Skip to content

Releases: nodejs/node

2018-04-30, Version 6.14.2 'Boron' (LTS), @MylesBorins

24 May 15:28
Compare
Choose a tag to compare

Notable Changes

  • n-api:
    • n-api has been backported to v6.x. It is being landed as an experimental interface,
      and as such is landing in a Semver-Patch release. (Gabriel Schulhof) #19447

Commits

Read more

2018-04-24, Version 10.0.0 (Current), @jasnell

24 May 15:27
v10.0.0
Compare
Choose a tag to compare

Notable Changes

  • Assert
    • Calling assert.fail() with more than one argument is deprecated. [70dcacd710]
    • Calling assert.ok() with no arguments will now throw. [3cd7977a42]
    • Calling assert.ifError() will now throw with any argument other than undefined or null. Previously the method would throw with any truthy value. [e65a6e81ef]
    • The assert.rejects() and assert.doesNotReject() methods have been added for working with async functions. [599337f43e]
  • Async_hooks
    • Older experimental async_hooks APIs have been removed. [1cc6b993b9]
  • Buffer
    • Uses of new Buffer() and Buffer() outside of the node_modules directory will now emit a runtime deprecation warning. [9d4ab90117]
    • Buffer.isEncoding() now returns undefined for falsy values, including an empty string. [452eed956e]
    • Buffer.fill() will throw if an attempt is made to fill with an empty Buffer. [1e802539b2]
  • Child Process
  • Console
    • The console.table() method has been added. [97ace04492]
  • Crypto
    • The crypto.createCipher() and crypto.createDecipher() methods have been deprecated. Please use crypto.createCipheriv() and crypto.createDecipheriv() instead. [81f88e30dd]
    • The decipher.finaltol() method has been deprecated. [19f3927d92]
    • The crypto.DEFAULT_ENCODING property has been deprecated. [6035beea93]
    • The ECDH.convertKey() method has been added. [f2e02883e7]
    • The crypto.fips property has been deprecated. [6e7992e8b8]
  • Dependencies
  • EventEmitter
    • The EventEmitter.prototype.off() method has been added as an alias for EventEmitter.prototype.removeListener(). [3bb6f07d52]
  • File System
    • The fs/promises API provides experimental promisified versions of the fs functions. [329fc78e49]
    • Invalid path errors are now thrown synchronously. [d8f73385e2]
    • The fs.readFile() method now partitions reads to avoid thread pool exhaustion. [67a4ce1c6e]
  • HTTP
    • Processing of HTTP Status codes 100, 102-199 has been improved. [baf8495078]
    • Multi-byte characters in URL paths are now forbidden. [b961d9fd83]
  • N-API
    • The n-api is no longer experimental. [cd7d7b15c1]
  • Net
    • The 'close' event will be emitted after 'end'. [9b7a6914a7]
  • Perf_hooks
    • The PerformanceObserver class is now an AsyncResource and can be monitored using async_hooks. [009e41826f]
    • Trace events are now emitted for performance events. [9e509b622b]
    • The performance API has been simplified. [2ec6995555]
    • Performance milestone marks will be emitted as trace events. [96cb4fb795]
  • Process
    • Using non-string values for process.env is deprecated. [5826fe4e79]
    • The process.assert() method is deprecated. [703e37cf3f]
  • REPL
    • REPL now experimentally supports top-level await when using the --experimental-repl-await flag. [eeab7bc068]
    • The previously deprecated "magic mode" has been removed. [4893f70d12]
    • The previously deprecated NODE_REPL_HISTORY_FILE environment variable has been removed. [60c9ad7979]
    • Proxy objects are shown as Proxy objects when inspected. [90a43906ab]
  • Streams
    • The 'readable' event is now always deferred with nextTick. [1e0f3315c7]
    • A new pipeline() method has been provided for building end-to-data stream pipelines. [a5cf3feaf1]
    • Experimental support for async for-await has been added to stream.Readable. [61b4d60c5d]
  • Timers
    • The enroll() and unenroll() methods have been deprecated. [68783ae0b8]
  • TLS
    • The tls.convertNPNProtocols() method has been deprecated. [9204a0db6e]
    • Support for NPN (next protocol negotiation) has been dropped. [5bfbe5ceae]
    • The ecdhCurve default is now 'auto'. [af78840b19]
  • Trace Events
    • A new trace_events top-level module allows trace event categories to be enabled/disabled at runtime. [da5d818a54]
  • URL
    • The WHATWG URL API is now a global. [312414662b]
  • Util
    • util.types.is[…] type checks have been added. [b20af8088a]
    • Support for bigint formatting has been added to util.inspect(). [39dc947409]

Deprecations:

The following APIs have been deprecated in Node.js 10.0.0

  • Passing more than one argument to assert.fail() will emit a runtime deprecation warning. [70dcacd710]
  • Previously deprecated legacy async_hooks APIs have reached end-of-life and have been removed. [1cc6b993b9]
  • Using require() to access several of Node.js' own internal dependencies will emit a runtime deprecation. [0e10717e43]
  • The crypto.createCipher() and crypto.createDecipher() methods have been deprecated in documentation.[81f88e30dd]
  • Using the Decipher.finaltol() method will emit a runtime deprecation warning. [19f3927d92]
  • Using the crypto.DEFAULT_ENCODING property will emit a runtime deprecation warning. [6035beea93]
  • Use by native addons of the MakeCallback() variant that passes a Domain will emit a runtime deprecation warning. [14bc3e22f3], [efb32592e1]
  • Previously deprecated internal getters/setters on net.Server has reached end-of-life and have been removed. [3701b02309]
  • Use of non-string values for process.env has been deprecated in documentation. [5826fe4e79]
  • Use of process.assert() will emit a runtime deprecation warning. [703e37cf3f]
  • Previously deprecated NODE_REPL_HISTORY_FILE environment variable has reached end-of-life and has been removed. [60c9ad7979]
  • Use of the timers.enroll() and timers.unenroll() methods will emit a runtime deprecation warning. [68783ae0b8]
  • Use of the tls.convertNPNProtocols() method will emit a runtime deprecation warning. Support for NPN has been removed from Node.js. [9204a0db6e]
  • The crypto.fips property has been deprecated in documentation. [6e7992e8b8]

Commits

Semver-major

  • [c9bb91af33] - (SEMVER-MAJOR) assert: remove errorDiff property (Ruben Bridgewater) #19467
  • [eb427caadd] - (SEMVER-MAJOR) assert: improve default error messages (Ruben Bridgewater) #19467
  • [1964978fb8] - (SEMVER-MAJOR) assert: detect faulty throws usage (Ruben Bridgewater) #19867
  • [[9743e756e2](https://github.com/nodejs/node/commit...
Read more

2018-04-05, Version 9.11.1 (Current), @MylesBorins

05 Apr 07:17
Compare
Choose a tag to compare

Notable Changes

No additional commits.

An infrastructure issue caused a non-functioning msi installer for x64 to be promoted.
The patch release is to ensure that all binaries and installers work as expected.

2018-04-04, Version 9.11.0 (Current), @MylesBorins prepared by @targos

05 Apr 07:17
11c8db4
Compare
Choose a tag to compare

Notable Changes

  • deps:
    • Updated ICU to 61.1 (Steven R. Loomis) #19621
      Includes CLDR 33 (many new languages and data improvements).
  • fs:
    • Emit 'ready' event for ReadStream and WriteStream (Sameer Srivastava) #19408
  • n-api:
    • Bump version of n-api supported (Michael Dawson) #19497
  • net:
    • Emit 'ready' event for Socket (Sameer Srivastava) #19408
  • Added new collaborators

Commits

Read more

2018-03-29, Version 9.10.1 (Current), @MylesBorins

30 Mar 03:45
Compare
Choose a tag to compare

Notable Changes

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.

Note that Node.js versions 10.X and later will be built with version 4.9.X or later of the GCC compiler,
and it is possible that Node.js version 9.X may be built on the 4.9.X compiler at a later
time as the stated minimum compiler requirement
for Node.js version 9.X is 4.9.4.

2018-03-29, Version 8.11.1 'Carbon' (LTS), @MylesBorins

30 Mar 03:44
Compare
Choose a tag to compare

Notable Changes

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.

Note that Node.js versions 10.X and later will be built with version 4.9.X or later of the GCC compiler,
and it is possible that Node.js version 8.X may be built on the 4.9.X compiler at a later
time as the stated minimum compiler requirement
for Node.js version 8.X is 4.9.4.

2018-03-29, Version 6.14.1 'Boron' (LTS), @MylesBorins

30 Mar 03:44
Compare
Choose a tag to compare

Notable Changes

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.

2018-03-29, Version 4.9.1 'Argon' (Maintenance), @MylesBorins

30 Mar 03:44
Compare
Choose a tag to compare

Notable Changes

No additional commits.

Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.

2018-03-28, Version 9.10.0 (Current), @MylesBorins prepared by @targos

28 Mar 16:38
Compare
Choose a tag to compare

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes

  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.

  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6.

  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.

  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.

  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

  • cluster:

    • Add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
  • crypto:

    • Expose the public key of a certificate (Hannes Magnusson) #17690
  • n-api:

    • Add napi_fatal_exception to trigger an uncaughtException in JavaScript (Mathias Buus) #19337
  • path:

    • Fix regression in posix.normalize (Michaël Zasso) #19520
  • stream:

    • Improve stream creation performance (Brian White) #19401
  • Added new collaborators

Commits

Read more

2018-03-28, Version 8.11.0 'Carbon' (LTS), @MylesBorins

28 Mar 16:37
Compare
Choose a tag to compare

This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes

  • Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
  • Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser Host value of localhost or localhost6.
  • Fix for 'path' module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted 'path' module functions.
  • Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside Content-Length header values. Such values now lead to rejected connections in the same way as non-numeric values.
  • Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.

Commits