diff --git a/BUILDING.md b/BUILDING.md index c56be2ad54e9cb..064da2473dee23 100644 --- a/BUILDING.md +++ b/BUILDING.md @@ -243,8 +243,8 @@ transition before the year-end deadline. * `gcc` and `g++` >= 6.3 or newer, or * GNU Make 3.81 or newer * Python (see note above) - * Python 2.7 - * Python 3.5, 3.6, and 3.7 are experimental. + * Python 2.7 + * Python 3.5, 3.6, and 3.7 are experimental. Installation via Linux package manager can be achieved with: @@ -259,8 +259,8 @@ FreeBSD and OpenBSD users may also need to install `libexecinfo`. * Xcode Command Line Tools >= 8 for macOS * Python (see note above) - * Python 2.7 - * Python 3.5, 3.6, and 3.7 are experimental. + * Python 2.7 + * Python 3.5, 3.6, and 3.7 are experimental. macOS users can install the `Xcode Command Line Tools` by running `xcode-select --install`. Alternatively, if you already have the full Xcode diff --git a/doc/api/http2.md b/doc/api/http2.md index 995e6bbd3c529f..a765aa506d5300 100644 --- a/doc/api/http2.md +++ b/doc/api/http2.md 
@@ -1970,23 +1970,23 @@ changes: exceed this limit will result in a `'frameError'` event being emitted and the stream being closed and destroyed. * `paddingStrategy` {number} Identifies the strategy used for determining the - amount of padding to use for `HEADERS` and `DATA` frames. **Default:** - `http2.constants.PADDING_STRATEGY_NONE`. Value may be one of: - * `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is - to be applied. - * `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum - amount of padding, as determined by the internal implementation, is to - be applied. - * `http2.constants.PADDING_STRATEGY_CALLBACK` - Specifies that the user - provided `options.selectPadding()` callback is to be used to determine - the amount of padding. - * `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply - enough padding to ensure that the total frame length, including the - 9-byte header, is a multiple of 8. For each frame, however, there is a - maximum allowed number of padding bytes that is determined by current - flow control state and settings. If this maximum is less than the - calculated amount needed to ensure alignment, the maximum will be used - and the total frame length will *not* necessarily be aligned at 8 bytes. + amount of padding to use for `HEADERS` and `DATA` frames. **Default:** + `http2.constants.PADDING_STRATEGY_NONE`. Value may be one of: + * `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is + to be applied. + * `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum + amount of padding, as determined by the internal implementation, is to + be applied. + * `http2.constants.PADDING_STRATEGY_CALLBACK` - Specifies that the user + provided `options.selectPadding()` callback is to be used to determine + the amount of padding. 
+ * `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply + enough padding to ensure that the total frame length, including the + 9-byte header, is a multiple of 8. For each frame, however, there is a + maximum allowed number of padding bytes that is determined by current + flow control state and settings. If this maximum is less than the + calculated amount needed to ensure alignment, the maximum will be used + and the total frame length will *not* necessarily be aligned at 8 bytes. * `peerMaxConcurrentStreams` {number} Sets the maximum number of concurrent streams for the remote peer as if a `SETTINGS` frame had been received. Will be overridden if the remote peer sets its own value for 
@@ -2085,23 +2085,23 @@ changes: exceed this limit will result in a `'frameError'` event being emitted and the stream being closed and destroyed. * `paddingStrategy` {number} Identifies the strategy used for determining the - amount of padding to use for `HEADERS` and `DATA` frames. **Default:** - `http2.constants.PADDING_STRATEGY_NONE`. Value may be one of: - * `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is - to be applied. - * `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum - amount of padding, as determined by the internal implementation, is to - be applied. - * `http2.constants.PADDING_STRATEGY_CALLBACK` - Specifies that the user - provided `options.selectPadding()` callback is to be used to determine - the amount of padding. - * `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply - enough padding to ensure that the total frame length, including the - 9-byte header, is a multiple of 8. For each frame, however, there is a - maximum allowed number of padding bytes that is determined by current - flow control state and settings. If this maximum is less than the - calculated amount needed to ensure alignment, the maximum will be used - and the total frame length will *not* necessarily be aligned at 8 bytes. + amount of padding to use for `HEADERS` and `DATA` frames. **Default:** + `http2.constants.PADDING_STRATEGY_NONE`. Value may be one of: + * `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is + to be applied. + * `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum + amount of padding, as determined by the internal implementation, is to + be applied. + * `http2.constants.PADDING_STRATEGY_CALLBACK` - Specifies that the user + provided `options.selectPadding()` callback is to be used to determine + the amount of padding. 
+ * `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply + enough padding to ensure that the total frame length, including the + 9-byte header, is a multiple of 8. For each frame, however, there is a + maximum allowed number of padding bytes that is determined by current + flow control state and settings. If this maximum is less than the + calculated amount needed to ensure alignment, the maximum will be used + and the total frame length will *not* necessarily be aligned at 8 bytes. * `peerMaxConcurrentStreams` {number} Sets the maximum number of concurrent streams for the remote peer as if a `SETTINGS` frame had been received. Will be overridden if the remote peer sets its own value for 
@@ -2186,23 +2186,23 @@ changes: exceed this limit will result in a `'frameError'` event being emitted and the stream being closed and destroyed. * `paddingStrategy` {number} Identifies the strategy used for determining the - amount of padding to use for `HEADERS` and `DATA` frames. **Default:** - `http2.constants.PADDING_STRATEGY_NONE`. Value may be one of: - * `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is - to be applied. - * `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum - amount of padding, as determined by the internal implementation, is to - be applied. - * `http2.constants.PADDING_STRATEGY_CALLBACK` - Specifies that the user - provided `options.selectPadding()` callback is to be used to determine - the amount of padding. - * `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply - enough padding to ensure that the total frame length, including the - 9-byte header, is a multiple of 8. For each frame, however, there is a - maximum allowed number of padding bytes that is determined by current - flow control state and settings. If this maximum is less than the - calculated amount needed to ensure alignment, the maximum will be used - and the total frame length will *not* necessarily be aligned at 8 bytes. + amount of padding to use for `HEADERS` and `DATA` frames. **Default:** + `http2.constants.PADDING_STRATEGY_NONE`. Value may be one of: + * `http2.constants.PADDING_STRATEGY_NONE` - Specifies that no padding is + to be applied. + * `http2.constants.PADDING_STRATEGY_MAX` - Specifies that the maximum + amount of padding, as determined by the internal implementation, is to + be applied. + * `http2.constants.PADDING_STRATEGY_CALLBACK` - Specifies that the user + provided `options.selectPadding()` callback is to be used to determine + the amount of padding. 
+ * `http2.constants.PADDING_STRATEGY_ALIGNED` - Will *attempt* to apply + enough padding to ensure that the total frame length, including the + 9-byte header, is a multiple of 8. For each frame, however, there is a + maximum allowed number of padding bytes that is determined by current + flow control state and settings. If this maximum is less than the + calculated amount needed to ensure alignment, the maximum will be used + and the total frame length will *not* necessarily be aligned at 8 bytes. * `peerMaxConcurrentStreams` {number} Sets the maximum number of concurrent streams for the remote peer as if a `SETTINGS` frame had been received. Will be overridden if the remote peer sets its own value for diff --git a/doc/api/process.md b/doc/api/process.md index a36cad64191b70..bac396dfe89913 100644 --- a/doc/api/process.md +++ b/doc/api/process.md @@ -723,8 +723,8 @@ added: v6.1.0 * `previousValue` {Object} A previous return value from calling `process.cpuUsage()` * Returns: {Object} - * `user` {integer} - * `system` {integer} + * `user` {integer} + * `system` {integer} The `process.cpuUsage()` method returns the user and system CPU time usage of the current process, in an object with properties `user` and `system`, whose @@ -1450,10 +1450,10 @@ changes: --> * Returns: {Object} - * `rss` {integer} - * `heapTotal` {integer} - * `heapUsed` {integer} - * `external` {integer} + * `rss` {integer} + * `heapTotal` {integer} + * `heapUsed` {integer} + * `external` {integer} The `process.memoryUsage()` method returns an object describing the memory usage of the Node.js process measured in bytes. 
@@ -1866,45 +1866,45 @@ added: v12.6.0 * Returns: {Object} the resource usage for the current process. All of these values come from the `uv_getrusage` call which returns a [`uv_rusage_t` struct][uv_rusage_t]. - * `userCPUTime` {integer} maps to `ru_utime` computed in microseconds. - It is the same value as [`process.cpuUsage().user`][process.cpuUsage]. - * `systemCPUTime` {integer} maps to `ru_stime` computed in microseconds. - It is the same value as [`process.cpuUsage().system`][process.cpuUsage]. - * `maxRSS` {integer} maps to `ru_maxrss` which is the maximum resident set - size used in kilobytes. - * `sharedMemorySize` {integer} maps to `ru_ixrss` but is not supported by - any platform. - * `unsharedDataSize` {integer} maps to `ru_idrss` but is not supported by - any platform. - * `unsharedStackSize` {integer} maps to `ru_isrss` but is not supported by - any platform. - * `minorPageFault` {integer} maps to `ru_minflt` which is the number of - minor page faults for the process, see - [this article for more details][wikipedia_minor_fault]. - * `majorPageFault` {integer} maps to `ru_majflt` which is the number of - major page faults for the process, see - [this article for more details][wikipedia_major_fault]. This field is not - supported on Windows. - * `swappedOut` {integer} maps to `ru_nswap` but is not supported by any - platform. - * `fsRead` {integer} maps to `ru_inblock` which is the number of times the - file system had to perform input. - * `fsWrite` {integer} maps to `ru_oublock` which is the number of times the - file system had to perform output. - * `ipcSent` {integer} maps to `ru_msgsnd` but is not supported by any - platform. - * `ipcReceived` {integer} maps to `ru_msgrcv` but is not supported by any - platform. - * `signalsCount` {integer} maps to `ru_nsignals` but is not supported by any - platform. 
- * `voluntaryContextSwitches` {integer} maps to `ru_nvcsw` which is the - number of times a CPU context switch resulted due to a process voluntarily - giving up the processor before its time slice was completed (usually to - await availability of a resource). This field is not supported on Windows. - * `involuntaryContextSwitches` {integer} maps to `ru_nivcsw` which is the - number of times a CPU context switch resulted due to a higher priority - process becoming runnable or because the current process exceeded its - time slice. This field is not supported on Windows. + * `userCPUTime` {integer} maps to `ru_utime` computed in microseconds. + It is the same value as [`process.cpuUsage().user`][process.cpuUsage]. + * `systemCPUTime` {integer} maps to `ru_stime` computed in microseconds. + It is the same value as [`process.cpuUsage().system`][process.cpuUsage]. + * `maxRSS` {integer} maps to `ru_maxrss` which is the maximum resident set + size used in kilobytes. + * `sharedMemorySize` {integer} maps to `ru_ixrss` but is not supported by + any platform. + * `unsharedDataSize` {integer} maps to `ru_idrss` but is not supported by + any platform. + * `unsharedStackSize` {integer} maps to `ru_isrss` but is not supported by + any platform. + * `minorPageFault` {integer} maps to `ru_minflt` which is the number of + minor page faults for the process, see + [this article for more details][wikipedia_minor_fault]. + * `majorPageFault` {integer} maps to `ru_majflt` which is the number of + major page faults for the process, see + [this article for more details][wikipedia_major_fault]. This field is not + supported on Windows. + * `swappedOut` {integer} maps to `ru_nswap` but is not supported by any + platform. + * `fsRead` {integer} maps to `ru_inblock` which is the number of times the + file system had to perform input. + * `fsWrite` {integer} maps to `ru_oublock` which is the number of times the + file system had to perform output. 
+ * `ipcSent` {integer} maps to `ru_msgsnd` but is not supported by any + platform. + * `ipcReceived` {integer} maps to `ru_msgrcv` but is not supported by any + platform. + * `signalsCount` {integer} maps to `ru_nsignals` but is not supported by any + platform. + * `voluntaryContextSwitches` {integer} maps to `ru_nvcsw` which is the + number of times a CPU context switch resulted due to a process voluntarily + giving up the processor before its time slice was completed (usually to + await availability of a resource). This field is not supported on Windows. + * `involuntaryContextSwitches` {integer} maps to `ru_nivcsw` which is the + number of times a CPU context switch resulted due to a higher priority + process becoming runnable or because the current process exceeded its + time slice. This field is not supported on Windows. ```js console.log(process.resourceUsage()); diff --git a/doc/api/url.md b/doc/api/url.md index 94551f162b8eef..a65cb2a6786053 100644 --- a/doc/api/url.md +++ b/doc/api/url.md @@ -1143,9 +1143,9 @@ The formatting process operates as follows: colon (`:`) character, the literal string `:` will be appended to `result`. * If either of the following conditions is true, then the literal string `//` will be appended to `result`: - * `urlObject.slashes` property is true; - * `urlObject.protocol` begins with `http`, `https`, `ftp`, `gopher`, or - `file`; + * `urlObject.slashes` property is true; + * `urlObject.protocol` begins with `http`, `https`, `ftp`, `gopher`, or + `file`; * If the value of the `urlObject.auth` property is truthy, and either `urlObject.host` or `urlObject.hostname` are not `undefined`, the value of `urlObject.auth` will be coerced into a string and appended to `result` diff --git a/doc/api/vm.md b/doc/api/vm.md index 530853736384e5..c657aeb07d2885 100644 --- a/doc/api/vm.md +++ b/doc/api/vm.md 
@@ -90,12 +90,12 @@ changes: `import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][]. This option is part of the experimental API for the `--experimental-modules` flag, and should not be considered stable. - * `specifier` {string} specifier passed to `import()` - * `module` {vm.SourceTextModule} - * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a - `vm.SourceTextModule` is recommended in order to take advantage of error - tracking, and to avoid issues with namespaces that contain `then` - function exports. + * `specifier` {string} specifier passed to `import()` + * `module` {vm.SourceTextModule} + * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a + `vm.SourceTextModule` is recommended in order to take advantage of error + tracking, and to avoid issues with namespaces that contain `then` + function exports. If `options` is a string, then it specifies the filename. @@ -432,12 +432,12 @@ const contextifiedSandbox = vm.createContext({ secret: 42 }); * `importModuleDynamically` {Function} Called during evaluation of this module when `import()` is called. If this option is not specified, calls to `import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][]. - * `specifier` {string} specifier passed to `import()` - * `module` {vm.SourceTextModule} - * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a - `vm.SourceTextModule` is recommended in order to take advantage of error - tracking, and to avoid issues with namespaces that contain `then` - function exports. + * `specifier` {string} specifier passed to `import()` + * `module` {vm.SourceTextModule} + * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a + `vm.SourceTextModule` is recommended in order to take advantage of error + tracking, and to avoid issues with namespaces that contain `then` + function exports. Creates a new ES `Module` object. 
@@ -817,12 +817,12 @@ changes: `import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][]. This option is part of the experimental API for the `--experimental-modules` flag, and should not be considered stable. - * `specifier` {string} specifier passed to `import()` - * `module` {vm.SourceTextModule} - * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a - `vm.SourceTextModule` is recommended in order to take advantage of error - tracking, and to avoid issues with namespaces that contain `then` - function exports. + * `specifier` {string} specifier passed to `import()` + * `module` {vm.SourceTextModule} + * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a + `vm.SourceTextModule` is recommended in order to take advantage of error + tracking, and to avoid issues with namespaces that contain `then` + function exports. * Returns: {any} the result of the very last statement executed in the script. The `vm.runInContext()` method compiles `code`, runs it within the context of 
@@ -915,12 +915,12 @@ changes: `import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][]. This option is part of the experimental API for the `--experimental-modules` flag, and should not be considered stable. - * `specifier` {string} specifier passed to `import()` - * `module` {vm.SourceTextModule} - * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a - `vm.SourceTextModule` is recommended in order to take advantage of error - tracking, and to avoid issues with namespaces that contain `then` - function exports. + * `specifier` {string} specifier passed to `import()` + * `module` {vm.SourceTextModule} + * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a + `vm.SourceTextModule` is recommended in order to take advantage of error + tracking, and to avoid issues with namespaces that contain `then` + function exports. * Returns: {any} the result of the very last statement executed in the script. The `vm.runInNewContext()` first contextifies the given `sandbox` object (or 
@@ -993,12 +993,12 @@ changes: `import()` will reject with [`ERR_VM_DYNAMIC_IMPORT_CALLBACK_MISSING`][]. This option is part of the experimental API for the `--experimental-modules` flag, and should not be considered stable. - * `specifier` {string} specifier passed to `import()` - * `module` {vm.SourceTextModule} - * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a - `vm.SourceTextModule` is recommended in order to take advantage of error - tracking, and to avoid issues with namespaces that contain `then` - function exports. + * `specifier` {string} specifier passed to `import()` + * `module` {vm.SourceTextModule} + * Returns: {Module Namespace Object|vm.SourceTextModule} Returning a + `vm.SourceTextModule` is recommended in order to take advantage of error + tracking, and to avoid issues with namespaces that contain `then` + function exports. * Returns: {any} the result of the very last statement executed in the script. `vm.runInThisContext()` compiles `code`, runs it within the context of the diff --git a/doc/changelogs/CHANGELOG_V10.md b/doc/changelogs/CHANGELOG_V10.md index 6503ed141c92b0..3b9af6e2de5ed2 100644 --- a/doc/changelogs/CHANGELOG_V10.md +++ b/doc/changelogs/CHANGELOG_V10.md 
@@ -987,8 +987,8 @@ Fixes for the following CVEs are included in this release: * **deps**: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 * **http**: - * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) - * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) + * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) * **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina) ### Commits diff --git a/doc/changelogs/CHANGELOG_V11.md b/doc/changelogs/CHANGELOG_V11.md index e5d86047f53fba..3154b4219c7eb8 100644 --- a/doc/changelogs/CHANGELOG_V11.md +++ b/doc/changelogs/CHANGELOG_V11.md 
@@ -2065,8 +2065,8 @@ Fixes for the following CVEs are included in this release: * **deps**: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735 * **http**: - * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) - * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) + * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) * **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina) ### Commits diff --git a/doc/changelogs/CHANGELOG_V12.md b/doc/changelogs/CHANGELOG_V12.md index fe7b4342933861..664ebf5be477b6 100644 --- a/doc/changelogs/CHANGELOG_V12.md +++ b/doc/changelogs/CHANGELOG_V12.md 
@@ -1550,109 +1550,109 @@ Vulnerabilities fixed: ### Notable Changes * **assert**: - * validate required arguments (Ruben Bridgewater) [#26641](https://github.com/nodejs/node/pull/26641) - * adjust loose assertions (Ruben Bridgewater) [#25008](https://github.com/nodejs/node/pull/25008) + * validate required arguments (Ruben Bridgewater) [#26641](https://github.com/nodejs/node/pull/26641) + * adjust loose assertions (Ruben Bridgewater) [#25008](https://github.com/nodejs/node/pull/25008) * **async_hooks**: - * remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](https://github.com/nodejs/node/pull/26530) - * remove promise object from resource (Andreas Madsen) [#23443](https://github.com/nodejs/node/pull/23443) + * remove deprecated `emitBefore` and `emitAfter` (Matteo Collina) [#26530](https://github.com/nodejs/node/pull/26530) + * remove promise object from resource (Andreas Madsen) [#23443](https://github.com/nodejs/node/pull/23443) * **bootstrap**: make Buffer and process non-enumerable (Ruben Bridgewater) [#24874](https://github.com/nodejs/node/pull/24874) * **buffer**: - * use stricter range checks (Ruben Bridgewater) [#27045](https://github.com/nodejs/node/pull/27045) - * harden `SlowBuffer` creation (ZYSzys) [#26272](https://github.com/nodejs/node/pull/26272) - * harden validation of buffer allocation size (ZYSzys) [#26162](https://github.com/nodejs/node/pull/26162) - * do proper error propagation in addon methods (Anna Henningsen) [#23939](https://github.com/nodejs/node/pull/23939) + * use stricter range checks (Ruben Bridgewater) [#27045](https://github.com/nodejs/node/pull/27045) + * harden `SlowBuffer` creation (ZYSzys) [#26272](https://github.com/nodejs/node/pull/26272) + * harden validation of buffer allocation size (ZYSzys) [#26162](https://github.com/nodejs/node/pull/26162) + * do proper error propagation in addon methods (Anna Henningsen) [#23939](https://github.com/nodejs/node/pull/23939) * **child_process**: - * remove 
`options.customFds` (cjihrig) [#25279](https://github.com/nodejs/node/pull/25279) - * harden fork arguments validation (ZYSzys) [#27039](https://github.com/nodejs/node/pull/27039) - * use non-infinite `maxBuffer` defaults (kohta ito) [#23027](https://github.com/nodejs/node/pull/23027) + * remove `options.customFds` (cjihrig) [#25279](https://github.com/nodejs/node/pull/25279) + * harden fork arguments validation (ZYSzys) [#27039](https://github.com/nodejs/node/pull/27039) + * use non-infinite `maxBuffer` defaults (kohta ito) [#23027](https://github.com/nodejs/node/pull/23027) * **console**: don't use ANSI escape codes when `TERM=dumb` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261) * **crypto**: - * remove legacy native handles (Tobias Nießen) [#27011](https://github.com/nodejs/node/pull/27011) - * decode missing passphrase errors (Tobias Nießen) [#25208](https://github.com/nodejs/node/pull/25208) - * remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](https://github.com/nodejs/node/pull/26249) - * remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](https://github.com/nodejs/node/pull/25338) - * set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](https://github.com/nodejs/node/pull/23222) + * remove legacy native handles (Tobias Nießen) [#27011](https://github.com/nodejs/node/pull/27011) + * decode missing passphrase errors (Tobias Nießen) [#25208](https://github.com/nodejs/node/pull/25208) + * remove `Cipher.setAuthTag()` and `Decipher.getAuthTag()` (Tobias Nießen) [#26249](https://github.com/nodejs/node/pull/26249) + * remove deprecated `crypto._toBuf()` (Tobias Nießen) [#25338](https://github.com/nodejs/node/pull/25338) + * set `DEFAULT\_ENCODING` property to non-enumerable (Antoine du Hamel) [#23222](https://github.com/nodejs/node/pull/23222) * **deps**: - * update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann, Anna Henningsen, Ujjwal Sharma) 
[#26685](https://github.com/nodejs/node/pull/26685) - * bump minimum icu version to 63 (Ujjwal Sharma) [#25852](https://github.com/nodejs/node/pull/25852) - * update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](https://github.com/nodejs/node/pull/26327) + * update V8 to 7.4.288.13 (Michaël Zasso, cjihrig, Refael Ackermann, Anna Henningsen, Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685) + * bump minimum icu version to 63 (Ujjwal Sharma) [#25852](https://github.com/nodejs/node/pull/25852) + * update OpenSSL to 1.1.1b (Sam Roberts, Shigeki Ohtsu) [#26327](https://github.com/nodejs/node/pull/26327) * **errors**: update error name (Ruben Bridgewater) [#26738](https://github.com/nodejs/node/pull/26738) * **fs**: - * use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](https://github.com/nodejs/node/pull/26690) - * improve mode validation (Ruben Bridgewater) [#26575](https://github.com/nodejs/node/pull/26575) - * harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](https://github.com/nodejs/node/pull/25579) - * make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](https://github.com/nodejs/node/pull/23709) + * use proper .destroy() implementation for SyncWriteStream (Matteo Collina) [#26690](https://github.com/nodejs/node/pull/26690) + * improve mode validation (Ruben Bridgewater) [#26575](https://github.com/nodejs/node/pull/26575) + * harden validation of start option in `createWriteStream()` (ZYSzys) [#25579](https://github.com/nodejs/node/pull/25579) + * make writeFile consistent with readFile wrt fd (Sakthipriyan Vairamani (thefourtheye)) [#23709](https://github.com/nodejs/node/pull/23709) * **http**: - * validate timeout in `ClientRequest()` (cjihrig) [#26214](https://github.com/nodejs/node/pull/26214) - * return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](https://github.com/nodejs/node/pull/25605) - * switch default 
parser to llhttp (Anna Henningsen) [#24870](https://github.com/nodejs/node/pull/24870) - * Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](https://github.com/nodejs/node/pull/24167) + * validate timeout in `ClientRequest()` (cjihrig) [#26214](https://github.com/nodejs/node/pull/26214) + * return HTTP 431 on `HPE_HEADER_OVERFLOW` error (Albert Still) [#25605](https://github.com/nodejs/node/pull/25605) + * switch default parser to llhttp (Anna Henningsen) [#24870](https://github.com/nodejs/node/pull/24870) + * Runtime-deprecate `outgoingMessage._headers` and `outgoingMessage._headerNames` (Morgan Roderick) [#24167](https://github.com/nodejs/node/pull/24167) * **lib**: - * remove `Atomics.wake()` (Gus Caplan) [#27033](https://github.com/nodejs/node/pull/27033) - * move DTRACE\_\* probes out of global scope (James M Snell) [#26541](https://github.com/nodejs/node/pull/26541) - * deprecate `_stream_wrap` (Sam Roberts) [#26245](https://github.com/nodejs/node/pull/26245) - * use ES6 class inheritance style (Ruben Bridgewater) [#24755](https://github.com/nodejs/node/pull/24755) + * remove `Atomics.wake()` (Gus Caplan) [#27033](https://github.com/nodejs/node/pull/27033) + * move DTRACE\_\* probes out of global scope (James M Snell) [#26541](https://github.com/nodejs/node/pull/26541) + * deprecate `_stream_wrap` (Sam Roberts) [#26245](https://github.com/nodejs/node/pull/26245) + * use ES6 class inheritance style (Ruben Bridgewater) [#24755](https://github.com/nodejs/node/pull/24755) * **module**: - * remove unintended access to deps/ (Anna Henningsen) [#25138](https://github.com/nodejs/node/pull/25138) - * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690) - * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690) - * remove dead code (Ruben Bridgewater) 
[#26983](https://github.com/nodejs/node/pull/26983) - * make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](https://github.com/nodejs/node/pull/26973) - * throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](https://github.com/nodejs/node/pull/26823) - * don't search in `require.resolve.paths` (cjihrig) [#23683](https://github.com/nodejs/node/pull/23683) + * remove unintended access to deps/ (Anna Henningsen) [#25138](https://github.com/nodejs/node/pull/25138) + * improve error message for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690) + * requireStack property for MODULE\_NOT\_FOUND (Ali Ijaz Sheikh) [#25690](https://github.com/nodejs/node/pull/25690) + * remove dead code (Ruben Bridgewater) [#26983](https://github.com/nodejs/node/pull/26983) + * make `require('.')` never resolve outside the current directory (Ruben Bridgewater) [#26973](https://github.com/nodejs/node/pull/26973) + * throw an error for invalid package.json main entries (Ruben Bridgewater) [#26823](https://github.com/nodejs/node/pull/26823) + * don't search in `require.resolve.paths` (cjihrig) [#23683](https://github.com/nodejs/node/pull/23683) * **net**: - * remove `Server.listenFD()` (cjihrig) [#27127](https://github.com/nodejs/node/pull/27127) - * do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](https://github.com/nodejs/node/pull/26751) - * emit "write after end" errors in the next tick (Ouyang Yadong) [#24457](https://github.com/nodejs/node/pull/24457) - * deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](https://github.com/nodejs/node/pull/23760) + * remove `Server.listenFD()` (cjihrig) [#27127](https://github.com/nodejs/node/pull/27127) + * do not add `.host` and `.port` properties to DNS error (Ruben Bridgewater) [#26751](https://github.com/nodejs/node/pull/26751) + * emit "write after end" errors in the next 
tick (Ouyang Yadong) [#24457](https://github.com/nodejs/node/pull/24457) + * deprecate `_setSimultaneousAccepts()` undocumented function (James M Snell) [#23760](https://github.com/nodejs/node/pull/23760) * **os**: - * implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](https://github.com/nodejs/node/pull/25659) - * remove `os.getNetworkInterfaces()` (cjihrig) [#25280](https://github.com/nodejs/node/pull/25280) + * implement `os.type()` using `uv_os_uname()` (cjihrig) [#25659](https://github.com/nodejs/node/pull/25659) + * remove `os.getNetworkInterfaces()` (cjihrig) [#25280](https://github.com/nodejs/node/pull/25280) * **process**: - * make global.process, global.Buffer getters (Guy Bedford) [#26882](https://github.com/nodejs/node/pull/26882) - * move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828) - * exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828) - * improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](https://github.com/nodejs/node/pull/24965) + * make global.process, global.Buffer getters (Guy Bedford) [#26882](https://github.com/nodejs/node/pull/26882) + * move DEP0062 (node --debug) to end-of-life (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828) + * exit on --debug and --debug-brk after option parsing (Joyee Cheung) [#25828](https://github.com/nodejs/node/pull/25828) + * improve `--redirect-warnings` handling (Ruben Bridgewater) [#24965](https://github.com/nodejs/node/pull/24965) * **readline**: support TERM=dumb (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261) * **repl**: - * add welcome message (gengjiawen) [#25947](https://github.com/nodejs/node/pull/25947) - * fix terminal default setting (Ruben Bridgewater) [#26518](https://github.com/nodejs/node/pull/26518) - * check colors with `.getColorDepth()` (Vladislav Kaminsky) 
[#26261](https://github.com/nodejs/node/pull/26261) - * deprecate REPLServer.rli (Ruben Bridgewater) [#26260](https://github.com/nodejs/node/pull/26260) + * add welcome message (gengjiawen) [#25947](https://github.com/nodejs/node/pull/25947) + * fix terminal default setting (Ruben Bridgewater) [#26518](https://github.com/nodejs/node/pull/26518) + * check colors with `.getColorDepth()` (Vladislav Kaminsky) [#26261](https://github.com/nodejs/node/pull/26261) + * deprecate REPLServer.rli (Ruben Bridgewater) [#26260](https://github.com/nodejs/node/pull/26260) * **src**: - * remove unused `INT_MAX` constant (Sam Roberts) [#27078](https://github.com/nodejs/node/pull/27078) - * update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685) - * remove `AddPromiseHook()` (Anna Henningsen) [#26574](https://github.com/nodejs/node/pull/26574) - * clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](https://github.com/nodejs/node/pull/26384) - * properly configure default heap limits (Ali Ijaz Sheikh) [#25576](https://github.com/nodejs/node/pull/25576) - * remove `icuDataDir` from node config (GauthamBanasandra) [#24780](https://github.com/nodejs/node/pull/24780) + * remove unused `INT_MAX` constant (Sam Roberts) [#27078](https://github.com/nodejs/node/pull/27078) + * update `NODE_MODULE_VERSION` to 72 (Ujjwal Sharma) [#26685](https://github.com/nodejs/node/pull/26685) + * remove `AddPromiseHook()` (Anna Henningsen) [#26574](https://github.com/nodejs/node/pull/26574) + * clean up `MultiIsolatePlatform` interface (Anna Henningsen) [#26384](https://github.com/nodejs/node/pull/26384) + * properly configure default heap limits (Ali Ijaz Sheikh) [#25576](https://github.com/nodejs/node/pull/25576) + * remove `icuDataDir` from node config (GauthamBanasandra) [#24780](https://github.com/nodejs/node/pull/24780) * **tls**: - * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209) - * return correct 
version from `getCipher()` (Sam Roberts) [#26625](https://github.com/nodejs/node/pull/26625) - * check arg types of renegotiate() (Sam Roberts) [#25876](https://github.com/nodejs/node/pull/25876) - * add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729) - * emit a warning when servername is an IP address (Rodger Combs) [#23329](https://github.com/nodejs/node/pull/23329) - * disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](https://github.com/nodejs/node/pull/23814) - * remove unused arg to createSecureContext() (Sam Roberts) [#24241](https://github.com/nodejs/node/pull/24241) - * deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](https://github.com/nodejs/node/pull/23820) - * load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong) [#23354](https://github.com/nodejs/node/pull/23354) + * support TLSv1.3 (Sam Roberts) [#26209](https://github.com/nodejs/node/pull/26209) + * return correct version from `getCipher()` (Sam Roberts) [#26625](https://github.com/nodejs/node/pull/26625) + * check arg types of renegotiate() (Sam Roberts) [#25876](https://github.com/nodejs/node/pull/25876) + * add code for `ERR_TLS_INVALID_PROTOCOL_METHOD` (Sam Roberts) [#24729](https://github.com/nodejs/node/pull/24729) + * emit a warning when servername is an IP address (Rodger Combs) [#23329](https://github.com/nodejs/node/pull/23329) + * disable TLS v1.0 and v1.1 by default (Ben Noordhuis) [#23814](https://github.com/nodejs/node/pull/23814) + * remove unused arg to createSecureContext() (Sam Roberts) [#24241](https://github.com/nodejs/node/pull/24241) + * deprecate `Server.prototype.setOptions()` (cjihrig) [#23820](https://github.com/nodejs/node/pull/23820) + * load `NODE_EXTRA_CA_CERTS` at startup (Ouyang Yadong) [#23354](https://github.com/nodejs/node/pull/23354) * **util**: - * remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](https://github.com/nodejs/node/pull/25377) 
- * change inspect compact and breakLength default (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109) - * improve inspect edge cases (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109) - * only the first line of the error message (Simon Zünd) [#26685](https://github.com/nodejs/node/pull/26685) - * don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) - * rename callbackified function (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) - * increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) - * prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](https://github.com/nodejs/node/pull/26577) - * prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](https://github.com/nodejs/node/pull/26241) - * prevent leaking internal properties (Ruben Bridgewater) [#24971](https://github.com/nodejs/node/pull/24971) - * protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](https://github.com/nodejs/node/pull/25953) - * treat format arguments equally (Roman Reiss) [#23162](https://github.com/nodejs/node/pull/23162) + * remove `util.print()`, `util.puts()`, `util.debug()` and `util.error()` (cjihrig) [#25377](https://github.com/nodejs/node/pull/25377) + * change inspect compact and breakLength default (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109) + * improve inspect edge cases (Ruben Bridgewater) [#27109](https://github.com/nodejs/node/pull/27109) + * only the first line of the error message (Simon Zünd) [#26685](https://github.com/nodejs/node/pull/26685) + * don't set the prototype of callbackified functions (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) + * rename callbackified function (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) 
+ * increase function length when using `callbackify()` (Ruben Bridgewater) [#26893](https://github.com/nodejs/node/pull/26893) + * prevent tampering with internals in `inspect()` (Ruben Bridgewater) [#26577](https://github.com/nodejs/node/pull/26577) + * prevent Proxy traps being triggered by `.inspect()` (Ruben Bridgewater) [#26241](https://github.com/nodejs/node/pull/26241) + * prevent leaking internal properties (Ruben Bridgewater) [#24971](https://github.com/nodejs/node/pull/24971) + * protect against monkeypatched Object prototype for inspect() (Rich Trott) [#25953](https://github.com/nodejs/node/pull/25953) + * treat format arguments equally (Roman Reiss) [#23162](https://github.com/nodejs/node/pull/23162) * **win, fs**: detect if symlink target is a directory (Bartosz Sosnowski) [#23724](https://github.com/nodejs/node/pull/23724) * **zlib**: - * throw TypeError if callback is missing (Anna Henningsen) [#24929](https://github.com/nodejs/node/pull/24929) - * make “bare” constants un-enumerable (Anna Henningsen) [#24824](https://github.com/nodejs/node/pull/24824) + * throw TypeError if callback is missing (Anna Henningsen) [#24929](https://github.com/nodejs/node/pull/24929) + * make “bare” constants un-enumerable (Anna Henningsen) [#24824](https://github.com/nodejs/node/pull/24824) ### Semver-Major Commits diff --git a/doc/changelogs/CHANGELOG_V6.md b/doc/changelogs/CHANGELOG_V6.md index c495b4f8ec09d8..4bb02b0bc1f71f 100644 --- a/doc/changelogs/CHANGELOG_V6.md +++ b/doc/changelogs/CHANGELOG_V6.md 
@@ -191,9 +191,9 @@ Fixes for the following CVEs are included in this release: * **debugger**: Backport of [nodejs/node#8106](https://github.com/nodejs/node/pull/8106) to prevent the debugger from listening on `0.0.0.0`. It now defaults to `127.0.0.1`. Reported by Ben Noordhuis. (CVE-2018-12120 / Ben Noordhuis). * **deps**: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407 * **http**: - * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) - * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) - * Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina) + * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. 
Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) + * Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina) * **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina) ### Commits 
@@ -2826,14 +2826,14 @@ are updates to dependencies. * **build**: shared library support is now working for AIX builds (Stewart Addison) [#9675](https://github.com/nodejs/node/pull/9675) * **deps**: - - *npm*: upgrade npm to 3.10.10 (Rebecca Turner) [#9847](https://github.com/nodejs/node/pull/9847) - - *V8*: Destructuring of arrow function arguments via computed property no longer throws (Michaël Zasso) [#10386](https://github.com/nodejs/node/pull/10386) + - *npm*: upgrade npm to 3.10.10 (Rebecca Turner) [#9847](https://github.com/nodejs/node/pull/9847) + - *V8*: Destructuring of arrow function arguments via computed property no longer throws (Michaël Zasso) [#10386](https://github.com/nodejs/node/pull/10386) * **inspector**: /json/version returns object, not an object wrapped in an array (Ben Noordhuis) [#9762](https://github.com/nodejs/node/pull/9762) * **module**: using --debug-brk and --eval together now works as expected (Kelvin Jin) [#8876](https://github.com/nodejs/node/pull/8876) * **process**: improve performance of nextTick up to 20% (Evan Lucas) [#8932](https://github.com/nodejs/node/pull/8932) * **repl**: - - the division operator will no longer be accidentally parsed as regex (Teddy Katz) [#10103](https://github.com/nodejs/node/pull/10103) - - improved support for generator functions (Teddy Katz) [#9852](https://github.com/nodejs/node/pull/9852) + - the division operator will no longer be accidentally parsed as regex (Teddy Katz) [#10103](https://github.com/nodejs/node/pull/10103) + - improved support for generator functions (Teddy Katz) [#9852](https://github.com/nodejs/node/pull/9852) * **timers**: Re canceling a cancelled timers will no longer throw (Jeremiah Senkpiel) [#9685](https://github.com/nodejs/node/pull/9685) ### Commits 
@@ -3162,10 +3162,10 @@ commits which are updates to dependencies. * **buffer**: coerce slice parameters consistently (Sakthipriyan Vairamani (thefourtheye)) [#9101](https://github.com/nodejs/node/pull/9101) * **deps**: - - *npm*: upgrade npm to 3.10.9 (Kat Marchán) [#9286](https://github.com/nodejs/node/pull/9286) - - *V8*: Various fixes to destructuring edge cases - - cherry-pick 3c39bac from V8 upstream (Cristian Cavalli) [#9138](https://github.com/nodejs/node/pull/9138) - - cherry pick 7166503 from upstream v8 (Cristian Cavalli) [#9173](https://github.com/nodejs/node/pull/9173) + - *npm*: upgrade npm to 3.10.9 (Kat Marchán) [#9286](https://github.com/nodejs/node/pull/9286) + - *V8*: Various fixes to destructuring edge cases + - cherry-pick 3c39bac from V8 upstream (Cristian Cavalli) [#9138](https://github.com/nodejs/node/pull/9138) + - cherry pick 7166503 from upstream v8 (Cristian Cavalli) [#9173](https://github.com/nodejs/node/pull/9173) * **gtest**: the test reporter now outputs tap comments as yamlish (Johan Bergström) [#9262](https://github.com/nodejs/node/pull/9262) * **inspector**: inspector now prompts user to use 127.0.0.1 rather than localhost (Eugene Ostroukhov) [#9451](https://github.com/nodejs/node/pull/9451) * **tls**: fix memory leak when writing data to TLSWrap instance during handshake (Fedor Indutny) [#9586](https://github.com/nodejs/node/pull/9586) diff --git a/doc/changelogs/CHANGELOG_V7.md b/doc/changelogs/CHANGELOG_V7.md index c3a33b3ee6ae24..7c903c35fb331b 100644 --- a/doc/changelogs/CHANGELOG_V7.md +++ b/doc/changelogs/CHANGELOG_V7.md 
@@ -786,10 +786,10 @@ This release contains **v8 5.5**, you can read more about this version in the of ### Notable changes * **deps**: - * update V8 to 5.5 (Michaël Zasso) [#11029](https://github.com/nodejs/node/pull/11029) - * upgrade libuv to 1.11.0 (cjihrig) [#11094](https://github.com/nodejs/node/pull/11094) - * add node-inspect 1.10.4 (Jan Krems) [#10187](https://github.com/nodejs/node/pull/10187) - * upgrade zlib to 1.2.11 (Sam Roberts) [#10980](https://github.com/nodejs/node/pull/10980) + * update V8 to 5.5 (Michaël Zasso) [#11029](https://github.com/nodejs/node/pull/11029) + * upgrade libuv to 1.11.0 (cjihrig) [#11094](https://github.com/nodejs/node/pull/11094) + * add node-inspect 1.10.4 (Jan Krems) [#10187](https://github.com/nodejs/node/pull/10187) + * upgrade zlib to 1.2.11 (Sam Roberts) [#10980](https://github.com/nodejs/node/pull/10980) * **lib**: build `node inspect` into `node` (Anna Henningsen) [#10187](https://github.com/nodejs/node/pull/10187) * **crypto**: Remove expired certs from CNNIC whitelist (Shigeki Ohtsu) [#9469](https://github.com/nodejs/node/pull/9469) * **inspector**: add --inspect-brk (Josh Gavant) [#11149](https://github.com/nodejs/node/pull/11149) diff --git a/doc/changelogs/CHANGELOG_V8.md b/doc/changelogs/CHANGELOG_V8.md index 1eb2ebd281a9d6..7e3599f9c156b4 100644 --- a/doc/changelogs/CHANGELOG_V8.md +++ b/doc/changelogs/CHANGELOG_V8.md 
@@ -287,9 +287,9 @@ Fixes for the following CVEs are included in this release: * **deps**: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407 * **http**: - * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) - * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) - * Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina) + * Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina) + * A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with `server.headersTimeout`. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with `server.setTimeout()`, this aids in protecting against excessive resource retention and possible Denial of Service. 
Reported by Jan Maybach ([liebdich.com](https://liebdich.com)). (CVE-2018-12122 / Matteo Collina) + * Two-byte characters are now strictly disallowed for the `path` option in HTTP client requests. Paths containing characters outside of the range `\u0021` - `\u00ff` will now be rejected with a `TypeError`. This behavior can be reverted if necessary by supplying the `--security-revert=CVE-2018-12116` command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by [Arkadiy Tetelman](https://twitter.com/arkadiyt) ([Lob](https://lob.com)), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina) * **url**: Fix a bug that would allow a hostname being spoofed when parsing URLs with `url.parse()` with the `'javascript:'` protocol. Reported by [Martin Bajanik](https://twitter.com/_bayotop) ([Kentico](https://kenticocloud.com/)). (CVE-2018-12123 / Matteo Collina) ### Commits @@ -3430,10 +3430,10 @@ Big thanks to @addaleax who prepared the vast majority of this release. [[`dc3f6b9ac1`](https://github.com/nodejs/node/commit/dc3f6b9ac1)] [#14235](https://github.com/nodejs/node/pull/14235) * `npm` Changelogs: - - [v5.0.4](https://github.com/npm/npm/releases/tag/v5.0.4) - - [v5.1.0](https://github.com/npm/npm/releases/tag/v5.1.0) - - [v5.2.0](https://github.com/npm/npm/releases/tag/v5.2.0) - - [v5.3.0](https://github.com/npm/npm/releases/tag/v5.3.0) + - [v5.0.4](https://github.com/npm/npm/releases/tag/v5.0.4) + - [v5.1.0](https://github.com/npm/npm/releases/tag/v5.1.0) + - [v5.2.0](https://github.com/npm/npm/releases/tag/v5.2.0) + - [v5.3.0](https://github.com/npm/npm/releases/tag/v5.3.0) ### Commits diff --git a/doc/guides/adding-new-napi-api.md b/doc/guides/adding-new-napi-api.md index aad0e6ba7ab9ca..dc8d9dda233f31 100644 --- a/doc/guides/adding-new-napi-api.md +++ b/doc/guides/adding-new-napi-api.md 
@@ -6,16 +6,16 @@ a set of principles and guidelines to keep in mind while adding a new N-API API. * A new API **must** adhere to N-API API shape and spirit. - * **Must** be a C API. - * **Must** not throw exceptions. - * **Must** return `napi_status`. - * **Should** consume `napi_env`. - * **Must** operate only on primitive data types, pointers to primitive - datatypes or opaque handles. - * **Must** be a necessary API and not a nice to have. Convenience APIs - belong in node-addon-api. - * **Must** not change the signature of an existing N-API API or break - ABI compatibility with other versions of Node.js. + * **Must** be a C API. + * **Must** not throw exceptions. + * **Must** return `napi_status`. + * **Should** consume `napi_env`. + * **Must** operate only on primitive data types, pointers to primitive + datatypes or opaque handles. + * **Must** be a necessary API and not a nice to have. Convenience APIs + belong in node-addon-api. + * **Must** not change the signature of an existing N-API API or break + ABI compatibility with other versions of Node.js. * New API **should** be agnostic towards the underlying JavaScript VM. * New API PRs **must** have a corresponding documentation update. * New API PRs **must** be tagged as **n-api**. 
@@ -31,19 +31,19 @@ N-API API. * A new API **must** be considered experimental for at least one minor version release of Node.js before it can be considered for promotion out of experimental. - * Experimental APIs **must** be documented as such. - * Experimental APIs **must** require an explicit compile-time flag - (`#define`) to be set to opt-in. - * Experimental APIs **must** be considered for backport. - * Experimental status exit criteria **must** involve at least the - following: - * A new PR **must** be opened in `nodejs/node` to remove experimental - status. This PR **must** be tagged as **n-api** and **semver-minor**. - * Exiting an API from experimental **must** be signed off by the team. - * If a backport is merited, an API **must** have a down-level - implementation. - * The API **should** be used by a published real-world module. Use of - the API by a real-world published module will contribute favorably - to the decision to take an API out of experimental status. - * The API **must** be implemented in a Node.js implementation with an - alternate VM. + * Experimental APIs **must** be documented as such. + * Experimental APIs **must** require an explicit compile-time flag + (`#define`) to be set to opt-in. + * Experimental APIs **must** be considered for backport. + * Experimental status exit criteria **must** involve at least the + following: + * A new PR **must** be opened in `nodejs/node` to remove experimental + status. This PR **must** be tagged as **n-api** and **semver-minor**. + * Exiting an API from experimental **must** be signed off by the team. + * If a backport is merited, an API **must** have a down-level + implementation. + * The API **should** be used by a published real-world module. Use of + the API by a real-world published module will contribute favorably + to the decision to take an API out of experimental status. + * The API **must** be implemented in a Node.js implementation with an + alternate VM. 
diff --git a/doc/guides/diagnostic-tooling-support-tiers.md b/doc/guides/diagnostic-tooling-support-tiers.md index 1368cdd666048e..62bca48e1b7af7 100644 --- a/doc/guides/diagnostic-tooling-support-tiers.md +++ b/doc/guides/diagnostic-tooling-support-tiers.md @@ -18,16 +18,16 @@ the following tiers. early warning of potential issues. No commit to the current and LTS release branches should break this tool/API if the next major release is within 1 month. In addition: - * The maintainers of the tool must remain responsive when there - are problems; - * The tool must be actively used by the ecosystem; - * The tool must be heavily depended on; - * The tool must have a guide or other documentation in the Node.js GitHub - organization or website; - * The tool must be working on all supported platforms; - * The tool must only be using APIs exposed by Nodejs as opposed to - its dependencies; and - * The tool must be open source. + * The maintainers of the tool must remain responsive when there + are problems; + * The tool must be actively used by the ecosystem; + * The tool must be heavily depended on; + * The tool must have a guide or other documentation in the Node.js GitHub + organization or website; + * The tool must be working on all supported platforms; + * The tool must only be using APIs exposed by Nodejs as opposed to + its dependencies; and + * The tool must be open source. * Tier 2 - Must be working(CI tests passing) for all LTS releases. An LTS release will not be shipped if the test 
@@ -35,13 +35,13 @@ the following tiers. in this tier it must have a good test suite and that test suite and a job must exist in the Node.js CI so that it can be run as part of the release process. In addition: - * The maintainers of the tool must remain responsive when - there are problems; - * The tool must be actively used by the ecosystem; - * The tool must be heavily depended on; - * The tool must have a guide or other documentation in the Node.js GitHub - organization or website; - * The tool must be open source. + * The maintainers of the tool must remain responsive when + there are problems; + * The tool must be actively used by the ecosystem; + * The tool must be heavily depended on; + * The tool must have a guide or other documentation in the Node.js GitHub + organization or website; + * The tool must be open source. * Tier 3 - If possible its test suite will be run at least nightly in the Node.js CI and issues opened for diff --git a/doc/offboarding.md b/doc/offboarding.md index 5b7a1e1231e8d7..3db892b0f3de3d 100644 --- a/doc/offboarding.md +++ b/doc/offboarding.md @@ -10,7 +10,7 @@ Emeritus or leaves the project. moving to Collaborator Emeritus. * Determine what GitHub teams the Collaborator belongs to. In consultation with the Collaborator, determine which of those teams they should be removed from. - * Some teams may also require a pull request to remove the Collaborator from - a team listing. For example, if someone is removed from @nodejs/build, - they should also be removed from the Build WG README.md file in the - https://github.com/nodejs/build repository. + * Some teams may also require a pull request to remove the Collaborator from + a team listing. For example, if someone is removed from @nodejs/build, + they should also be removed from the Build WG README.md file in the + https://github.com/nodejs/build repository.
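Review bot: every `-`/`+` pair in the notable-changes hunk that runs from `update V8 to 7.4.288.13` through `make “bare” constants un-enumerable` (the one ending just before `### Semver-Major Commits`) is textually identical apart from indentation, so please review this hunk with a whitespace-insensitive diff (`git diff -w` should report nothing for it) to confirm that no entry, author credit or PR link under **fs**, **http**, **tls** or **util** was dropped or reordered; the rendered nesting of those sub-bullets is the only thing that should change.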
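Review bot: the three re-indented entries under **http** in the CHANGELOG_V6.md `-191,9 +191,9` hunk are the published advisory texts for CVE-2018-12121, CVE-2018-12122 and CVE-2018-12116, which external advisories link to; check a rendered preview that they still appear as sub-bullets of **http** and that the `--security-revert=CVE-2018-12116` instruction and the `\u0021` - `\u00ff` range survive unchanged, since an indentation-only edit to an advisory section can only regress by changing how it renders.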
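Review bot: the CHANGELOG_V8.md `-287,9 +287,9` hunk re-indents the same CVE-2018-12121 / CVE-2018-12122 / CVE-2018-12116 entries under **http** that also appear in the CHANGELOG_V6.md changelog; besides checking the rendered nesting, confirm that this section of the two files stays byte-identical after the change so that future backport comparisons between the release lines remain clean.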
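Review bot: in the CHANGELOG_V6.md `-2826,14 +2826,14` hunk the second-level items under **deps** and **repl** use `-` markers (`- - *npm*: upgrade npm to 3.10.10`) while the first level uses `*`; the re-indent itself is fine, but mixed list markers are the case list-indentation linters most often measure differently, so please confirm the lint rule motivating this PR passes on these `-` nested lines and not only on the `*`-nested files.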
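Review bot: the CHANGELOG_V6.md `-3162,10 +3162,10` hunk contains a third nesting level, the `cherry-pick 3c39bac from V8 upstream` and `cherry pick 7166503 from upstream v8` items under `*V8*: Various fixes to destructuring edge cases`; verify in a rendered preview that after re-indentation these remain children of the *V8* item rather than becoming siblings of the *npm* entry, because a one-level shift here changes the meaning of the list and is invisible when the diff is viewed with whitespace collapsed.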
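Review bot: the adding-new-napi-api.md `-31,19 +31,19` hunk has a third-level list (from `A new PR **must** be opened in nodejs/node to remove experimental status` through `implemented in a Node.js implementation with an alternate VM`) under `Experimental status exit criteria **must** involve at least the following:`; check a rendered preview that those items stay one level below that parent, since the guide's meaning depends on them reading as the exit criteria and not as additional top-level requirements for experimental APIs.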
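Review bot: the re-indented `+` line `The tool must only be using APIs exposed by Nodejs as opposed to` in the diagnostic-tooling-support-tiers.md `-18,16 +18,16` hunk carries over the spelling `Nodejs` where the rest of the guide writes `Node.js`; since this PR is meant to be whitespace-only, leave the wording untouched here and handle it in a separate follow-up commit rather than mixing a text change into the indentation diff.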