| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
| |
Notable changes:
* Upgrade npm to 6.14.16
* Updated ICU time zone data
PR-URL: https://github.com/nodejs/node/pull/41710
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
Corepack:
Node.js now includes Corepack, a script that acts as a bridge between
Node.js projects and the package managers they are intended to be used
with during development.
In practical terms, Corepack will let you use Yarn and pnpm without
having to install them - just like what currently happens with npm,
which is shipped in Node.js by default.
Contributed by Maël Nison - https://github.com/nodejs/node/pull/39608
ICU updated:
ICU has been updated to 70.1. This updates timezone database to 2021a3,
including bringing forward the start for DST for Jordan from March to
February.
Contributed by Michaël Zasso - https://github.com/nodejs/node/pull/40658
New option to disable loading of native addons:
A new command line option `--no-addons` has been added to disallow
loading of native addons.
Contributed by Dominic Elm - https://github.com/nodejs/node/pull/39977
Updated Root Certificates:
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71.
Contributed by Richard Lau - https://github.com/nodejs/node/pull/40280
Other Notable Changes:
crypto:
* (SEMVER-MINOR) make FIPS related options always available (Vít Ondruch) https://github.com/nodejs/node/pull/36341
lib:
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
module:
* (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
src:
* (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926
PR-URL: https://github.com/nodejs/node/pull/41696
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
child_process:
* (SEMVER-MINOR) add support for URL to `cp.fork` (Antoine du Hamel) https://github.com/nodejs/node/pull/41225
crypto:
* (SEMVER-MINOR) alias webcrypto.subtle and webcrypto.getRandomValues on crypto (James M Snell) https://github.com/nodejs/node/pull/41266
doc:
* add Mesteery to collaborators (Mestery) https://github.com/nodejs/node/pull/41543
events:
* (SEMVER-MINOR) graduate capturerejections to supported (James M Snell) https://github.com/nodejs/node/pull/41267
* (SEMVER-MINOR) add EventEmitterAsyncResource to core (James M Snell) https://github.com/nodejs/node/pull/41246
loader:
* (SEMVER-MINOR) return package format from defaultResolve if known (Gabriel Bota) https://github.com/nodejs/node/pull/40980
perf_hooks:
* (SEMVER-MINOR) multiple fixes for Histogram (James M Snell) https://github.com/nodejs/node/pull/41153
stream:
* (SEMVER-MINOR) add filter method to readable (Benjamin Gruenbaum, Robert Nagy) https://github.com/nodejs/node/pull/41354
* (SEMVER-MINOR) add isReadable helper (Robert Nagy) https://github.com/nodejs/node/pull/41199
* (SEMVER-MINOR) add map method to Readable (Benjamin Gruenbaum, Robert Nagy) https://github.com/nodejs/node/pull/40815
PR-URL: https://github.com/nodejs/node/pull/41557
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/311
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/312
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/310
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/309
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
OpenSSL-3.0.1:
OpenSSL-3.0.1 contains a fix for CVE-2021-4044: Invalid handling of X509_verify_cert() internal errors
in libssl (Moderate). This is a vulnerability in OpenSSL that may be exploited through Node.js.
More information can be read here: https://www.openssl.org/news/secadv/20211214.txt.
Contributed by Richard Lau https://github.com/nodejs/node/pull/41177
Other Notable Changes:
* lib:
* make AbortSignal cloneable/transferable (James M Snell) https://github.com/nodejs/node/pull/41050
* deps:
* upgrade npm to 8.3.0 (npm team) https://github.com/nodejs/node/pull/41127
* doc:
* add @bnb as a collaborator (Tierney Cyren) https://github.com/nodejs/node/pull/41100
* process:
* add `getActiveResourcesInfo()` (Darshan Sen) https://github.com/nodejs/node/pull/40813
* timers:
* add experimental scheduler api (James M Snell) https://github.com/nodejs/node/pull/40909
PR-URL: https://github.com/nodejs/node/pull/41167
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
This release contains a c-ares update to fix a regression introduced in
Node.js 12.22.5 resolving CNAME records containing underscores
(https://github.com/nodejs/node/issues/39780).
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71 (https://github.com/nodejs/node/pull/40280).
PR-URL: https://github.com/nodejs/node/pull/41161
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
- **deps**: upgrade npm to 8.1.2 (npm team)
[#40643](https://github.com/nodejs/node/pull/40643)
- **deps**: update c-ares to 1.18.1 (Richard Lau)
[#40660](https://github.com/nodejs/node/pull/40660)
- **doc**: add VoltrexMaster to collaborators (voltrexmaster)
[#40566](https://github.com/nodejs/node/pull/40566)
- **lib**: fix regular expression to detect \`/\` and \`\\\`
(Francesco Trotta) [#40325](https://github.com/nodejs/node/pull/40325)
PR-URL: https://github.com/nodejs/node/pull/40974
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
async_hooks:
* (SEMVER-MINOR) expose async_wrap providers (Rafael Gonzaga) https://github.com/nodejs/node/pull/40760
deps:
* (SEMVER-MINOR) update V8 to 9.6.180.14 (Michaël Zasso) https://github.com/nodejs/node/pull/40488
lib:
* (SEMVER-MINOR) add reason to AbortSignal (James M Snell) https://github.com/nodejs/node/pull/40807
src:
* (SEMVER-MINOR) add x509.fingerprint512 to crypto module (3nprob) https://github.com/nodejs/node/pull/39809
stream:
* deprecate thenable support (Antoine du Hamel) https://github.com/nodejs/node/pull/40860
* fix finished regression when working with legacy Stream (Matteo Collina) https://github.com/nodejs/node/pull/40858
PR-URL: https://github.com/nodejs/node/pull/40983
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes
This release contains a c-ares update to fix a regression introduced in
Node.js 14.17.5 resolving CNAME records containing underscores
(https://github.com/nodejs/node/issues/39780).
Also included are commits to allow Node.js 14 to continue to build and
pass tests on our Jenkins CI, including adding Python 3.10 to the list
of allowable Python versions for building.
PR-URL: https://github.com/nodejs/node/pull/40969
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
doc:
* add VoltrexMaster to collaborators (voltrexmaster) https://github.com/nodejs/node/pull/40566
esm:
* (SEMVER-MINOR) add support for JSON import assertion (Antoine du Hamel) https://github.com/nodejs/node/pull/40250
lib:
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
v8:
* (SEMVER-MINOR) multi-tenant promise hook api (Stephen Belanger) https://github.com/nodejs/node/pull/39283
PR-URL: https://github.com/nodejs/node/pull/40758
|
| |
|
|
|
|
|
|
|
| |
Update mdast-util-to-markdown to 1.2.4 which reduces unnecessary
escaping of `_` and some other characters. Re-run markdown formatter.
PR-URL: https://github.com/nodejs/node/pull/40645
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Remove unnecessary `<sup>` usage and lint-disabling comment.
PR-URL: https://github.com/nodejs/node/pull/40475
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Update missed changes for the main CHANGELOG.md for Node.js 16.13.0.
PR-URL: https://github.com/nodejs/node/pull/40617
Refs: https://github.com/nodejs/node/pull/40536
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes:
This release marks the transition of Node.js 16.x into Long Term Support (LTS)
with the codename 'Gallium'. The 16.x release line now moves into "Active LTS"
and will remain so until October 2022. After that time, it will move into
"Maintenance" until end of life in April 2024.
PR-URL: https://github.com/nodejs/node/pull/40536
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
Fixed distribution for native addon builds
This release fixes an issue introduced in Node.js v17.0.0, where some V8
headers were missing from the distributed tarball, making it impossible
to build native addons. These headers are now included.
https://github.com/nodejs/node/pull/40526
Fixed stream issues
* Fixed a regression in `stream.promises.pipeline`, which was introduced
in version 16.10.0, is fixed. It is now possible again to pass an
array of streams to the function.
https://github.com/nodejs/node/pull/40193
* Fixed a bug in `stream.Duplex.from`, which didn't work properly when
an async generator function was passed to it.
https://github.com/nodejs/node/pull/40499
PR-URL: https://github.com/nodejs/node/pull/40535
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable Changes:
Experimental ESM Loader Hooks API:
Node.js ESM Loader hooks have been consolidated to represent the steps involved needed to facilitate future loader chaining:
1. `resolve`: `resolve` [+ `getFormat`]
2. `load`: `getFormat` + `getSource` + `transformSource`
For consistency, `getGlobalPreloadCode` has been renamed to `globalPreload`.
A loader exporting obsolete hook(s) will trigger a single deprecation warning (per loader) listing the errant hooks.
Contributed by Jacob Smith, Geoffrey Booth, and Bradley Farias - https://github.com/nodejs/node/pull/37468
Other Notable Changes:
deps:
* upgrade npm to 8.1.0 (npm team) https://github.com/nodejs/node/pull/40463
doc:
* deprecate (doc-only) http abort related (dr-js) https://github.com/nodejs/node/pull/36670
vm:
* (SEMVER-MINOR) add support for import assertions in dynamic imports (Antoine du Hamel) https://github.com/nodejs/node/pull/40249
PR-URL: https://github.com/nodejs/node/pull/40504
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable Changes:
Deprecations and Removals:
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
options
(Antoine du Hamel) [https://github.com/nodejs/node/pull/39793]
- doc: deprecate (doc-only) http abort related
(dr-js) [https://github.com/nodejs/node/pull/36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
(Guy Bedford) [https://github.com/nodejs/node/pull/40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
(Guy Bedford) [https://github.com/nodejs/node/pull/40117]
OpenSSL 3.0:
Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.
While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.
If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.
For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [https://github.com/nodejs/node/pull/38512]
Contributed in https://github.com/nodejs/node/pull/38512, https://github.com/nodejs/node/pull/40478
V8 9.5:
The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [https://github.com/nodejs/node/pull/40178]
Readline Promise API:
The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
Other Notable Changes:
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
(treysis) [https://github.com/nodejs/node/pull/39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
cause exit
(Divlo) [https://github.com/nodejs/node/pull/38332]
- deps: upgrade npm to 8.1.0
(npm team) [https://github.com/nodejs/node/pull/40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
(James M Snell) [https://github.com/nodejs/node/pull/39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
(Ethan Arrowood) [https://github.com/nodejs/node/pull/39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
(Khaidi Chu) [https://github.com/nodejs/node/pull/39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
(Robert Nagy) [https://github.com/nodejs/node/pull/39235]
Semver-Major Commits:
- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
(Richard Lau) [https://github.com/nodejs/node/pull/38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
(Richard Lau) [https://github.com/nodejs/node/pull/38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
(Michaël Zasso) [https://github.com/nodejs/node/pull/40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
(Daniel Bevenius) [https://github.com/nodejs/node/pull/38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
(Voltrex) [https://github.com/nodejs/node/pull/39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
(Antoine du Hamel) [https://github.com/nodejs/node/pull/39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
(treysis) [https://github.com/nodejs/node/pull/39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
(Michaël Zasso) [https://github.com/nodejs/node/pull/40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
(Divlo) [https://github.com/nodejs/node/pull/38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
(Nitzan Uziely) [https://github.com/nodejs/node/pull/38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
(Nitzan Uziely) [https://github.com/nodejs/node/pull/38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
(Ethan Arrowood) [https://github.com/nodejs/node/pull/39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
(Khaidi Chu) [https://github.com/nodejs/node/pull/39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
(Guy Bedford) [https://github.com/nodejs/node/pull/40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
(Guy Bedford) [https://github.com/nodejs/node/pull/40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
(Daniel Bevenius) [https://github.com/nodejs/node/pull/37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
(Darshan Sen) [https://github.com/nodejs/node/pull/39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
(Shelley Vohr) [https://github.com/nodejs/node/pull/38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
(Rongjian Zhang) [https://github.com/nodejs/node/pull/38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
(Robert Nagy) [https://github.com/nodejs/node/pull/39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
(Szymon Marczak) [https://github.com/nodejs/node/pull/39607]
- (SEMVER-MAJOR) stream: forward errored to callback
(Robert Nagy) [https://github.com/nodejs/node/pull/39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
(Robert Nagy) [https://github.com/nodejs/node/pull/39342]
- (SEMVER-MAJOR) stream: validate abort signal
(Robert Nagy) [https://github.com/nodejs/node/pull/39346]
- (SEMVER-MAJOR) stream: unify stream utils
(Robert Nagy) [https://github.com/nodejs/node/pull/39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
(Darshan Sen) [https://github.com/nodejs/node/pull/39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
(Robert Nagy) [https://github.com/nodejs/node/pull/39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
(Robert Nagy) [https://github.com/nodejs/node/pull/34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
(Robert Nagy) [https://github.com/nodejs/node/pull/38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
(James M Snell) [https://github.com/nodejs/node/pull/39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
(Timothy Gu) [https://github.com/nodejs/node/pull/38631]
PR-URL: https://github.com/nodejs/node/pull/40119
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/293
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked requests.
requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/294
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/295
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
* crypto:
* update root certificates (Richard Lau) https://github.com/nodejs/node/pull/40280
* deps:
* upgrade npm to 8.0.0 (npm team) https://github.com/nodejs/node/pull/40369
* update `nghttp2` to v1.45.1 (thunder-coding) https://github.com/nodejs/node/pull/40206
* update V8 to 9.4.146.19 (Michaël Zasso) https://github.com/nodejs/node/pull/40285
* tools:
* update certdata.txt (Richard Lau) https://github.com/nodejs/node/pull/40280
PR-URL: https://github.com/nodejs/node/pull/40319
|
| |
|
|
|
|
|
|
|
| |
Use `make format-md` to format general markdown files.
PR-URL: https://github.com/nodejs/node/pull/40322
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
assert:
* change status of legacy asserts (James M Snell) https://github.com/nodejs/node/pull/38113
buffer:
* (SEMVER-MINOR) introduce Blob (James M Snell) https://github.com/nodejs/node/pull/36811
* (SEMVER-MINOR) add base64url encoding option (Filip Skokan) https://github.com/nodejs/node/pull/36952
child_process:
* (SEMVER-MINOR) allow `options.cwd` receive a URL (Khaidi Chu) https://github.com/nodejs/node/pull/38862
* (SEMVER-MINOR) add timeout to spawn and fork (Nitzan Uziely) https://github.com/nodejs/node/pull/37256
* (SEMVER-MINOR) allow promisified exec to be cancel (Carlos Fuentes) https://github.com/nodejs/node/pull/34249
* (SEMVER-MINOR) add 'overlapped' stdio flag (Thiago Padilha) https://github.com/nodejs/node/pull/29412
cli:
* (SEMVER-MINOR) add -C alias for --conditions flag (Guy Bedford) https://github.com/nodejs/node/pull/38755
* (SEMVER-MINOR) add --node-memory-debug option (Anna Henningsen) https://github.com/nodejs/node/pull/35537
dns:
* (SEMVER-MINOR) add "tries" option to Resolve options (Luan Devecchi) https://github.com/nodejs/node/pull/39610
* (SEMVER-MINOR) allow `--dns-result-order` to change default dns verbatim (Ouyang Yadong) https://github.com/nodejs/node/pull/38099
doc:
* (SEMVER-MINOR) add missing change to resolver ctor (Luan Devecchi) https://github.com/nodejs/node/pull/39610
* refactor fs docs structure (James M Snell) https://github.com/nodejs/node/pull/37170
errors:
* (SEMVER-MINOR) remove experimental from --enable-source-maps (Benjamin Coe) https://github.com/nodejs/node/pull/37362
esm:
* deprecate legacy main lookup for modules (Guy Bedford) https://github.com/nodejs/node/pull/36918
fs:
* (SEMVER-MINOR) allow empty string for temp directory prefix (Voltrex) https://github.com/nodejs/node/pull/39028
* (SEMVER-MINOR) allow no-params fsPromises fileHandle read (Nitzan Uziely) https://github.com/nodejs/node/pull/38287
* (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) https://github.com/nodejs/node/pull/37490
* improve fsPromises readFile performance (Nitzan Uziely) https://github.com/nodejs/node/pull/37608
* (SEMVER-MINOR) add fsPromises.watch() (James M Snell) https://github.com/nodejs/node/pull/37179
* (SEMVER-MINOR) allow `position` parameter to be a `BigInt` in read and readSync (Darshan Sen) https://github.com/nodejs/node/pull/36190
http2:
* (SEMVER-MINOR) add support for sensitive headers (Anna Henningsen) https://github.com/nodejs/node/pull/34145
* (SEMVER-MINOR) allow setting the local window size of a session (Yongsheng Zhang) https://github.com/nodejs/node/pull/35978
inspector:
* mark as stable (Gireesh Punathil) https://github.com/nodejs/node/pull/37748
module:
* (SEMVER-MINOR) add support for `URL` to `import.meta.resolve` (Antoine du Hamel) https://github.com/nodejs/node/pull/38587
* (SEMVER-MINOR) add support for `node:`‑prefixed `require(…)` calls (ExE Boss) https://github.com/nodejs/node/pull/37246
net:
* (SEMVER-MINOR) introduce net.BlockList (James M Snell) https://github.com/nodejs/node/pull/34625
node-api:
* (SEMVER-MINOR) allow retrieval of add-on file name (Gabriel Schulhof) https://github.com/nodejs/node/pull/37195
os:
* (SEMVER-MINOR) add os.devNull (Luigi Pinca) https://github.com/nodejs/node/pull/38569
perf_hooks:
* (SEMVER-MINOR) introduce createHistogram (James M Snell) https://github.com/nodejs/node/pull/37155
process:
* (SEMVER-MINOR) add api to enable source-maps programmatically (legendecas) https://github.com/nodejs/node/pull/39085
* (SEMVER-MINOR) add `'worker'` event (James M Snell) https://github.com/nodejs/node/pull/38659
* (SEMVER-MINOR) add direct access to rss without iterating pages (Adrien Maret) https://github.com/nodejs/node/pull/34291
readline:
* (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) https://github.com/nodejs/node/pull/37932
* (SEMVER-MINOR) add support for the AbortController to the question method (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33676
* (SEMVER-MINOR) add history event and option to set initial history (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33662
repl:
* (SEMVER-MINOR) add auto‑completion for `node:`‑prefixed `require(…)` calls (ExE Boss) https://github.com/nodejs/node/pull/37246
src:
* (SEMVER-MINOR) call overload ctor from the original ctor (Darshan Sen) https://github.com/nodejs/node/pull/39768
* (SEMVER-MINOR) add a constructor overload for CallbackScope (Darshan Sen) https://github.com/nodejs/node/pull/39768
* (SEMVER-MINOR) allow to negate boolean CLI flags (Michaël Zasso) https://github.com/nodejs/node/pull/39023
* (SEMVER-MINOR) add --heapsnapshot-near-heap-limit option (Joyee Cheung) https://github.com/nodejs/node/pull/33010
* (SEMVER-MINOR) add way to get IsolateData and allocator from Environment (Anna Henningsen) https://github.com/nodejs/node/pull/36441
* (SEMVER-MINOR) allow preventing SetPrepareStackTraceCallback (Shelley Vohr) https://github.com/nodejs/node/pull/36447
* (SEMVER-MINOR) add maybe versions of EmitExit and EmitBeforeExit (Anna Henningsen) https://github.com/nodejs/node/pull/35486
stream:
* (SEMVER-MINOR) add readableDidRead if has been read from (Robert Nagy) https://github.com/nodejs/node/pull/39589
* (SEMVER-MINOR) pipeline accept Buffer as a valid first argument (Nitzan Uziely) https://github.com/nodejs/node/pull/37739
tls:
* (SEMVER-MINOR) allow reading data into a static buffer (Andrey Pechkurov) https://github.com/nodejs/node/pull/35753
tools:
* (SEMVER-MINOR) add `Worker` to type-parser (James M Snell) https://github.com/nodejs/node/pull/38659
url:
* (SEMVER-MINOR) expose urlToHttpOptions utility (Yongsheng Zhang) https://github.com/nodejs/node/pull/35960
util:
* (SEMVER-MINOR) expose toUSVString (Robert Nagy) https://github.com/nodejs/node/pull/39814
v8:
* (SEMVER-MINOR) implement v8.stopCoverage() (Joyee Cheung) https://github.com/nodejs/node/pull/33807
* (SEMVER-MINOR) implement v8.takeCoverage() (Joyee Cheung) https://github.com/nodejs/node/pull/33807
worker:
* (SEMVER-MINOR) add setEnvironmentData/getEnvironmentData (James M Snell) https://github.com/nodejs/node/pull/37486
PR-URL: https://github.com/nodejs/node/pull/39990
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
crypto:
* (SEMVER-MINOR) add rsa-pss keygen parameters (Filip Skokan) https://github.com/nodejs/node/pull/39927
doc:
* add Ayase-252 to collaborators (Qingyu Deng) https://github.com/nodejs/node/pull/40078
fs:
* (SEMVER-MINOR) make `open` and `close` stream override optional when unused (Antoine du Hamel) https://github.com/nodejs/node/pull/40013
http:
* (SEMVER-MINOR) limit requests per connection (Artur K) https://github.com/nodejs/node/pull/40082
src:
* (SEMVER-MINOR) add --no-global-search-paths cli option (Cheng Zhao) https://github.com/nodejs/node/pull/39754
* (SEMVER-MINOR) add option to disable global search paths (Cheng Zhao) https://github.com/nodejs/node/pull/39754
* (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926
stream:
* (SEMVER-MINOR) add signal support to pipeline generators (Robert Nagy) https://github.com/nodejs/node/pull/39067
PR-URL: https://github.com/nodejs/node/pull/40175
|
| |
|
|
|
|
|
|
|
|
|
| |
Fix formatting that will change when run through upcoming remark preset.
PR-URL: https://github.com/nodejs/node/pull/40154
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
| |
|
|
|
|
|
|
| |
Notable changes:
This release fixes a regression introduced by the V8 9.3 update in Node.js 16.9.0.
PR-URL: https://github.com/nodejs/node/issues/40069
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
crypto:
* (SEMVER-MINOR) add RSA-PSS params to asymmetricKeyDetails (Tobias Nießen) https://github.com/nodejs/node/pull/39851
deps:
* (SEMVER-MINOR) add corepack (Maël Nison) https://github.com/nodejs/node/pull/39608
* (SEMVER-MINOR) update V8 to 9.3.345.16 (Michaël Zasso) https://github.com/nodejs/node/pull/39947
module:
* (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
stream:
* (SEMVER-MINOR) add stream.compose (Robert Nagy) https://github.com/nodejs/node/pull/39029
PR-URL: https://github.com/nodejs/node/pull/40011
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803 (https://github.com/advisories/GHSA-r628-mhmh-qjhw)
and CVE-2021-32804 (https://github.com/advisories/GHSA-3jfq-g458-7qm9).
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.
You can read more about it in:
* CVE-2021-37701: https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
* CVE-2021-37712: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
* CVE-2021-37713: https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
* CVE-2021-39134: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
* CVE-2021-39135: https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2
PR-URL: https://github.com/nodejs-private/node-private/pull/287
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803 (https://github.com/advisories/GHSA-r628-mhmh-qjhw)
and CVE-2021-32804 (https://github.com/advisories/GHSA-3jfq-g458-7qm9).
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.
You can read more about it in:
* CVE-2021-37701: https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
* CVE-2021-37712: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
* CVE-2021-37713: https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
* CVE-2021-39134: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
* CVE-2021-39135: https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2
PR-URL: https://github.com/nodejs-private/node-private/pull/288
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
doc:
* deprecate type coercion for `dns.lookup` options (Antoine du Hamel) https://github.com/nodejs/node/pull/38906
stream:
* (SEMVER-MINOR) add `stream.Duplex.from` utility (Robert Nagy) https://github.com/nodejs/node/pull/39519
* (SEMVER-MINOR) add `isDisturbed` helper (Robert Nagy) https://github.com/nodejs/node/pull/39628
util:
* (SEMVER-MINOR) expose `toUSVString` (Robert Nagy) https://github.com/nodejs/node/pull/39814
PR-URL: https://github.com/nodejs/node/pull/39875
|
| |
|
|
|
|
|
|
|
| |
Notable changes:
* fs:
* experimental: add recursive cp method (Benjamin Coe) https://github.com/nodejs/node/pull/39372
PR-URL: https://github.com/nodejs/node/pull/39782
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/280
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/279
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/278
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
* Updated npm to 7.20.3 (npm team)
https://github.com/nodejs/node/pull/39579
* Reverted an ABI-breaking change from V8 9.2 that could impact some
native modules (Michaël Zasso)
https://github.com/nodejs/node/pull/39624
* Fixed a bug in error handling known to affect at least Webpack and
Jest (Guy Bedford) https://github.com/nodejs/node/pull/39593
PR-URL: https://github.com/nodejs/node/pull/39631
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling
(High) [#39423](https://github.com/nodejs/node/pull/39423)
- (SEMVER-MINOR) deps: update V8 to 9.2.230.21 (Michaël Zasso)
[#39470](https://github.com/nodejs/node/pull/39470)
- inspector: mark as stable (Gireesh Punathil)
[#37748](https://github.com/nodejs/node/pull/37748)
- punycode: add pending deprecation (Antoine du Hamel)
[#38444](https://github.com/nodejs/node/pull/38444)
- (SEMVER-MINOR) repl: enable --experimental-repl-await /w opt-out
(hemanth.hm) [#34733](https://github.com/nodejs/node/pull/34733)
PR-URL: https://github.com/nodejs/node/pull/39534
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable Changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
This releases fixes some regressions with internationalization
introduced by the ICU updates in Node.js 14.17.0 and 14.17.1.
PR-URL: https://github.com/nodejs/node/pull/39466
|
| |
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
PR-URL: https://github.com/nodejs/node/pull/39500
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
deps:
* upgrade npm to 7.19.1 (npm team) https://github.com/nodejs/node/pull/39225
fs:
* (SEMVER-MINOR) allow empty string for temp directory prefix (Voltrex) https://github.com/nodejs/node/pull/39028
stream:
* (SEMVER-MINOR) implement Web Streams API (James M Snell) https://github.com/nodejs/node/pull/39062
PR-URL: https://github.com/nodejs/node/pull/39373
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes:
Node.js 16.4.1 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39270
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes:
Node.js 14.17.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39269
|
| |
|
|
|
|
|
|
|
|
|
| |
Notable changes:
Node.js 12.22.2 introduced a regression in the Windows installer on
non-English locales that is being fixed in this release. There is no
need to download this release if you are not using the Windows
installer.
PR-URL: https://github.com/nodejs/node/pull/39268
|
| |
|
|
|
|
|
|
|
| |
Fix typo for line break tag.
PR-URL: https://github.com/nodejs/node/pull/39223
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Beth Griggs <bgriggs@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/271
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/272
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Notable changes:
Vulnerabilities fixed:
- **CVE-2021-22918**: libuv upgrade - Out of bounds read (Medium)
- **CVE-2021-22921**: Windows installer - Node Installer Local Privilege Escalation (Medium)
- **CVE-2021-27290**: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High)
- **CVE-2021-23362**: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/270
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable changes:
* async_hooks:
* stabilize part of AsyncLocalStorage (Vladimir de Turckheim) https://github.com/nodejs/node/pull/37675
* deps:
* upgrade npm to 7.18.1 (npm-robot) https://github.com/nodejs/node/pull/39065
* update V8 to 9.1.269.36 (Michaël Zasso) https://github.com/nodejs/node/pull/38273
* dns:
* allow `--dns-result-order` to change default dns verbatim (Ouyang Yadong) https://github.com/nodejs/node/pull/38099
PR-URL: https://github.com/nodejs/node/pull/39031
|
