Releases: nodejs/node
2018-04-30, Version 6.14.2 'Boron' (LTS), @MylesBorins
Notable Changes
- n-api:
  - n-api has been backported to v6.x. It is being landed as an experimental interface, and as such is landing in a Semver-Patch release. (Gabriel Schulhof) #19447
Commits
- [6ba38e8c2b] - N-API: Reuse ObjectTemplate instances (Gabriel Schulhof) #13999
- [49d8c2e8ae] - build: refine static and shared lib build (Yihong Wang) #17604
- [cc7469eec8] - build: allow x86_64 as a dest_cpu alias for x64 (Rod Vagg) #18052
- [969398d08e] - crypto: reuse variable instead of reevaluation (Tobias Nießen) #17735
- [71acb5205a] - doc: Add a missing comma (jiangq) #19555
- [b9b752ef07] - doc: fix typos on n-api (Kyle Robinson Young) #19385
- [10fe65a0d5] - doc: fix n-api asynchronous threading docs (Eric Bickle) #19073
- [8826f185b0] - doc: mark NAPI_AUTO_LENGTH as code (Tobias Nießen) #18697
- [e9e5d56121] - doc: fix exporting a function example (Aonghus O Nia) #18661
- [9719b831a3] - doc: fix typo in n-api.md (Vse Mozhet Byt) #18590
- [fdd50fb35f] - doc: small typo in n-api.md (iskore) #18555
- [24a2791173] - doc: remove usage of you in n-api doc (Michael Dawson) #18528
- [74086e19f2] - doc: remove uannecessary Require (Michael Dawson) #18184
- [fed2136857] - doc: napi: make header style consistent (Ali Ijaz Sheikh) #18122
- [e04386a363] - doc: napi: fix unbalanced emphasis (Ali Ijaz Sheikh) #18122
- [3d8e1aaf48] - doc: updates examples to use NULL (Michael Dawson) #18008
- [173f29763e] - doc: update example in module registration (Franziska Hinkelmann) #17424
- [c6852126fd] - doc: use "JavaScript" instead of "Javascript" (Rich Trott) #17163
- [35dc8bab9e] - doc: document common pattern for instanceof checks (Michael Dawson) #16699
- [22490dcb91] - doc: fix typos in N-API (Swathi Kalahastri) #16911
- [55fabd7337] - doc: fix a typo in n-api documentation (Vipin Menon) #16879
- [0c67f21bcf] - doc: update to use NAPI_AUTO_LENGTH (Michael Dawson) #16187
- [5c2bba0931] - doc: fix some links (Vse Mozhet Byt) #16202
- [e9a6dffc65] - doc: fix outdated code sample in n-api.md (rebornix) #15581
- [ca69f1dfe7] - doc: fix new nits in links (Vse Mozhet Byt) #15449
- [a766802bee] - doc: fix doc for napi_get_value_string_utf8 (Daniel Taveras) #14529
- [b0f09a2ee6] - doc: added napi_get_value_string_latin1 (Kyle Farnung) #14678
- [fbcc962727] - doc: delint (Refael Ackermann) #14707
- [831de617b0] - doc: document napi_finalize() signature (cjihrig) #14230
- [4b9773effa] - doc: fix some links (Vse Mozhet Byt) #14400
- [36185b343b] - doc: doc lifetime of n-api last error info (Michael Dawson) #13939
- [cc3a4af7c8] - doc: fix a few n-api doc issues (Michael Dawson) #13650
- [1e91d5804d] - doc: fix out of date napi_callback doc (XadillaX) #13570
- [c5ae39e401] - doc: fix napi_create_*_error signatures in n-api (Jamen Marzonie) #13544
- [35a3cbb5dd] - doc: fix out of date sections in n-api doc (Michael Dawson) #13508
- [a06cc4684f] - doc: fix typo "ndapi" in n-api.md (Jamen Marz) #13484
- [82f31ff4af] - doc: add ref to option to enable n-api (Michael Dawson) #13406
- [17fe21e83d] - doc: fix typo in n-api.md (JongChan Choi) #13323
- [2e2905266e] - doc: fix title/function name mismatch (Michael Dawson) #13123
- [75e91fe5c8] - doc: add reference to node_api.h in docs (Michael Dawson) #13084
- [0f74ee5cbf] - doc: clarify operation of napi_cancel_async_work (Michael Dawson) #12974
- [5b045374ed] - doc: clarify node.js addons are c++ (Beth Griggs) #12898
- [6bcd6d49d5] - doc: fix broken links in n-api doc (Michael Dawson) #12889
- [3e388cf819] - doc: Add initial documentation for N-API (Michael Dawson) #12549
- [4d67369c1b] - doc: fix various nits (Vse Mozhet Byt) #19743
- [057c80b088] - doc: move Fedor to TSC Emeritus (Myles Borins) #18752
- [bf72ee667e] - doc: add mmarchini to collaborators (Matheus Marchini) #18740
- [280af052d8] - doc: add history for url.parse (Steven) #18685
- [29b0d3b104] - doc: add devsnek to collaborators (Gus Caplan) #18679
- [dc6dc8232f] - doc: add section for strategic initiatives (Michael Dawson) #17104
- [6b348d4483] - doc: modify the return value of request.write() (陈刚) #18526
- [dd4d075e51] - doc: be more explicit in the sypnosis (Tim O. Peters) #17977
- [0067bccf6f] - doc: fix description of createDecipheriv (Tobias Nießen) #18651
- [bc2f0a5120] - doc: linkify missing types (Vse Mozhet Byt) [#18444](https://github.com/nodejs/node/pull/...
2018-04-24, Version 10.0.0 (Current), @jasnell
Notable Changes
- Assert
  - Calling `assert.fail()` with more than one argument is deprecated. [70dcacd710]
  - Calling `assert.ok()` with no arguments will now throw. [3cd7977a42]
  - Calling `assert.ifError()` will now throw with any argument other than `undefined` or `null`. Previously the method would throw with any truthy value. [e65a6e81ef]
  - The `assert.rejects()` and `assert.doesNotReject()` methods have been added for working with async functions. [599337f43e]
- Async_hooks
  - Older experimental async_hooks APIs have been removed. [1cc6b993b9]
- Buffer
  - Uses of `new Buffer()` and `Buffer()` outside of the `node_modules` directory will now emit a runtime deprecation warning. [9d4ab90117]
  - `Buffer.isEncoding()` now returns `undefined` for falsy values, including an empty string. [452eed956e]
  - `Buffer.fill()` will throw if an attempt is made to fill with an empty `Buffer`. [1e802539b2]
- Child Process
  - Undefined properties of env are ignored. [38ee25e2e2], [85739b6c5b]
- Console
  - The `console.table()` method has been added. [97ace04492]
- Crypto
  - The `crypto.createCipher()` and `crypto.createDecipher()` methods have been deprecated. Please use `crypto.createCipheriv()` and `crypto.createDecipheriv()` instead. [81f88e30dd]
  - The `decipher.finaltol()` method has been deprecated. [19f3927d92]
  - The `crypto.DEFAULT_ENCODING` property has been deprecated. [6035beea93]
  - The `ECDH.convertKey()` method has been added. [f2e02883e7]
  - The `crypto.fips` property has been deprecated. [6e7992e8b8]
- Dependencies
  - V8 has been updated to 6.6. [9daebb48d6]
  - OpenSSL has been updated to 1.1.0h. [66cb29e646]
- EventEmitter
  - The `EventEmitter.prototype.off()` method has been added as an alias for `EventEmitter.prototype.removeListener()`. [3bb6f07d52]
- File System
  - The `fs/promises` API provides experimental promisified versions of the `fs` functions. [329fc78e49]
  - Invalid path errors are now thrown synchronously. [d8f73385e2]
  - The `fs.readFile()` method now partitions reads to avoid thread pool exhaustion. [67a4ce1c6e]
- HTTP
  - Processing of HTTP Status codes `100`, `102-199` has been improved. [baf8495078]
  - Multi-byte characters in URL paths are now forbidden. [b961d9fd83]
- N-API
  - The n-api is no longer experimental. [cd7d7b15c1]
- Net
  - The `'close'` event will be emitted after `'end'`. [9b7a6914a7]
- Perf_hooks
  - The `PerformanceObserver` class is now an `AsyncResource` and can be monitored using `async_hooks`. [009e41826f]
  - Trace events are now emitted for performance events. [9e509b622b]
  - The `performance` API has been simplified. [2ec6995555]
  - Performance milestone marks will be emitted as trace events. [96cb4fb795]
- Process
  - Using non-string values for `process.env` is deprecated. [5826fe4e79]
  - The `process.assert()` method is deprecated. [703e37cf3f]
- REPL
  - REPL now experimentally supports top-level await when using the `--experimental-repl-await` flag. [eeab7bc068]
  - The previously deprecated "magic mode" has been removed. [4893f70d12]
  - The previously deprecated `NODE_REPL_HISTORY_FILE` environment variable has been removed. [60c9ad7979]
  - Proxy objects are shown as Proxy objects when inspected. [90a43906ab]
- Streams
  - The `'readable'` event is now always deferred with nextTick. [1e0f3315c7]
  - A new `pipeline()` method has been provided for building end-to-data stream pipelines. [a5cf3feaf1]
  - Experimental support for async for-await has been added to `stream.Readable`. [61b4d60c5d]
- Timers
  - The `enroll()` and `unenroll()` methods have been deprecated. [68783ae0b8]
- TLS
  - The `tls.convertNPNProtocols()` method has been deprecated. [9204a0db6e]
  - Support for NPN (next protocol negotiation) has been dropped. [5bfbe5ceae]
  - The `ecdhCurve` default is now `'auto'`. [af78840b19]
- Trace Events
  - A new `trace_events` top-level module allows trace event categories to be enabled/disabled at runtime. [da5d818a54]
- URL
  - The WHATWG URL API is now a global. [312414662b]
- Util
  - `util.types.is[…]` type checks have been added. [b20af8088a]
  - Support for bigint formatting has been added to `util.inspect()`. [39dc947409]
Deprecations:
The following APIs have been deprecated in Node.js 10.0.0:
- Passing more than one argument to `assert.fail()` will emit a runtime deprecation warning. [70dcacd710]
- Previously deprecated legacy async_hooks APIs have reached end-of-life and have been removed. [1cc6b993b9]
- Using `require()` to access several of Node.js' own internal dependencies will emit a runtime deprecation. [0e10717e43]
- The `crypto.createCipher()` and `crypto.createDecipher()` methods have been deprecated in documentation. [81f88e30dd]
- Using the `Decipher.finaltol()` method will emit a runtime deprecation warning. [19f3927d92]
- Using the `crypto.DEFAULT_ENCODING` property will emit a runtime deprecation warning. [6035beea93]
- Use by native addons of the `MakeCallback()` variant that passes a `Domain` will emit a runtime deprecation warning. [14bc3e22f3], [efb32592e1]
- Previously deprecated internal getters/setters on `net.Server` have reached end-of-life and have been removed. [3701b02309]
- Use of non-string values for `process.env` has been deprecated in documentation. [5826fe4e79]
- Use of `process.assert()` will emit a runtime deprecation warning. [703e37cf3f]
- Previously deprecated `NODE_REPL_HISTORY_FILE` environment variable has reached end-of-life and has been removed. [60c9ad7979]
- Use of the `timers.enroll()` and `timers.unenroll()` methods will emit a runtime deprecation warning. [68783ae0b8]
- Use of the `tls.convertNPNProtocols()` method will emit a runtime deprecation warning. Support for NPN has been removed from Node.js. [9204a0db6e]
- The `crypto.fips` property has been deprecated in documentation. [6e7992e8b8]
Commits
Semver-major
- [c9bb91af33] - (SEMVER-MAJOR) assert: remove `errorDiff` property (Ruben Bridgewater) #19467
- [eb427caadd] - (SEMVER-MAJOR) assert: improve default error messages (Ruben Bridgewater) #19467
- [1964978fb8] - (SEMVER-MAJOR) assert: detect faulty throws usage (Ruben Bridgewater) #19867
- [[9743e756e2](https://github.com/nodejs/node/commit...
2018-04-05, Version 9.11.1 (Current), @MylesBorins
Notable Changes
No additional commits.
An infrastructure issue caused a non-functioning msi installer for x64 to be promoted.
The patch release is to ensure that all binaries and installers work as expected.
2018-04-04, Version 9.11.0 (Current), @MylesBorins prepared by @targos
Notable Changes
- deps:
  - Updated ICU to 61.1 (Steven R. Loomis) #19621
    Includes CLDR 33 (many new languages and data improvements).
- fs:
  - Emit 'ready' event for `ReadStream` and `WriteStream` (Sameer Srivastava) #19408
- n-api:
  - Bump version of n-api supported (Michael Dawson) #19497
- net:
  - Emit 'ready' event for `Socket` (Sameer Srivastava) #19408
- Added new collaborators
  - mafintosh Mathias Buus
Commits
- [0bd78dc391] - buffer: use v8::TypedArray::kMaxLength as buffer::kMaxLength (Joyee Cheung) #19738
- [54b84f3c26] - buffer: remove "new" from deprecation message (Rich Trott) #19687
- [0127712cf5] - build: introduce make jstest (Joyee Cheung) #19324
- [58f61dbf8e] - deps: ICU 61.1 bump (Steven R. Loomis) #19621
- [97a92c4973] - deps: turn in std::string for ICU (Steven R. Loomis) #19624
- [ae86adc086] - doc: fix various nits (Vse Mozhet Byt) #19743
- [041f6cd9c9] - doc: improve Buffer.allocUnsafeSlow() and related (Rich Trott) #19742
- [42671f24ba] - doc: add mafintosh to collaborators (Mathias Buus) #19773
- [c1b83fcbc2] - doc: update to adding listens on SIGUSR1 (willhayslett) #19709
- [1aaad92101] - doc: fix lint nits in COLLABORATOR_GUIDE.md (Vse Mozhet Byt) #19762
- [5149e18719] - doc: deprecation clarifications (James M Snell) #19522
- [c5469bb7a8] - doc: remove "if provided" for optional arguments (Rich Trott) #19690
- [3a3ae0134d] - doc: do not identify string as "JavaScript string" (Rich Trott) #19689
- [d111037624] - doc: favor utf16le over ucs2 in buffer.md (Rich Trott) #19688
- [bb32bc8686] - doc: fix links in vm.md (Vse Mozhet Byt) #19721
- [44361bd1c8] - doc: fix quotes mistypes in inline code blocks (Сковорода Никита Андреевич) #19713
- [c8fa8f1f9d] - doc: remove ES6/ECMAScript 2015 from buffer.md (Rich Trott) #19685
- [9f20534889] - doc: shorten character encoding introduction (Rich Trott) #19648
- [078616109c] - doc: guard against md list parsing edge case (Vse Mozhet Byt) #19647
- [2ea7f90728] - doc: fix grammar error in process.md (Kenji Okamoto) #19641
- [7555deeb8c] - doc: improve zero-fill-buffers text (Rich Trott) #19623
- [5e90fc6a85] - fs: use fs.access in fs.exists (Bartosz Sosnowski) #18618
- [8a8b43e1b1] - (SEMVER-MINOR) fs,net: emit 'ready' for fs streams and sockets (Sameer Srivastava) #19408
- [e1f44a6366] - http: fix `request` when `setHost` is `true` (XadillaX) #19502
- [dac5f67e64] - http: support server options on createServer (Wes Todd) #19461
- [2bdf3ca235] - http2: callback valid check before closing request (Trivikram) #19061
- [7b850a7565] - http2: destroy() stream, upon errnoException (Sarat Addepalli) #19389
- [441175c29a] - http2: refer to stream errors by name (Anna Henningsen) #18966
- [0bcad33c7a] - inspector: report client-visible host and port (Eugene Ostroukhov) #19664
- [8e440115ec] - lib: add back lib/module.js redirection (Joyee Cheung) #19177
- [45c477c2e6] - lib: restructure cjs and esm loaders (Joyee Cheung) #19177
- [152a86c6aa] - lib: make isStackOverflowError() engine-agnostic (Mike Kaufman) #19705
- [889a3b44b3] - lib: fix a typo in lib/timers "read through" (wangzengdi) #19666
- [a45f3f8fd2] - lib: document nextTick queue internals (Anna Henningsen) #19469
- [d3d1ee7279] - lib: add internal check macros (Gus Caplan) #18852
- [e0c7d783e0] - lint: change require-buffer rule message (Gus Caplan) #19701
- [859b719927] - module: skip preserveSymlinks for main (Guy Bedford) #19388
- [a0a58730e0] - n-api: back up env before finalize (Gabriel Schulhof) #19718
- [b0a3a44ff6] - n-api: ensure in-module exceptions are propagated (Gabriel Schulhof) #19537
- [94a10bad3a] - (SEMVER-MINOR) n-api: bump version of n-api supported (Michael Dawson) #19497
- [ee4390a167] - repl: fix tab completion of inspector module (Michaël Zasso) #19505
- [ebdcf91dcc] - src: put bootstrappers in lib/internal/bootstrap/ (Joyee Cheung) #19177
- [ff7a116ba3] - src: move internal loaders out of bootstrap_node.js (Joyee Cheung) #19112
- [75d23ab2a0] - src: fix warnings in aliased_buffer (Kyle Farnung) #19665
- [01e31906e8] - src: general C++ cleanup in node_url.cc (Anna Henningsen) #19598
- [6c466811d3] - src: name all builtin init functions Initialize (Daniel Bevenius) #19550
- [1a38b9bd0f] - src: remove unused 'ares.h' include from env.h (Anna Henningsen) #19557
- [cae9ff256b] - src: fix upcoming V8 deprecation warnings (Sarat Addepalli) #19490
- [83ebaf08d9] - test: remove NODE_DEBUG in global module loading test (Joyee Cheung) #19177
- [92e9ed09e9] - test: test process.setuid for bad argument types (Divyanshu Singh) [#19703](https://github....
2018-03-29, Version 9.10.1 (Current), @MylesBorins
Notable Changes
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.
Note that Node.js versions 10.X and later will be built with version 4.9.X or later of the GCC compiler,
and it is possible that Node.js version 9.X may be built on the 4.9.X compiler at a later
time as the stated minimum compiler requirement
for Node.js version 9.X is 4.9.4.
2018-03-29, Version 8.11.1 'Carbon' (LTS), @MylesBorins
Notable Changes
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.
Note that Node.js versions 10.X and later will be built with version 4.9.X or later of the GCC compiler,
and it is possible that Node.js version 8.X may be built on the 4.9.X compiler at a later
time as the stated minimum compiler requirement
for Node.js version 8.X is 4.9.4.
2018-03-29, Version 6.14.1 'Boron' (LTS), @MylesBorins
Notable Changes
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.
2018-03-29, Version 4.9.1 'Argon' (Maintenance), @MylesBorins
Notable Changes
No additional commits.
Due to incorrect staging of the upgrade to the GCC 4.9.X compiler, the latest releases for PPC little
endian were built using GCC 4.9.X instead of GCC 4.8.X. This caused an ABI breakage on PPCLE based
environments. This has been fixed in our infrastructure and we are doing this release to ensure that
the hosted binaries are adhering to our platform support contract.
2018-03-28, Version 9.10.0 (Current), @MylesBorins prepared by @targos
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
Notable Changes
- Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`.
- Fix for `'path'` module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions.
- Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
- cluster:
  - Add support for `NODE_OPTIONS="--inspect"` (Sameer Srivastava) #19165
- crypto:
  - Expose the public key of a certificate (Hannes Magnusson) #17690
- n-api:
  - Add `napi_fatal_exception` to trigger an `uncaughtException` in JavaScript (Mathias Buus) #19337
- path:
  - Fix regression in `posix.normalize` (Michaël Zasso) #19520
- stream:
  - Improve stream creation performance (Brian White) #19401
- Added new collaborators
  - BethGriggs Beth Griggs
Commits
- [926214aefe] - cluster: add support for NODE_OPTIONS="--inspect" (Sameer Srivastava) #19165
- [6ead99aa73] - console: don't swallow call stack exceeded errors (Dan Kaplun) #19423
- [02671dc12b] - crypto: update root certificates (Ben Noordhuis) #19322
- [fd8c79ddfc] - (SEMVER-MINOR) crypto: add docs & tests for cert.pubkey & cert.fingerprint256 (Hannes Magnusson) #17690
- [23312675cb] - (SEMVER-MINOR) crypto: provide full cert details to checkServerIdentity (Hannes Magnusson) #17690
- [26e2938a50] - (SEMVER-MINOR) crypto: add cert.pubkey containing the raw pubkey of certificate (Hannes Magnusson) #17690
- [f5d9324315] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
- [f5eb182b50] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
- [ddcb3fc886] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
- [d908169bad] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #19638
- [0cd883fe09] - deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #19638
- [c39167dc26] - deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#1
- [3bc15a69ae] - deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#1
- [6591d9f761] - deps: cherry-pick 0c35b72 from upstream V8 (Gus Caplan) #18038
- [e533911696] - doc: remove use of "random port" re dgram send (Thomas Hunter II) #19620
- [3894981af2] - doc: improve assert legacy text (Rich Trott) #19622
- [8191ada9ae] - doc: improve Buffer() text (Rich Trott) #19567
- [2fadc9ef68] - doc: fix run-on sentence in buffer.md (Rich Trott) #19567
- [962c5816a2] - doc: change v-notation for version in buffer.md (Rich Trott) #19567
- [5a2f336994] - doc: add missing fs.Stats.size section (Vse Mozhet Byt) #19583
- [8653c42a41] - doc: rename HTTP2 to HTTP/2 (Timothy Gu) #19603
- [b70ac0ab2e] - doc: remove confusing note about child process stdio (Anna Henningsen) #19552
- [5e3d971f79] - doc: add BethGriggs to collaborators (Beth Griggs) #19610
- [5e9f9297b3] - doc: document `make docopen` (Ayush Gupta) #19321
- [4db7848e09] - doc: remove example labels from buffer.md (Rich Trott) #19582
- [f07e820e6d] - doc: add 'v' prefix to all versions in metadata (Tobias Nießen) #19590
- [7e9b7a5683] - doc: add missing metadata for fs.open (Tobias Nießen) #19585
- [d47e5d022f] - doc: add link & simplify data event (net.Socket) (Christopher Hiller) #19487
- [43f24c0406] - doc: add directory structure in writing-tests.md (juggernaut451) #18802
- [157fc28710] - doc: add added in versions to fs.Stats properties (jvelezpo) #19266
- [fa17002215] - doc: add missing metadata for settings.windowsHide (Tobias Nießen) #19578
- [4532a8913d] - doc: add `require.main` to `require` properties (Vse Mozhet Byt) #19573
- [1e8ece149a] - doc: add missing metadata for cluster.settings.cwd (Tobias Nießen) #19569
- [933c58cd76] - doc: add types for some `process` properties (Vse Mozhet Byt) #19571
- [ae0e243028] - doc: fix n-api example string (Steven R. Loomis) #19205
- [7c9ba3db40] - doc: correct introduced_in metadata for buffer doc (Rich Trott) #19545
- [1073f09cad] - doc: minor improvements to buffer.md (Rich Trott) #19547
- [9845fc3e4a] - doc: Add a missing comma (jiangq) #19555
- [d1c45e258c] - doc: update child_process.md (Ari Leo Frankel) #19075
- [8e3f59fbb5] - doc: clarify child_process promise rejections (TomCoded) [#19541]...
2018-03-28, Version 8.11.0 'Carbon' (LTS), @MylesBorins
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/march-2018-security-releases/ for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
Notable Changes
- Upgrade to OpenSSL 1.0.2o: Does not contain any security fixes that are known to impact Node.js.
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious website could use a DNS rebinding attack to trick a web browser to bypass same-origin-policy checks and allow HTTP connections to localhost or to hosts on the local network, potentially to an open inspector port as a debugger, therefore gaining full code execution access. The inspector now only allows connections that have a browser `Host` value of `localhost` or `localhost6`.
- Fix for `'path'` module regular expression denial of service (CVE-2018-7158): A regular expression used for parsing POSIX paths could be used to cause a denial of service if an attacker were able to have a specially crafted path string passed through one of the impacted `'path'` module functions.
- Reject spaces in HTTP `Content-Length` header values (CVE-2018-7159): The Node.js HTTP parser allowed for spaces inside `Content-Length` header values. Such values now lead to rejected connections in the same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been added to the Node.js binary and 30 have been removed.
Commits
- [dc290562e9] - crypto: update root certificates (Ben Noordhuis) #19322
- [df92da3f3c] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
- [259156ea40] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
- [d559d0eb25] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
- [cf8e8bcad2] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #19638
- [987138e488] - deps: upgrade openssl sources to 1.0.2o (Shigeki Ohtsu) #19638
- [1b7f6d9072] - deps: reject interior blanks in Content-Length (Ben Noordhuis) nodejs-private/http-parser-private#1
- [86c9ec6c5c] - deps: upgrade http-parser to v2.8.0 (Ben Noordhuis) nodejs-private/http-parser-private#1
- [de0c84889b] - inspector: minor adjustments (Eugene Ostroukhov)
- [b7690655ef] - inspector: check Host header (Ali Ijaz Sheikh)
- [0641f2dbf9] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
- [6ee4228c1d] - src: drop CNNIC+StartCom certificate whitelisting (Ben Noordhuis) #19322
- [633e23a618] - tools: update certdata.txt (Ben Noordhuis) #19322