| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
- Fix NetBSD/i386 support (hopefully also works for other ILP32 archs)
- Add NetBSD/aarch64 support
- Bump revision
|
|
ok leot
|
|
10.15.1:
Notable Changes
doc:
- add oyyd to collaborators (Ouyang Yadong)
tls:
- throw if protocol too long
Bug fixes
|
|
|
|
|
|
|
|
|
|
Version 10.15.0 'Dubnium' (LTS):
The 10.14.0 security release introduced some unexpected breakages on the 10.x release line. This is a special release to fix a regression in the HTTP binary upgrade response body and add a missing CLI flag to adjust the max header size of the http parser.
Notable Changes
cli:
add --max-http-header-size flag
http:
add maxHeaderSize property
|
|
|
|
from Mike Pumford.
|
|
Version 10.14.2 'Dubnium' (LTS)
This LTS release comes with 374 commits. This includes 165 which are test or benchmark related, 77 which are doc related, 29 which are build / tool related and 15 commits which update dependencies.
Notable Changes
* deps:
- upgrade to c-ares v1.15.0
* Windows:
- A crashing process will now show the names of stack frames if the node.pdb file is available.
|
|
Version 10.14.1 'Dubnium' (LTS):
Notable Changes
win/msi: Revert changes to installer causing issues on Windows systems.
|
|
Version 10.14.0 'Dubnium' (LTS):
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
- Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
- A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol.
|
|
Version 10.13.0 'Dubnium' (LTS)
This release marks the transition of Node.js 10.x into Long Term Support (LTS) with the codename 'Dubnium'. The 10.x release line now moves in to "Active LTS" and will remain so until April 2020. After that time it will move in to "Maintenance" until end of life in April 2021.
Notable Changes
This release only includes minimal changes necessary to fix known regressions prior to LTS.
Version 10.12.0 (Current)
Notable changes
assert
* The diff output is now a tiny bit improved by sorting object properties when inspecting the values that are compared with each other.
cli
* The options parser now normalizes _ to - in all multi-word command-line flags, e.g. --no_warnings has the same effect as --no-warnings.
* Added bash completion for the node binary. To generate a bash completion script, run node --completion-bash. The output can be saved to a file which can be sourced to enable completion.
crypto
* Added support for PEM-level encryption.
* Added an API asymmetric key pair generation. The new methods crypto.generateKeyPair and crypto.generateKeyPairSync can be used to generate public and private key pairs. The API supports RSA, DSA and EC and a variety of key encodings (both PEM and DER).
fs
* Added a recursive option to fs.mkdir and fs.mkdirSync. If this option is set to true, non-existing parent folders will be automatically created.
http2
* Added a 'ping' event to Http2Session that is emitted whenever a non-ack PING is received.
* Added support for the ORIGIN frame.
* Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect protocol support to allow use of WebSockets over HTTP/2.
module
* Added module.createRequireFromPath(filename). This new method can be used to create a custom require function that will resolve modules relative to the filename path.
process
* Added a 'multipleResolves' process event that is emitted whenever a Promise is attempted to be resolved multiple times, e.g. if the resolve and reject functions are both called in a Promise executor.
url
* Added url.fileURLToPath(url) and url.pathToFileURL(path). These methods can be used to correctly convert between file: URLs and absolute paths.
util
* Added the sorted option to util.inspect(). If set to true, all properties of an object and Set and Map entries will be sorted in the returned string. If set to a function, it is used as a compare function.
The util.instpect.custom symbol is now defined in the global symbol registry as Symbol.for('nodejs.util.inspect.custom').
* Added support for BigInt numbers in util.format().
V8 API
* A number of V8 C++ APIs have been marked as deprecated since they have been removed in the upstream repository. Replacement APIs are added where necessary.
Windows
* The Windows msi installer now provides an option to automatically install the tools required to build native modules.
Workers
* Debugging support for Workers using the DevTools protocol has been implemented.
* The public inspector module is now enabled in Workers.
|
|
|
|
|
|
- fs
- Fixed fsPromises.readdir `withFileTypes`.
- http2
- Added `http2stream.endAfterHeaders` property.
- util
- Added `util.types.isBoxedPrimitive(value)`.
|
|
|
|
- child_process:
- `TypedArray` and `DataView` values are now accepted as input by
`execFileSync` and `spawnSync`.
- coverage:
- Native V8 code coverage information can now be output to disk by
setting the environment variable `NODE_V8_COVERAGE` to a directory.
- fs:
- The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`,
`fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray`
and `DataView` objects.
- A new boolean option, `withFileTypes`, can be passed to to
`fs.readdir` and `fs.readdirSync`. If set to true, the methods
return an array of directory entries. These are objects that can
be used to determine the type of each entry and filter them based
on that without calling `fs.stat`.
- http2:
- The `http2` module is no longer experimental.
- os:
- Added two new methods: `os.getPriority` and `os.setPriority`,
allowing to manipulate the scheduling priority of processes.
- process:
- Added `process.allowedNodeEnvironmentFlags`. This object can be
used to programmatically validate and list flags that are allowed
in the `NODE_OPTIONS` environment variable.
- src:
- Deprecated option variables in public C++ API.
- Refactored options parsing.
- vm:
- Added `vm.compileFunction`, a method to create new JavaScript
functions from a source body, with options similar to those of
the other `vm` methods.
|
|
- buffer:
- Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2
encoding (CVE-2018-12115)
- Fix unintentional exposure of uninitialized memory in
`Buffer.alloc()` (CVE-2018-7166)
- deps:
- Upgrade to OpenSSL 1.1.0i, fixing:
- Client DoS due to large DH parameter (CVE-2018-0732)
- ECDSA key extraction via local side-channel (CVE not assigned)
- Upgrade V8 from 6.7 to 6.8
- Memory reduction and performance improvements
- http: `http.get()` and `http.request()` (and `https` variants) can
now accept three arguments to allow for a `URL` _and_ an `options`
object
|
|
Bump revision.
This fixes a build failure on my machine with an older libuv version
installed.
|
|
No notable changes besides update to npm 6.2.0, which we do not
bundle.
|
|
- console:
- The `console.timeLog()` method has been implemented.
- deps:
- Upgrade to libuv 1.22.0.
- Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1).
- http:
- Added support for passing both `timeout` and `agent` options to
`http.request`.
- inspector:
- Expose the original console API in `require('inspector').console`.
- napi:
- Added experimental support for functions dealing with bigint
numbers.
- process:
- The `process.hrtime.bigint()` method has been implemented.
- Added the `--title` command line argument to set the process title
on startup.
- trace_events:
- Added process\_name metadata.
|
|
|
|
- dns: An experimental promisified version of the dns module is now
available. Give it a try with `require('dns').promises`.
- fs: `fs.lchown` has been undeprecated now that libuv supports it.
- lib: `Atomics.wake` is being renamed to `Atomics.notify` in the
ECMAScript specification. Since Node.js now has experimental support
for worker threads, we are being proactive and added a `notify` alias,
while emitting a warning if `wake` is used.
- n-api: Add API for asynchronous functions.
- util: `util.inspect` is now able to return a result instead of
throwing when the maximum call stack size is exceeded during
inspection.
- vm: Add `script.createCachedData()`. This API replaces the
`produceCachedData` option of the `Script` constructor that is now
deprecated.
- worker: Support for relative paths has been added to the `Worker`
constructor. Paths are interpreted relative to the current working
directory.
|
|
|
|
crypto:
- Support for crypto.scrypt() has been added.
fs:
- BigInt support has been added to fs.stat and fs.watchFile.
- APIs that take mode as arguments no longer throw on values larger
than 0o777.
- Fix crashes in closed event watchers.
Worker Threads:
- Support for multi-threading has been added behind the
--experimental-worker flag in the worker_threads module. This
feature is experimental and may receive breaking changes at any time.
|
|
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced
in 9.7.0 that increases the memory consumed when reading from the
network into JavaScript using the net.Socket object directly as a
stream.
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating
the http2 implementation to not crash under certain circumstances
during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by
upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by
updating the TLS implementation to not crash upon receiving
- n-api: Prevent use-after-free in napi_delete_async_work
|
|
- deps: update V8 to 6.7.288.43
- stream: ensure Stream.pipeline re-throws errors without callback
|
|
- fs: fix reads with pos > 4GB
- net: new option to allow IPC servers to be readable and writable
by all users
- stream: fix removeAllListeners() for Stream.Readable to work as
expected when no arguments are passed
|
|
- http: fix res emit close before user finish
- src: re-integrate headers into node.h
- test: mark test-zlib.zlib-binding.deflate as flaky
|
|
- addons:
- Fixed a memory leak for users of `AsyncResource` and N-API.
- assert:
- The `error` parameter of `assert.throws()` can be an object
containing regular expressions now.
- crypto:
- The `authTagLength` option has been made more flexible.
- esm:
- Builtin modules (e.g. `fs`) now provide named exports in ES6
modules.
- http:
- Handling of `close` and `aborted` events has been made more
consistent.
- module:
- add --preserve-symlinks-main
- timers:
- `timeout.refresh()` has been added to the public API.
- Embedder support:
- Functions for creating V8 `Isolate` and `Context` objects with
Node.js-specific behaviour have been added to the API.
- Node.js `Environment`s clean up resources before exiting now.
- Support for multi-threaded embedding has been improved.
|
|
- console: make console.table() use colored inspect
- fs: move fs/promises to fs.promises
- http: added aborted property to request
- n-api: initialize a module via a special symbol
- src: add public API to expose the main V8 Platform
|
|
versions.
Switch back to bundled nghttp2 on lang/nodejs to reconcile a conflict
of OpenSSL versions.
|
|
|
|
|
|
Use bundled OpenSSL until pkgsrc provides the required 1.1.x.
### Notable Changes
- Assert
- Calling `assert.fail()` with more than one argument is deprecated.
- Calling `assert.ok()` with no arguments will now throw.
- Calling `assert.ifError()` will now throw with any argument other
than `undefined` or `null`. Previously the method would throw with
any truthy value.
- The `assert.rejects()` and `assert.doesNotReject()` methods have
been added for working with async functions.
- Async_hooks
- Older experimental async_hooks APIs have been removed.
- Buffer
- Uses of `new Buffer()` and `Buffer()` outside of the
`node_modules` directory will now emit a runtime deprecation
warning.
- `Buffer.isEncoding()` now returns `undefined` for falsy values,
including an empty string.
- `Buffer.fill()` will throw if an attempt is made to fill with an
empty `Buffer`.
- Child Process
- Undefined properties of env are ignored.
- Console
- The `console.table()` method has been added.
- Crypto
- The `crypto.createCipher()` and `crypto.createDecipher()` methods
have been deprecated. Please use `crypto.createCipheriv()` and
`crypto.createDecipheriv()` instead.
- The `decipher.finaltol()` method has been deprecated.
- The `crypto.DEFAULT_ENCODING` property has been deprecated.
- The `ECDH.convertKey()` method has been added.
- The `crypto.fips` property has been deprecated.
- Dependencies
- V8 has been updated to 6.6.
- OpenSSL has been updated to 1.1.0h.
- EventEmitter
- The `EventEmitter.prototype.off()` method has been added as an
alias for `EventEmitter.prototype.removeListener()`.
- File System
- The `fs/promises` API provides experimental promisified versions
of the `fs` functions.
- Invalid path errors are now thrown synchronously.
- The `fs.readFile()` method now partitions reads to avoid thread
pool exhaustion.
- HTTP
- Processing of HTTP Status codes `100`, `102-199` has been
improved.
- Multi-byte characters in URL paths are now forbidden.
- N-API
- The n-api is no longer experimental.
- Net
- The `'close'` event will be emitted after `'end'`.
- Perf_hooks
- The `PerformanceObserver` class is now an `AsyncResource` and can
be monitored using `async_hooks`.
- Trace events are now emitted for performance events.
- The `performance` API has been simplified.
- Performance milestone marks will be emitted as trace events.
- Process
- Using non-string values for `process.env` is deprecated.
- The `process.assert()` method is deprecated.
- REPL
- REPL now experimentally supports top-level await when using the
`--experimental-repl-await` flag.
- The previously deprecated "magic mode" has been removed.
- The previously deprecated `NODE_REPL_HISTORY_FILE` environment
variable has been removed.
- Proxy objects are shown as Proxy objects when inspected.
- Streams
- The `'readable'` event is now always deferred with nextTick.
- A new `pipeline()` method has been provided for building
end-to-data stream pipelines.
- Experimental support for async for-await has been added to
`stream.Readable`.
- Timers
- The `enroll()` and `unenroll()` methods have been deprecated.
- TLS
- The `tls.convertNPNProtocols()` method has been deprecated.
- Support for NPN (next protocol negotiation) has been dropped.
- The `ecdhCurve` default is now `'auto'`.
- Trace Events
- A new `trace_events` top-level module allows trace event
categories to be enabled/disabled at runtime.
- URL
- The WHATWG URL API is now a global.
- Util
- `util.types.is[…]` type checks have been added.
- Support for bigint formatting has been added to `util.inspect()`.
#### Deprecations:
The following APIs have been deprecated in Node.js 10.0.0
- Passing more than one argument to `assert.fail()` will emit a
runtime deprecation warning.
- Previously deprecated legacy async_hooks APIs have reached
end-of-life and have been removed.
- Using `require()` to access several of Node.js' own internal
dependencies will emit a runtime deprecation.
- The `crypto.createCipher()` and `crypto.createDecipher()` methods
have been deprecated in documentation.
- Using the `Decipher.finaltol()` method will emit a runtime
deprecation warning.
- Using the `crypto.DEFAULT_ENCODING` property will emit a runtime
deprecation warning.
- Use by native addons of the `MakeCallback()` variant that passes a
`Domain` will emit a runtime deprecation warning.
- Previously deprecated internal getters/setters on `net.Server` has
reached end-of-life and have been removed.
- Use of non-string values for `process.env` has been deprecated in
documentation.
- Use of `process.assert()` will emit a runtime deprecation warning.
- Previously deprecated `NODE_REPL_HISTORY_FILE` environment variable
has reached end-of-life and has been removed.
- Use of the `timers.enroll()` and `timers.unenroll()` methods will
emit a runtime deprecation warning.
- Use of the `tls.convertNPNProtocols()` method will emit a runtime
deprecation warning. Support for NPN has been removed from Node.js.
- The `crypto.fips` property has been deprecated in documentation.
|
|
nodeversion.mk framework to pick and depend on one of the supported nodejs version packages. Bump respective PKGREVISIONs.
|
|
|
|
|
|
- deps: Updated ICU to 61.1
- fs: Emit 'ready' event for ReadStream and WriteStream
- n-api: Bump version of n-api supported
- net: Emit 'ready' event for Socket
|
|
- No code changes
nodejs 9.10.0
Fixes for the following CVEs are included in this release:
- CVE-2018-7158
- CVE-2018-7159
- CVE-2018-7160
Notable Changes
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A
malicious website could use a DNS rebinding attack to trick a web
browser to bypass same-origin-policy checks and allow HTTP connections
to localhost or to hosts on the local network, potentially to an open
inspector port as a debugger, therefore gaining full code execution
access. The inspector now only allows connections that have a browser
Host value of localhost or localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths
could be used to cause a denial of service if an attacker were able to
have a specially crafted path string passed through one of the
impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159):
The Node.js HTTP parser allowed for spaces inside Content-Length
header values. Such values now lead to rejected connections in the
same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been
added to the Node.js binary and 30 have been removed.
- cluster: Add support for NODE_OPTIONS="--inspect"
- crypto: Expose the public key of a certificate
- n-api: Add napi_fatal_exception to trigger an uncaughtException in
JavaScript
- path: Fix regression in posix.normalize
- stream: Improve stream creation performance
nodejs 9.9.0
assert:
- From now on all error messages produced by assert in strict mode will
produce a error diff.
- From now on it is possible to use a validation object in throws instead
of the other possibilities.
crypto:
- allow passing null as IV unless required
fs:
- support as and as+ flags in stringToFlags()
tls:
- expose Finished messages in TLSSocket
tty:
- Add getColorDepth function to determine if terminal supports colors.
util:
- add util.inspect compact option
|
|
|
|
crypto:
- add cert.fingerprint256 as SHA256 fingerprint (Hannes Magnusson) #17690
http2:
- Fixed issues with aborted connections in the HTTP/2 implementation (Anna Henningsen) #18987 #19002
loader:
- --inspect-brk now works properly for esmodules (Gus Caplan) #18949
src:
- make process.dlopen() load well-known symbol (Ben Noordhuis) #18934
trace_events:
- add file pattern cli option (Andreas Madsen) #18480
|
|
- libuv: Updated to libuv 1.19.2
- src: Add initial support for Node.js-specific post-mortem
metadata
- timers: The return value of setImmediate() now has ref() and
unref() methods
- util: It is now possible to get the name for a numerical
platform-specific error code as a string
|
|
nodejs 9.6.1
events:
- events.usingDomains being set to false by default was removed in
9.6.0 which was a change in behavior compares to 9.5.0. This
behavior change has been reverted and the events object now has
usingDomains preset to false, which is the behavior in 9.x prior
to 9.6.0
nodejs 9.6.0
async_hooks:
- deprecate unsafe emit{Before,After}
- rename PromiseWrap.parentId to PromiseWrap.isChainedPromise
deps:
- update node-inspect to 1.11.3
- ICU 60.2 bump
- Introduce ScriptOrModule and HostDefinedOptions to V8
http:
- add options to http.createServer() for IncomingMessage and
ServerReponse
http2:
- add http fallback options to .createServer
https:
- Adds the remaining options from tls.createSecureContext() to the
string generated by Agent#getName(). This allows https.request() to
accept the options and generate unique sockets appropriately.
inspector:
- --inspect-brk for es modules
lib:
- allow process kill by signal number
module:
- enable dynamic import
- dynamic import is now supported
n-api:
- add methods to open/close callback scope
src:
- allow --perf-(basic-)?prof in NODE_OPTIONS
vm:
- add support for es modules
|
|
cluster
- add cwd to cluster.settings
deps
- upgrade libuv to 1.19.1
n-api
- expose n-api version in process.versions
perf_hooks
- add performance.clear()
stream
- avoid writeAfterEnd() while ending
|
|
async_hooks:
- deprecate AsyncHooks Sensitive API and runInAsyncIdScope. Neither
API were documented.
deps:
- update nghttp2 to 1.29.0
- upgrade npm to 5.6.0
- cherry-pick 50f7455 from upstream V8
events:
- remove reaches into _events internals
http:
- add rawPacket in err of clientError event
http2:
- implement maxSessionMemory
- add initial support for originSet
- add altsvc support
- perf_hooks integration
- Refactoring and cleanup of Http2Session and Http2Stream destroy
net:
- remove Socket.prototype.write
- remove Socket.prototype.listen
repl:
- show lexically scoped vars in tab completion
stream:
- rm {writeable/readable}State.length
- add flow and buffer properties to streams
util:
- allow wildcards in NODE_DEBUG variable
zlib:
- add ArrayBuffer support
|
|
async_hooks:
- add trace events to async_hooks
- add provider types for net server
console:
- console.debug can now be used outside of the inspector
deps:
- upgrade libuv to 1.18.0
- patch V8 to 6.2.414.46
module:
- module.builtinModules will return a list of built in modules
n-api:
- add helper for addons to get the event loop
process:
- process.setUncaughtExceptionCaptureCallback can now be used to
customize behavior for --abort-on-uncaught-exception
- A signal handler is now able to receive the signal code that
triggered the handler.
src:
- embedders can now use Node::CreatePlatform to create an instance of
NodePlatform
stream:
- writable.writableHighWaterMark and readable.readableHighWaterMark
will return the values the stream object was instantiated with
|
|
- buffer: buffer allocated with an invalid content will now be zero
filled (CVE-2017-15897)
- deps: openssl updated to 1.0.2n
|
