate `_setSimultaneousAccepts()` undocumented function
      (James M Snell)
      [#23760](https://github.com/nodejs/node/pull/23760)
* os:
    * implement `os.type()` using `uv_os_uname()` (cjihrig)
      [#25659](https://github.com/nodejs/node/pull/25659)
    * remove `os.getNetworkInterfaces()` (cjihrig)
      [#25280](https://github.com/nodejs/node/pull/25280)
* process:
    * make global.process, global.Buffer getters (Guy Bedford)
      [#26882](https://github.com/nodejs/node/pull/26882)
    * move DEP0062 (node --debug) to end-of-life (Joyee Cheung)
      [#25828](https://github.com/nodejs/node/pull/25828)
    * exit on --debug and --debug-brk after option parsing
      (Joyee Cheung)
      [#25828](https://github.com/nodejs/node/pull/25828)
    * improve `--redirect-warnings` handling (Ruben Bridgewater)
      [#24965](https://github.com/nodejs/node/pull/24965)
* readline:
    * support TERM=dumb (Vladislav Kaminsky)
      [#26261](https://github.com/nodejs/node/pull/26261)
* repl:
    * add welcome message (gengjiawen)
      [#25947](https://github.com/nodejs/node/pull/25947)
    * fix terminal default setting (Ruben Bridgewater)
      [#26518](https://github.com/nodejs/node/pull/26518)
    * check colors with `.getColorDepth()` (Vladislav Kaminsky)
      [#26261](https://github.com/nodejs/node/pull/26261)
    * deprecate REPLServer.rli (Ruben Bridgewater)
      [#26260](https://github.com/nodejs/node/pull/26260)
* src:
    * remove unused `INT_MAX` constant (Sam Roberts)
      [#27078](https://github.com/nodejs/node/pull/27078)
    * update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma)
      [#26685](https://github.com/nodejs/node/pull/26685)
    * remove `AddPromiseHook()` (Anna Henningsen)
      [#26574](https://github.com/nodejs/node/pull/26574)
    * clean up `MultiIsolatePlatform` interface (Anna Henningsen)
      [#26384](https://github.com/nodejs/node/pull/26384)
    * properly configure default heap limits (Ali Ijaz Sheikh)
      [#25576](https://github.com/nodejs/node/pull/25576)
    * remove `icuDataDir` from node config (GauthamBanasandra)
      [#24780](https://github.com/nodejs/node/pull/24780)
* tls:
    * support TLSv1.3 (Sam Roberts)
      [#26209](https://github.com/nodejs/node/pull/26209)
    * return correct version from `getCipher()` (Sam Roberts)
      [#26625](https://github.com/nodejs/node/pull/26625)
    * check arg types of renegotiate() (Sam Roberts)
      [#25876](https://github.com/nodejs/node/pull/25876)
    * add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts)
      [#24729](https://github.com/nodejs/node/pull/24729)
    * emit a warning when servername is an IP address (Rodger Combs)
      [#23329](https://github.com/nodejs/node/pull/23329)
    * disable TLS v1.0 and v1.1 by default (Ben Noordhuis)
      [#23814](https://github.com/nodejs/node/pull/23814)
    * remove unused arg to createSecureContext() (Sam Roberts)
      [#24241](https://github.com/nodejs/node/pull/24241)
    * deprecate `Server.prototype.setOptions()` (cjihrig)
      [#23820](https://github.com/nodejs/node/pull/23820)
    * load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong)
      [#23354](https://github.com/nodejs/node/pull/23354)
* util:
    * remove `util.print()`, `util.puts()`, `util.debug()`
      and `util.error()` (cjihrig)
      [#25377](https://github.com/nodejs/node/pull/25377)
    * change inspect compact and breakLength default
      (Ruben Bridgewater)
      [#27109](https://github.com/nodejs/node/pull/27109)
    * improve inspect edge cases (Ruben Bridgewater)
      [#27109](https://github.com/nodejs/node/pull/27109)
    * only the first line of the error message (Simon Zünd)
      [#26685](https://github.com/nodejs/node/pull/26685)
    * don't set the prototype of callbackified functions
      (Ruben Bridgewater)
      [#26893](https://github.com/nodejs/node/pull/26893)
    * rename callbackified function (Ruben Bridgewater)
      [#26893](https://github.com/nodejs/node/pull/26893)
    * increase function length when using `callbackify()`
      (Ruben Bridgewater)
      [#26893](https://github.com/nodejs/node/pull/26893)
    * prevent tampering with internals in `inspect()`
      (Ruben Bridgewater)
      [#26577](https://github.com/nodejs/node/pull/26577)
    * prevent Proxy traps being triggered by `.inspect()`
      (Ruben Bridgewater)
      [#26241](https://github.com/nodejs/node/pull/26241)
    * prevent leaking internal properties (Ruben Bridgewater)
      [#24971](https://github.com/nodejs/node/pull/24971)
    * protect against monkeypatched Object prototype for inspect()
      (Rich Trott)
      [#25953](https://github.com/nodejs/node/pull/25953)
    * treat format arguments equally (Roman Reiss)
      [#23162](https://github.com/nodejs/node/pull/23162)
* win, fs:
    * detect if symlink target is a directory (Bartosz Sosnowski)
      [#23724](https://github.com/nodejs/node/pull/23724)
* zlib:
    * throw TypeError if callback is missing (Anna Henningsen)
      [#24929](https://github.com/nodejs/node/pull/24929)
    * make “bare” constants un-enumerable (Anna Henningsen)
      [#24824](https://github.com/nodejs/node/pull/24824)

PR-URL: https://github.com/nodejs/node/pull/26930
2019-04-23 16:46:54 +01:00
Myles Borins
1c26169714
2019-04-16, Version 8.16.0 'Carbon' (LTS)
Notable Changes:

* n-api:
  - add API for asynchronous functions (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/17887
  - mark thread-safe function as stable (Gabriel Schulhof)
    https://github.com/nodejs/node/pull/25556

PR-URL: https://github.com/nodejs/node/pull/26933
2019-04-16 16:04:56 -04:00
Beth Griggs
d42456020b
2019-04-11, Version 11.14.0 (Current)
Notable changes:

- child_process: doc deprecate ChildProcess.\_channel (cjihrig)
  [#26982](https://github.com/nodejs/node/pull/26982)
- deps: update nghttp2 to 1.37.0 (gengjiawen)
  [#26990](https://github.com/nodejs/node/pull/26990)
- dns:
  - make dns.promises enumerable (cjihrig)
    [#26592](https://github.com/nodejs/node/pull/26592)
  - remove dns.promises experimental warning (cjihrig)
    [#26592](https://github.com/nodejs/node/pull/26592)
- fs: remove experimental warning for fs.promises (Anna Henningsen)
  [#26581] (https://github.com/nodejs/node/pull/26581)
- stream: make Symbol.asyncIterator support stable (Matteo Collina)
  [#26989](https://github.com/nodejs/node/pull/26989)
- worker: use copy of process.env (Anna Henningsen)
  [#26544](https://github.com/nodejs/node/pull/26544)

PR-URL: https://github.com/nodejs/node/pull/27163
2019-04-11 17:56:55 +01:00
Beth Griggs
883a0d521f
2019-04-03, Version 6.17.1 'Boron' (LTS)
Notable changes:

- http:
  - fix error check in `Execute()` (Brian White)
    [#25939](https://github.com/nodejs/node/pull/25939)

PR-URL: https://github.com/nodejs/node/pull/26684
2019-04-03 20:35:39 +01:00
Beth Griggs
68b04274ca
doc: update changelog for v10.x LTS
PR-URL: https://github.com/nodejs/node/pull/26931
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2019-03-30 13:07:19 +01:00
Michaël Zasso
2c73868b04
2019-03-28, Version 11.13.0 (Current)
Notable changes:

* crypto
  * Allow deriving public from private keys (Tobias Nießen)
    [#26278](https://github.com/nodejs/node/pull/26278).
* events
  * Added a `once` function to use `EventEmitter` with promises
    (Matteo Collina) [#26078](https://github.com/nodejs/node/pull/26078).
* tty
  * Added a `hasColors` method to `WriteStream` (Ruben Bridgewater)
    [#26247](https://github.com/nodejs/node/pull/26247).
  * Added NO_COLOR and FORCE_COLOR support (Ruben Bridgewater)
    [#26485](https://github.com/nodejs/node/pull/26485).
* v8
  * Added `v8.getHeapSnapshot` and `v8.writeHeapSnapshot` to generate snapshots
    in the format used by tools such as Chrome DevTools (James M Snell)
    [#26501](https://github.com/nodejs/node/pull/26501).
* worker
  * Added `worker.moveMessagePortToContext`. This enables using MessagePorts in
    different vm.Contexts, aiding with the isolation that the vm module seeks to
    provide (Anna Henningsen)
    [#26497](https://github.com/nodejs/node/pull/26497).
* C++ API
  * `AddPromiseHook` is now deprecated. This API was added to fill an use case
    that is served by `async_hooks`, since that has `Promise` support
    (Anna Henningsen) [#26529](https://github.com/nodejs/node/pull/26529).
  * Added a `Stop` API to shut down Node.js while it is running
    (Gireesh Punathil) [#21283](https://github.com/nodejs/node/pull/21283).
* meta
  * [Gireesh Punathil](https://github.com/gireeshpunathil) is now a member of
    the Technical Steering Committee
    [#26657](https://github.com/nodejs/node/pull/26657).
  * Added [Yongsheng Zhang](https://github.com/ZYSzys) to collaborators
    [#26730](https://github.com/nodejs/node/pull/26730).

PR-URL: https://github.com/nodejs/node/pull/26949
2019-03-28 20:23:29 +01:00
Ruben Bridgewater
969c63a0f1
2019-03-15, Version 11.12.0 (Current)
Notable Changes

* bootstrap:
  * Add experimental `--frozen-intrinsics` flag (Guy Bedford)
    https://github.com/nodejs/node/pull/25685
* build:
  * Enable v8's siphash for hash seed creation (Rod Vagg)
    https://github.com/nodejs/node/pull/26367
* deps:
  * Upgrade openssl to 1.1.1b (Sam Roberts)
    https://github.com/nodejs/node/pull/26327
* process:
  * Make `process[Symbol.toStringTag]` writable again
    (Ruben Bridgewater) https://github.com/nodejs/node/pull/26488
* repl:
  * Add `util.inspect.replDefaults` to customize the writer
    (Ruben Bridgewater) https://github.com/nodejs/node/pull/26375
* report:
  * Rename `triggerReport()` to `writeReport()` (Colin Ihrig)
    https://github.com/nodejs/node/pull/26527
2019-03-15 22:03:09 +01:00
Ruben Bridgewater
b22ee71ef6
2019-03-06, Version 11.11.0 (Current)
Notable Changes

* n-api:
  * Implement date object (Jarrod Connolly)
    https://github.com/nodejs/node/pull/25917
* util:
  * Add compact depth mode for `util.inspect()` (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/26269
* worker:
  * Improve integration with native addons (Anna Henningsen)
    https://github.com/nodejs/node/pull/26175
  * MessagePort.prototype.onmessage takes arguments closer to the Web
    specification now (Anna Henningsen)
    https://github.com/nodejs/node/pull/26082
2019-03-06 20:24:50 +01:00
Beth Griggs
a52c1ead02
2019-03-05, Version 10.15.3 'Dubnium' (LTS)
Notable Changes

* **doc**
  * add antsmartian to collaborators (Anto Aravinth)
    [#24655](https://github.com/nodejs/node/pull/24655)
* **http**
  * fix error check in Execute() (Brian White)
    [#25863](https://github.com/nodejs/node/pull/25863)
* **stream**
  * fix end-of-stream for HTTP/2 (Anna Henningsen)
    [#24926](https://github.com/nodejs/node/pull/24926)

PR-URL: https://github.com/nodejs/node/pull/26063
2019-03-05 17:08:25 +00:00
Rod Vagg
0d64a56012 2019-02-28, Version 6.17.0 'Boron' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with keep-alive HTTP connections
    (CVE-2019-5739)
  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)
  * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

Notable Changes:

* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
  CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
  certain circumstances, a TLS server can be forced to respond differently to
  a client if a zero-byte record is received with an invalid padding
  compared to a zero-byte record with an invalid MAC. This can be used as the
  basis of a padding oracle attack to decrypt data.
* http:
  - Backport `server.keepAliveTimeout` to prevent keep-alive HTTP and HTTPS
    connections remaining open and inactive for an extended period of time,
    leading to a potential Denial of Service (DoS).
    (CVE-2019-5739 / Timur Shemsedinov, Matteo Collina)
  - Further prevention of "Slowloris" attacks on HTTP and HTTPS
    connections by consistently applying the receive timeout set by
    `server.headersTimeout` to connections in keep-alive mode. Reported by
    Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/169
2019-02-28 22:36:11 +11:00
Rod Vagg
980cce6d29 2019-02-28, Version 8.15.1 'Carbon' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)
  * OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

Notable Changes:

* deps: OpenSSL has been upgraded to 1.0.2r which contains a fix for
  CVE-2019-1559 (https://www.openssl.org/news/secadv/20190226.txt). Under
  certain circumstances, a TLS server can be forced to respond differently to
  a client if a zero-byte record is received with an invalid padding
  compared to a zero-byte record with an invalid MAC. This can be used as the
  basis of a padding oracle attack to decrypt data.
* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/165
2019-02-28 22:31:14 +11:00
Rod Vagg
b974d0dd64 2019-02-28, Version 10.15.2 'Dubnium' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)

Notable Changes:

* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/164
2019-02-28 22:29:17 +11:00
Rod Vagg
f1cefdca80 2019-02-28, Version 11.10.1 (Current)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)

Notable Changes:

* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/163
2019-02-28 22:27:59 +11:00
Michaël Zasso
82ee0ff1b8
2018-02-14, Version 11.10.0 (Current)
Notable changes:

deps:
  * Updated libuv to 1.26.0.
  * Updated npm to 6.7.0.
http, http2:
  * `response.writeHead` now returns the response object.
perf_hooks:
  * Implemented a histogram based API.
process:
  * Exposed `process.features.inspector`.
repl:
  * Added `repl.setupHistory` for programmatic repl.
tls:
  * Introduced client "session" event.

PR-URL: https://github.com/nodejs/node/pull/26098
2019-02-14 23:55:48 +01:00
Michaël Zasso
9e08386e61
2019-01-30, Version 11.9.0 (Current)
Notable changes:

* deps:
  * OpenSSL has been updated to 1.1.1a, which is API/ABI compatible with
    the previous OpenSSL 1.1.0j. Note that while OpenSSL 1.1.1a supports
    TLS1.3, Node.js still does not.
    https://github.com/nodejs/node/pull/25582

PR-URL: https://github.com/nodejs/node/pull/25802
2019-01-30 23:06:17 +01:00
Shelley Vohr
d56212e6ef
2019-01-29, Version 10.15.1 'Dubnium' (LTS)
* doc:
  * add oyyd to collaborators (Ouyang Yadong) [#24300](https://github.com/nodejs/node/pull/24300)
* tls:
  * throw if protocol too long (Andre Jodat-Danbrani) [#23606](https://github.com/nodejs/node/pull/23606)

PR-URL: https://github.com/nodejs/node/pull/25346
2019-01-29 10:17:08 -08:00
Myles Borins
641de82404
2019-01-24, Version 11.8.0 (Current)
Notable Changes:

* events:
  * For unhandled `error` events with an argument that is not an
    `Error` object, the resulting exeption will have more information
    about the argument.
    https://github.com/nodejs/node/pull/25621
* child_process:
  * When the `maxBuffer` option is passed, `stdout` and `stderr` will
    be truncated rather than unavailable in case of an error.
    https://github.com/nodejs/node/pull/24951
* policy:
  * Experimental support for module integrity checks through a manifest
    file is implemented now.
    https://github.com/nodejs/node/pull/23834
* n-api:
  * The `napi_threadsafe_function` feature is now stable.
    https://github.com/nodejs/node/pull/25556
* report:
  * An experimental diagnostic API for capturing process state is
    available as `process.report` and through command line flags.
    https://github.com/nodejs/node/pull/22712
* tls:
  * `tls.connect()` takes a `timeout` option analogous to the
    `net.connect()` one.
    https://github.com/nodejs/node/pull/25517
* worker:
  * `process.umask()` is available as a read-only function inside Worker
    threads now.
    https://github.com/nodejs/node/pull/25526
  * An `execArgv` option that supports a subset of Node.js command line
    options is supported now.
    https://github.com/nodejs/node/pull/25467

PR-URL: https://github.com/nodejs/node/pull/25687
2019-01-24 20:51:40 -05:00
Ruben Bridgewater
d3f8f905b3
2019-01-17, Version 11.7.0 (Current), @BridgeAR
Notable Changes

* compression / zlib:
  * Added brotli support (Anna Henningsen and Zach Vacura)
    https://github.com/nodejs/node/pull/24938
* console:
  * Added `inspectOptions` option (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/24978
* crypto:
  * Always accept private keys as public keys (Tobias Nießen)
    https://github.com/nodejs/node/pull/25217
* deps:
  * Upgrade npm to v6.5.0 (Jordan Harband)
    https://github.com/nodejs/node/pull/25234
* fs:
  * Use internalBinding('fs') internally instead of
    process.binding('fs') (Masashi Hirano)
    https://github.com/nodejs/node/pull/22478
* http(s):
  * Support overriding http\\s.globalAgent (Roy Sommer)
    https://github.com/nodejs/node/pull/25170
* util:
  * Inspect ArrayBuffers contents closely (Ruben Bridgewater)
    https://github.com/nodejs/node/pull/25006
* worker:
  * Expose workers by default and remove `--experimental-worker` flag
    (Anna Henningsen) https://github.com/nodejs/node/pull/25361

PR-URL: https://github.com/nodejs/node/pull/25537
2019-01-18 14:03:19 +01:00
Myles Borins
e01999db14
2018-12-26, Version 11.6.0 (Current)
Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* crypto:
  - always accept certificates as public keys (Tobias Nießen)
    https://github.com/nodejs/node/pull/24234
  - add key object API (Tobias Nießen) [#24234](https://github.com/nodejs/node/pull/24234)
  - update root certificates (Sam Roberts)
    https://github.com/nodejs/node/pull/25113
* deps:
  - upgrade to libuv 1.24.1 (cjihrig)
    https://github.com/nodejs/node/pull/25078
  - upgrade npm to 6.5.0 (Audrey Eschright)
    https://github.com/nodejs/node/pull/24734
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25175
2018-12-26 11:24:51 -05:00
Myles Borins
78f2e142c5
2018-12-26, Version 10.15.0 'Dubnium' (LTS)
The 10.14.0 security release introduced some unexpected breakages on
the 10.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable Changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25176
2018-12-26 11:24:26 -05:00
Myles Borins
9542324d9e
2018-12-26, Version 8.15.0 'Carbon' (LTS)
The 8.14.0 security release introduced some unexpected breakages on
the 8.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25177
2018-12-26 11:23:32 -05:00
Myles Borins
7b9c9b3dcc
2018-12-26, Version 6.16.0 'Boron' (LTS)
The 6.15.0 security release introduced some unexpected breakages on
the 6.x release line. This is a special release to fix a regression
in the HTTP binary upgrade response body and add a missing CLI flag
to adjust the max header size of the http parser.

Notable changes:

* cli:
  - add --max-http-header-size flag (cjihrig)
    https://github.com/nodejs/node/pull/24811
* http:
  - add maxHeaderSize property (cjihrig)
    https://github.com/nodejs/node/pull/24860

PR-URL: https://github.com/nodejs/node/pull/25178
2018-12-26 11:22:24 -05:00
Beth Griggs
74a1dfb56e
2018-12-18, Version 11.5.0 (Current)
Notable changes:

* **tls**:
  * support "BEGIN TRUSTED CERTIFICATE" for ca: (Sam Roberts)
    [#24733](https://github.com/nodejs/node/pull/24733)
* **util**:
  * add inspection getter option (Ruben Bridgewater)
    [#24852](https://github.com/nodejs/node/pull/24852)

PR-URL: https://github.com/nodejs/node/pull/25102
2018-12-18 18:36:17 +00:00
Beth Griggs
1cbd377078
2018-12-18, Version 8.14.1 'Carbon' (LTS)
Notable changes:

* **assert**:
  - revert breaking change (Ruben Bridgewater)
    [#24786](https://github.com/nodejs/node/pull/24786)
* **http2**:
  - fix sequence of error/close events (Gerhard Stoebich)
    [#24789](https://github.com/nodejs/node/pull/24789)

PR-URL: https://github.com/nodejs/node/pull/24832
2018-12-18 11:29:17 -05:00
Shelley Vohr
6c6c5630a7
2018-12-11, Version 10.14.2 'Dubnium' (LTS)
Notable changes:

* deps:
  * upgrade to c-ares v1.15.0 (Ben Noordhuis)
    https://github.com/nodejs/node/pull/23854
* Windows:
  * A crashing process will now show the names of stack frames if the node.pdb
    file is available. (Refael Ackermann)
    https://github.com/nodejs/node/pull/23822
* Added new collaborators:
  * Peter Marshall. https://github.com/nodejs/node/pull/24170
  * Masashi Hirano. https://github.com/nodejs/node/pull/24136

PR-URL: https://github.com/nodejs/node/pull/24727
2018-12-11 15:38:17 -05:00
Ruben Bridgewater
bcef949c93
2018-12-07, Version 11.4.0 (Current)
Notable Changes:

* console,util:
  * `console` functions now handle symbols as defined in the spec.
    https://github.com/nodejs/node/pull/23708
  * The inspection `depth` default is now back at 2.
    https://github.com/nodejs/node/pull/24326
* dgram,net:
  * Added ipv6Only option for `net` and `dgram`.
    https://github.com/nodejs/node/pull/23798
* http:
  * Chosing between the http parser is now possible per runtime flag.
    https://github.com/nodejs/node/pull/24739
* readline:
  * The `readline` module now supports async iterators.
    https://github.com/nodejs/node/pull/23916
* repl:
  * The multiline history feature is removed.
    https://github.com/nodejs/node/pull/24804
* tls:
  * Added min/max protocol version options.
    https://github.com/nodejs/node/pull/24405
  * The X.509 public key info now includes the RSA bit size and the
    elliptic curve. https://github.com/nodejs/node/pull/24358
* url:
  * `pathToFileURL()` now supports LF, CR and TAB.
    https://github.com/nodejs/node/pull/23720
* Windows:
  * Tools are not installed using Boxstarter anymore.
    https://github.com/nodejs/node/pull/24677
  * The install-tools scripts or now included in the dist.
    https://github.com/nodejs/node/pull/24233
* Added new collaborator:
  * [antsmartian](https://github.com/antsmartian) - Anto Aravinth.
    https://github.com/nodejs/node/pull/24655

PR-URL: https://github.com/nodejs/node/pull/24854
2018-12-07 18:50:20 +01:00
Rod Vagg
dbdc9081fa 2018-12-03, Version 6.15.1 'Boron' (LTS)
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: https://github.com/nodejs/node/pull/24803
Refs: https://github.com/nodejs/node/pull/24796
Refs: https://github.com/nodejs/node/issues/24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
2018-12-04 01:06:32 +11:00
Myles Borins
9efcfd313a
2018-11-29, Version 10.14.1 'Dubnium' (LTS)
Notable Changes:

* **win/msi**: Revert changes to installer causing issues on Windows systems.

PR-URL: https://github.com/nodejs/node/pull/24711
2018-11-29 11:43:35 -05:00
Rod Vagg
cc399cf5b2 2018-11-27, Version 11.3.0 (Current)
This is a security release. All Node.js users should consult the security
release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)

Notable Changes:

* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/156/
2018-11-28 11:36:34 +11:00
Rod Vagg
9910cc29bc 2018-11-27, Version 10.14.0 'Dubnium' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)

Notable Changes:

* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/155/
2018-11-28 11:36:34 +11:00
Rod Vagg
59fdaede52 2018-11-27, Version 8.14.0 'Carbon' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs
  with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/154
2018-11-28 11:36:34 +11:00
Rod Vagg
957aeba352 2018-11-27, Version 6.15.0 'Boron' (LTS)
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * Node.js: Debugger port 5858 listens on any interface by default
    (CVE-2018-12120)
  * Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  * Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  * Node.js: Hostname spoofing in URL parser for javascript protocol
    (CVE-2018-12123)
  * Node.js: HTTP request splitting (CVE-2018-12116)
  * OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  * OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication
    (CVE-2018-5407)

Notable Changes:

* debugger: Backport of https://github.com/nodejs/node/pull/8106 to
  prevent the debugger from listening on `0.0.0.0`. It now defaults to
  `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis).
* deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
* http:
  * Headers received by HTTP servers must not exceed 8192 bytes in total to
    prevent possible Denial of Service attacks. Reported by Trevor Norris.
    (CVE-2018-12121 / Matteo Collina)
  * A timeout of 40 seconds now applies to servers receiving HTTP headers. This
    value can be adjusted with `server.headersTimeout`. Where headers are not
    completely received within this period, the socket is destroyed on the next
    received chunk. In conjunction with `server.setTimeout()`, this aids in
    protecting against excessive resource retention and possible Denial of
    Service. Reported by Jan Maybach (liebdich.com).
    (CVE-2018-12122 / Matteo Collina)
  * Two-byte characters are now strictly disallowed for the `path` option in
    HTTP client requests. Paths containing characters outside of the range
    `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior
    can be reverted if necessary by supplying the
    `--security-revert=CVE-2018-12116` command line argument (this is not
    recommended). Reported as security concern for Node.js 6 and 8 by
    Arkadiy Tetelman (lob.com), fixed by backporting a change by Benno
    Fünfstück applied to Node.js 10 and later.
    (CVE-2018-12116 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing
  URLs with `url.parse()` with the `'javascript:'` protocol. Reported by
  Martin Bajanik (kenticocloud.com). (CVE-2018-12123 / Matteo Collina)

PR-URL: https://github.com/nodejs-private/node-private/pull/153
2018-11-28 11:36:34 +11:00
Beth Griggs
2c2e6ec38d
2018-11-20, Version 8.13.0 'Carbon' (LTS)
Notable changes:

* **assert**:
  - backport some assert commits (Ruben Bridgewater)
    [#23223](https://github.com/nodejs/node/pull/23223)
* **deps**:
  - upgrade to libuv 1.23.2 (cjihrig)
    [#23336](https://github.com/nodejs/node/pull/23336)
  - V8: cherry-pick 64-bit hash seed commits (Yang Guo)
    [#23274](https://github.com/nodejs/node/pull/23274)
* **http**:
  - added aborted property to request (Robert Nagy)
    [#20094](https://github.com/nodejs/node/pull/20094)
* **http2**:
  - graduate from experimental (James M Snell)
    [#22466](https://github.com/nodejs/node/pull/22466)

PR-URL: https://github.com/nodejs/node/pull/23974
2018-11-20 13:13:11 -05:00
Ruben Bridgewater
406d9caab5
2018-11-15, Version 11.2.0 (Current)
Notable changes:

* deps:
  * A new experimental HTTP parser (`llhttp`) is now supported.
    https://github.com/nodejs/node/pull/24059
* timers:
  * Fixed an issue that could cause setTimeout to stop working as
    expected. https://github.com/nodejs/node/pull/24322
* Windows
  * A crashing process will now show the names of stack frames if the
    node.pdb file is available.
    https://github.com/nodejs/node/pull/23822
  * Continued effort to improve the installer's new stage that installs
    native build tools.
    https://github.com/nodejs/node/pull/23987,
    https://github.com/nodejs/node/pull/24348
  * child_process:
    * On Windows the `windowsHide` option default was restored to
      `false`. This means `detached` child processes and GUI apps will
      once again start in a new window.
      https://github.com/nodejs/node/pull/24034
* Added new collaborators:
  * [oyyd](https://github.com/oyyd) - Ouyang Yadong.
    https://github.com/nodejs/node/pull/24300
  * [psmarshall](https://github.com/psmarshall) - Peter Marshall.
    https://github.com/nodejs/node/pull/24170
  * [shisama](https://github.com/shisama) - Masashi Hirano.
    https://github.com/nodejs/node/pull/24136

PR-URL: https://github.com/nodejs/node/pull/24350
2018-11-15 22:16:09 +01:00
Rich Trott
c3809ffc24 tools: enable 80-char line length markdown linting
PR-URL: https://github.com/nodejs/node/pull/24094
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
2018-11-07 09:27:33 -08:00
Michaël Zasso
74ba48294b
2018-11-02, Version 11.1.0 (Current)
Notable changes:

* deps
  * Updated ICU to 63.1. https://github.com/nodejs/node/pull/23715
* repl
  * Top-level for-await-of is now supported in the REPL.
    https://github.com/nodejs/node/pull/23841
* timers
  * Fixed an issue that could cause timers to enter an infinite loop.
    https://github.com/nodejs/node/pull/23870

PR-URL: https://github.com/nodejs/node/pull/23922
2018-11-02 13:34:02 +01:00
Rich Trott
34f164f1c2 doc: revise CHANGELOG.md text
Make the text shorter and clearer.

PR-URL: https://github.com/nodejs/node/pull/23988
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
2018-11-01 23:27:40 -07:00
Myles Borins
cd1193d9ed
2018-10-30 Version 10.13.0 'Dubnium' (LTS)
This release marks the transition of Node.js 10.x into Long Term
Support (LTS) with the codename 'Dubnium'. The 10.x release line
now moves in to "Active LTS" and will remain so until April 2020.
After that time it will move in to "Maintenance" until end of
life in April 2021.

Notable Changes:

This release only includes minimal changes necessary to fix known
regressions prior to LTS.

PR-URL: https://github.com/nodejs/node/pull/23831
2018-10-30 04:45:24 -04:00
James M Snell
3516052bee
2018-10-23, Version 11.0.0 (Current)
Notable changes:

* Build
  * FreeBSD 10 is no longer supported.[#22617](https://github.com/nodejs/node/pull/22617)
* `child_process`
  * The default value of the `windowsHide` option has been changed
    to `true`. [#21316](https://github.com/nodejs/node/pull/21316)
* `console`
  * `console.countReset()` will emit a warning if the timer
    being reset does not exist. [#21649](https://github.com/nodejs/node/pull/21649)
  * `console.time()` will no longer reset a timer if it already
    exists. [#20442](https://github.com/nodejs/node/pull/20442)
* Dependencies
  * V8 has been updated to 7.0.
    [#22754](https://github.com/nodejs/node/pull/22754)
* `fs`
  * The `fs.read()` method now requires a callback.
    [#22146](https://github.com/nodejs/node/pull/22146)
  * The previously deprecated `fs.SyncWriteStream` utility has been
    removed.[#20735](https://github.com/nodejs/node/pull/20735)
* `http`
  * The `http`, `https`, and `tls` modules now use the WHATWG URL parser
    by default. [#20270](https://github.com/nodejs/node/pull/20270)
* General
  * Use of `process.binding()` has been deprecated. Userland code using
    `process.binding()` should re-evaluate that use and begin migrating. If
    there are no supported API alternatives, please open an issue in the
    Node.js GitHub repository so that a suitable alternative may be discussed.
  * An experimental implementation of `queueMicrotask()` has been added.
    [#22951](https://github.com/nodejs/node/pull/22951)
* Internal
  * Windows performance-counter support has been removed.
    [#22485](https://github.com/nodejs/node/pull/22485)
  * The `--expose-http2` command-line option has been removed.
    [#20887](https://github.com/nodejs/node/pull/20887)
* Timers
  * Interval timers will be rescheduled even if previous interval threw
    an error. [#20002](https://github.com/nodejs/node/pull/20002)
* `util`
  * The WHATWG `TextEncoder` and `TextDecoder` are now globals.
    [#22281](https://github.com/nodejs/node/pull/22281)
  * `util.inspect()` output size is limited to 128 MB by default.
    [#22756](https://github.com/nodejs/node/pull/22756)
  * A runtime warning will be emitted when `NODE_DEBUG` is set for
    either `http` or `http2`. [#21914](https://github.com/nodejs/node/pull/21914)
2018-10-23 11:03:02 -07:00
Michaël Zasso
cd8ee2d033
2018-10-10, Version 10.12.0 (Current)
Notable changes:

* assert
  * The diff output is now a tiny bit improved by sorting object
    properties when inspecting the values that are compared with each
    other. https://github.com/nodejs/node/pull/22788
* cli
  * The options parser now normalizes `_` to `-` in all multi-word
    command-line flags, e.g. `--no_warnings` has the same effect as
    `--no-warnings`. https://github.com/nodejs/node/pull/23020
  * Added bash completion for the `node` binary. To generate a bash
    completion script, run `node --completion-bash`. The output can be
    saved to a file which can be sourced to enable completion.
    https://github.com/nodejs/node/pull/20713
* crypto
  * Added support for PEM-level encryption.
    https://github.com/nodejs/node/pull/23151
  * Added an API asymmetric key pair generation. The new methods
    `crypto.generateKeyPair` and `crypto.generateKeyPairSync` can be
    used to generate public and private key pairs. The API supports
    RSA, DSA and EC and a variety of key encodings (both PEM and DER).
    https://github.com/nodejs/node/pull/22660
* fs
  * Added a `recursive` option to `fs.mkdir` and `fs.mkdirSync`. If
    this option is set to true, non-existing parent folders will be
    automatically created. https://github.com/nodejs/node/pull/21875
* http2
  * Added a `'ping'` event to `Http2Session` that is emitted whenever a
    non-ack `PING` is received.
    https://github.com/nodejs/node/pull/23009
  * Added support for the `ORIGIN` frame.
    https://github.com/nodejs/node/pull/22956
  * Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect
    protocol support to allow use of WebSockets over HTTP/2.
    https://github.com/nodejs/node/pull/23284
* module
  * Added `module.createRequireFromPath(filename)`. This new method can
    be used to create a custom require function that will resolve
    modules relative to the filename path.
    https://github.com/nodejs/node/pull/19360
* process
  * Added a `'multipleResolves'` process event that is emitted whenever
    a `Promise` is attempted to be resolved multiple times, e.g. if the
    `resolve` and `reject` functions are both called in a `Promise`
    executor. https://github.com/nodejs/node/pull/22218
* url
  * Added `url.fileURLToPath(url)` and `url.pathToFileURL(path)`. These
    methods can be used to correctly convert between file: URLs and
    absolute paths. https://github.com/nodejs/node/pull/22506
* util
  * Added the `sorted` option to `util.inspect()`. If set to `true`,
    all properties of an object and Set and Map entries will be sorted
    in the returned string. If set to a function, it is used as a
    compare function. https://github.com/nodejs/node/pull/22788
  * The `util.instpect.custom` symbol is now defined in the global
    symbol registry as `Symbol.for('nodejs.util.inspect.custom')`.
    https://github.com/nodejs/node/pull/20857
  * Added support for `BigInt` numbers in `util.format()`.
    https://github.com/nodejs/node/pull/22097
* V8 API
  * A number of V8 C++ APIs have been marked as deprecated since they
    have been removed in the upstream repository. Replacement APIs
    are added where necessary. https://github.com/nodejs/node/pull/23159
* Windows
  * The Windows msi installer now provides an option to automatically
    install the tools required to build native modules.
    https://github.com/nodejs/node/pull/22645
* Workers
  * Debugging support for Workers using the DevTools protocol has been
    implemented. https://github.com/nodejs/node/pull/21364
  * The public `inspector` module is now enabled in Workers.
    https://github.com/nodejs/node/pull/22769
* Added new collaborators:
  * digitalinfinity - Hitesh Kanwathirtha

PR-URL: https://github.com/nodejs/node/pull/23313
2018-10-10 23:18:55 +02:00
Michaël Zasso
df9abb638d
2018-09-20, Version 10.11.0 (Current)
Notable changes:

* fs
  * Fixed fsPromises.readdir `withFileTypes`.
    https://github.com/nodejs/node/pull/22832
* http2
  * Added `http2stream.endAfterHeaders` property.
    https://github.com/nodejs/node/pull/22843
* util
  * Added `util.types.isBoxedPrimitive(value)`.
    https://github.com/nodejs/node/pull/22620
* Added new collaborators:
  * boneskull (https://github.com/boneskull) - Christopher Hiller
* The Technical Steering Committee has new members:
  * apapirovski (https://github.com/apapirovski) - Anatoli Papirovski
  * gabrielschulhof (https://github.com/gabrielschulhof) - Gabriel Schulhof

PR-URL: https://github.com/nodejs/node/pull/22932
2018-09-20 13:32:38 +02:00
Myles Borins
121439a8ff
2018-09-11, Version 8.12.0 'Carbon' (LTS)
Notable Changes:

* async_hooks:
  - rename PromiseWrap.parentId (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/18633
  - remove runtime deprecation (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/19517
  - deprecate unsafe emit{Before,After} (Ali Ijaz Sheikh)
    https://github.com/nodejs/node/pull/18513
* cluster:
  - add cwd to cluster.settings (cjihrig)
    https://github.com/nodejs/node/pull/18399
  - support windowsHide option for workers (Todd Wong)
    https://github.com/nodejs/node/pull/17412
* crypto:
  - allow passing null as IV unless required (Tobias Nießen)
    https://github.com/nodejs/node/pull/18644
* deps:
  - upgrade npm to 6.2.0 (Kat Marchán)
    https://github.com/nodejs/node/pull/21592
  - upgrade libuv to 1.19.2 (cjihrig)
    https://github.com/nodejs/node/pull/18918
  - Upgrade node-inspect to 1.11.5 (Jan Krems)
    https://github.com/nodejs/node/pull/21055
* fs,net:
  - support as and as+ flags in stringToFlags() (Sarat Addepalli)
    https://github.com/nodejs/node/pull/18801
  - emit 'ready' for fs streams and sockets (Sameer Srivastava)
    https://github.com/nodejs/node/pull/19408
* http, http2:
  - add options to http.createServer() (Peter Marton)
    https://github.com/nodejs/node/pull/15752
  - add 103 Early Hints status code (Yosuke Furukawa)
    https://github.com/nodejs/node/pull/16644
  - add http fallback options to .createServer (Peter Marton)
    https://github.com/nodejs/node/pull/15752
* n-api:
  - take n-api out of experimental (Michael Dawson)
    https://github.com/nodejs/node/pull/19262
* perf_hooks:
  - add warning when too many entries in the timeline (James M Snell)
    https://github.com/nodejs/node/pull/18087
* src:
  - add public API for managing NodePlatform (Cheng Zhao)
    https://github.com/nodejs/node/pull/16981
  - allow --perf-(basic-)?prof in NODE\_OPTIONS (Leko)
    https://github.com/nodejs/node/pull/17600
  - node internals' postmortem metadata (Matheus Marchini)
    https://github.com/nodejs/node/pull/14901
* tls:
  - expose Finished messages in TLSSocket (Anton Salikhmetov)
    https://github.com/nodejs/node/pull/19102
* **trace_events**:
  - add file pattern cli option (Andreas Madsen)
    https://github.com/nodejs/node/pull/18480
* util:
  - implement util.getSystemErrorName() (Joyee Cheung)
    https://github.com/nodejs/node/pull/18186

PR-URL: https://github.com/nodejs/node/pull/21593
2018-09-11 01:33:27 -04:00
Michaël Zasso
ed976d76b0
2018-09-06, Version 10.10.0 (Current)
Notable changes:

* child_process:
  * `TypedArray` and `DataView` values are now accepted as input by
    `execFileSync` and `spawnSync`. https://github.com/nodejs/node/pull/22409
* coverage:
  * Native V8 code coverage information can now be output to disk by setting the
    environment variable `NODE_V8_COVERAGE` to a directory. https://github.com/nodejs/node/pull/22527
* deps:
  * The bundled npm was upgraded to version 6.4.1. https://github.com/nodejs/node/pull/22591
    * Changelogs:
      [6.3.0-next.0](https://github.com/npm/cli/releases/tag/v6.3.0-next.0)
      [6.3.0](https://github.com/npm/cli/releases/tag/v6.3.0)
      [6.4.0](https://github.com/npm/cli/releases/tag/v6.4.0)
      [6.4.1](https://github.com/npm/cli/releases/tag/v6.4.1)
* fs:
  * The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`,
    `fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray` and
    `DataView` objects. https://github.com/nodejs/node/pull/22150
  * A new boolean option, `withFileTypes`, can be passed to to `fs.readdir` and
    `fs.readdirSync`. If set to true, the methods return an array of directory
    entries. These are objects that can be used to determine the type of each
    entry and filter them based on that without calling `fs.stat`. https://github.com/nodejs/node/pull/22020
* http2:
  * The `http2` module is no longer experimental. https://github.com/nodejs/node/pull/22466
* os:
  * Added two new methods: `os.getPriority` and `os.setPriority`, allowing to
    manipulate the scheduling priority of processes. https://github.com/nodejs/node/pull/22407
* process:
  * Added `process.allowedNodeEnvironmentFlags`. This object can be used to
    programmatically validate and list flags that are allowed in the
    `NODE_OPTIONS` environment variable. https://github.com/nodejs/node/pull/19335
* src:
  * Deprecated option variables in public C++ API. https://github.com/nodejs/node/pull/22515
  * Refactored options parsing. https://github.com/nodejs/node/pull/22392
* vm:
  * Added `vm.compileFunction`, a method to create new JavaScript functions from
    a source body, with options similar to those of the other `vm` methods. https://github.com/nodejs/node/pull/21571
* Added new collaborators:
  * [lundibundi](https://github.com/lundibundi) - Denys Otrishko

PR-URL: https://github.com/nodejs/node/pull/22716
2018-09-06 23:57:43 +02:00
Rod Vagg
97c1fa3d3b 2018-08-15, Version 10.9.0 (Current)
Notable changes:

* buffer:
  * Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
    (CVE-2018-12115)
  * Fix unintentional exposure of uninitialized memory in `Buffer.alloc()`
    (CVE-2018-7166)
* deps:
  * Upgrade to OpenSSL 1.1.0i, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
  * Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
    - Memory reduction and performance improvements, details at:
      https://v8project.blogspot.com/2018/06/v8-release-68.html
* http: `http.get()` and `http.request()` (and `https` variants) can now accept
  three arguments to allow for a `URL` _and_ an `options` object
  (Sam Ruby) #21616
* Added new collaborators
  * Sam Ruby (https://github.com/rubys)
  * George Adams (https://github.com/gdams)
2018-08-16 11:52:38 +10:00
Rod Vagg
1efdc5876d 2018-08-15, Version 8.11.4 'Carbon' (LTS)
This is a security release. All Node.js users should consult the
security release summary at:

  https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * CVE-2018-0732 (OpenSSL)
  * CVE-2018-12115 (Node.js)

Notable changes:

* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
  (CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel (CVE not assigned)
2018-08-16 11:52:38 +10:00
Rod Vagg
82ab9b336d 2018-08-15, Version 6.14.4 'Boron' (LTS)
This is a security release. All Node.js users should consult the
security release summary at:

  https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  * CVE-2018-0732 (OpenSSL)
  * CVE-2018-12115 (Node.js)

Notable changes:

* buffer: Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2 encoding
  (CVE-2018-12115)
* deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel (CVE not assigned)
2018-08-16 11:52:38 +10:00
Michaël Zasso
27a5338c8a
2018-08-01, Version 10.8.0 (Current)
Notable changes:

* deps:
  * Upgrade npm to 6.2.0. (https://github.com/nodejs/node/pull/21592)
    * npm has moved. This release updates various URLs to point to the right
      places for bugs, support, and PRs.
    * Fix the regular expression matching in `xcode_emulation` in `node-gyp` to
      also handle version numbers with multiple-digit major versions which would
      otherwise break under use of XCode 10.
    * The npm tree has been *significantly* flattened. Tarball size for the npm
      package has gone from 8MB to 4.8MB.
    * Changelogs:
      https://github.com/npm/npm/releases/tag/v6.2.0-next.0
      https://github.com/npm/npm/releases/tag/v6.2.0-next.1
      https://github.com/npm/cli/releases/tag/v6.2.0)

PR-URL: https://github.com/nodejs/node/pull/22040
2018-08-01 20:54:26 +02:00
Michaël Zasso
bb87e41696
2018-07-18, Version 10.7.0 (Current)
Notable changes:

* console:
  * The `console.timeLog()` method has been implemented.
    (https://github.com/nodejs/node/pull/21312)
* deps:
  * Upgrade to libuv 1.22.0. (https://github.com/nodejs/node/pull/21731)
  * Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1).
    (https://github.com/nodejs/node/pull/21728)
* http:
  * Added support for passing both `timeout` and `agent` options to
    `http.request`. (https://github.com/nodejs/node/pull/21204)
* inspector:
  * Expose the original console API in `require('inspector').console`.
    (https://github.com/nodejs/node/pull/21659)
* napi:
  * Added experimental support for functions dealing with bigint numbers.
    (https://github.com/nodejs/node/pull/21226)
* process:
  * The `process.hrtime.bigint()` method has been implemented.
    (https://github.com/nodejs/node/pull/21256)
  * Added the `--title` command line argument to set the process title on
    startup. (https://github.com/nodejs/node/pull/21477)
* trace_events:
  * Added process_name metadata.
    (https://github.com/nodejs/node/pull/21477)
* Added new collaborators
  * codebytere - Shelley Vohr

PR-URL: https://github.com/nodejs/node/pull/21851
2018-07-18 20:17:23 +02:00
Сковорода Никита Андреевич
195480a8bc doc: update changelog with 9.x EOL
This removes unsupported versions from the table, as those might confuse
people, execially given the
  > Release versions displayed in **bold** text represent the most
  > recent actively supported release.
remark below.

It was inconsistent to keep some of the EOL entries in the table while
removing others (v5.x, v7.x) -- this commit takes care of that.

Instead, release status is hinted in the branch list above, highlighting
two main branches -- Current and Active LTS.

Also update the link to the Release repo.

Refs: https://github.com/nodejs/Release/pull/351
PR-URL: https://github.com/nodejs/node/pull/21612
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Jon Moss <me@jonathanmoss.me>
2018-07-10 17:52:43 +03:00
Michaël Zasso
7951e6d26b
2018-07-04, Version 10.6.0 (Current)
Notable changes:

* dns:
  * An experimental promisified version of the dns module is now available. Give
    it a try with `require('dns').promises`. [#21264](https://github.com/nodejs/node/pull/21264)
* fs:
  * `fs.lchown` has been undeprecated now that libuv supports it. [#21498](https://github.com/nodejs/node/pull/21498)
* lib:
  * `Atomics.wake` is being renamed to `Atomics.notify` in the ECMAScript
    specification ([reference](https://github.com/tc39/ecma262/pull/1220)).
    Since Node.js now has experimental support for worker threads, we are being
    proactive and added a `notify` alias, while emitting a warning if
    `wake` is used. [#21413](https://github.com/nodejs/node/pull/21413) [#21518](https://github.com/nodejs/node/pull/21518)
* n-api:
  * Add API for asynchronous functions. [#17887](https://github.com/nodejs/node/pull/17887)
* util:
  * `util.inspect` is now able to return a result instead of throwing when the
    maximum call stack size is exceeded during inspection. [#20725](https://github.com/nodejs/node/pull/20725)
* vm:
  * Add `script.createCachedData()`. This API replaces the `produceCachedData`
    option of the `Script` constructor that is now deprecated. [#20300](https://github.com/nodejs/node/pull/20300)
* worker:
  * Support for relative paths has been added to the `Worker` constructor. Paths
    are interpreted relative to the current working directory. [#21407](https://github.com/nodejs/node/pull/21407)

PR-URL: https://github.com/nodejs/node/pull/21629
2018-07-04 20:06:26 +02:00
Michaël Zasso
680aeb3467
2018-16-20, Version 10.5.0 (Current)
Notable changes:

* **crypto**:
  * Support for `crypto.scrypt()` has been added.
    [#20816](https://github.com/nodejs/node/pull/20816)
* **fs**:
  * BigInt support has been added to `fs.stat` and `fs.watchFile`.
    [#20220](https://github.com/nodejs/node/pull/20220)
  * APIs that take `mode` as arguments no longer throw on values larger
    than `0o777`. [#20636](https://github.com/nodejs/node/pull/20636)
    [#20975](https://github.com/nodejs/node/pull/20975)
    (Fixes: [#20498](https://github.com/nodejs/node/issues/20498))
  * Fix crashes in closed event watchers.
    [#20985](https://github.com/nodejs/node/pull/20985)
    (Fixes: [#20297](https://github.com/nodejs/node/issues/20297))
* **Worker Threads**:
  * Support for multi-threading has been added behind the
    `--experimental-worker` flag in the `worker_threads` module.
    This feature is *experimental* and may receive breaking changes at
    any time. [#20876](https://github.com/nodejs/node/pull/20876)

PR-URL: https://github.com/nodejs/node/pull/21400
2018-06-20 20:39:16 +02:00
Evan Lucas
06cab45b2c 2018-06-12, Version 10.4.1 (Current)
Notable changes:

* **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced
    in 9.7.0 that increases the memory consumed when reading from the network
    into JavaScript using the net.Socket object directly as a stream.
* **http2**
  * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
    http2 implementation to not crash under certain circumstances during cleanup
  * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
    nghttp2 to 1.32.0
* **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating
    the TLS implementation to not crash upon receiving
* **n-api**: Prevent use-after-free in napi_delete_async_work

PR-URL: https://github.com/nodejs-private/node-private/pull/136
2018-06-12 18:54:17 -05:00
Evan Lucas
0fb290a347 2018-06-12, Version 9.11.2 (Maintenance)
Notable changes:

* **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced
    in 9.7.0 that increases the memory consumed when reading from the network
    into JavaScript using the net.Socket object directly as a stream.
* **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where
    calling Buffer.fill() could hang
* **http2**
  * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
    http2 implementation to not crash under certain circumstances during cleanup
  * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
    nghttp2 to 1.32.0
* **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating
    the TLS implementation to not crash upon receiving

PR-URL: https://github.com/nodejs-private/node-private/pull/135
2018-06-12 18:54:17 -05:00
Evan Lucas
4913bd41f1 2018-06-12, Version 8.11.3 (LTS)
Notable changes:

* **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability
    where calling Buffer.fill() could hang
* **http2**
  * (CVE-2018-7161): Fixes Denial of Service vulnerability by
      updating the http2 implementation to not crash under
      certain circumstances during cleanup
  * (CVE-2018-1000168): Fixes Denial of Service vulnerability
      by upgrading nghttp2 to 1.32.0

PR-URL: https://github.com/nodejs-private/node-private/pull/126
2018-06-12 18:54:17 -05:00
Evan Lucas
fbc68a5cea 2018-06-12, Version 6.14.3 (LTS)
Notable changes:

* **buffer** (CVE-2018-7167): Fixes Denial of Service
    vulnerability where calling Buffer.fill() could hang

PR-URL: https://github.com/nodejs-private/node-private/pull/134
2018-06-12 18:31:11 -05:00