Age | Commit message (Collapse) | Author |
|
|
|
PR-URL: https://github.com/nodejs/node/pull/44758
Reviewed-By: Ruy Adorno <ruyadorno@google.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Tierney Cyren <hello@bnb.im>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
This updates the deprecation, DEP0164, to clarify its scope.
Previously, `process.exitCode` wasn't mentioned but it needs
to be applied with the same deprecation because its meaning
is the same as the `code` value and it's overridden with the
`code` value in `process.exit()`.
Signed-off-by: Daeyeon Jeong <daeyeon.dev@gmail.com>
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/44714
Refs: https://github.com/nodejs/node/pull/44712
Refs: https://github.com/nodejs/node/pull/43738
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
This is a security release.
Notable changes:
* crypto: fix weak randomness in WebCrypto keygen (Ben Noordhuis) https://github.com/nodejs-private/node-private/pull/346
* deps: MacOS - fix location of OpenSSL config file (Michael Dawson) https://github.com/nodejs-private/node-private/pull/345
* http: disable chunked encoding when OBS fold is used (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/341
* src: fix IPv4 non routable validation (RafaelGSS) https://github.com/nodejs-private/node-private/pull/337
PR-URL: https://github.com/nodejs-private/node-private/pull/350
|
|
This is a security release.
Notable changes:
crypto:
* fix weak randomness in WebCrypto keygen (Ben Noordhuis) https://github.com/nodejs-private/node-private/pull/346
http:
* disable chunked encoding when OBS fold is used (Paolo Insogna) https://github.com/nodejs-private/node-private/pull/341
src:
* fix IPv4 non routable validation (RafaelGSS) https://github.com/nodejs-private/node-private/pull/337
PR-URL: https://github.com/nodejs-private/node-private/pull/352
|
|
This is a security release.
Notable changes:
The following CVEs are fixed in this release:
* CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
* CVE-2022-32213: bypass via obs-fold mechanic (Medium)
* CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/348
|
|
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Vladimir de Turckheim <vlad2t@hotmail.com>
PR-URL: #341
CVE-ID: CVE-2022-32213, CVE-2022-32215, CVE-2022-35256
|
|
Commit dae283d96f from August 2020 introduced a call to EntropySource()
in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There
are two problems with that:
1. It does not check the return value, it assumes EntropySource() always
succeeds, but it can (and sometimes will) fail.
2. The random data returned by EntropySource() may not be
cryptographically strong and therefore not suitable as keying
material.
An example is a freshly booted system or a system without /dev/random or
getrandom(2).
EntropySource() calls out to openssl's RAND_poll() and RAND_bytes() in a
best-effort attempt to obtain random data. OpenSSL has a built-in CSPRNG
but that can fail to initialize, in which case it's possible either:
1. No random data gets written to the output buffer, i.e., the output is
unmodified, or
2. Weak random data is written. It's theoretically possible for the
output to be fully predictable because the CSPRNG starts from a
predictable state.
Replace EntropySource() and CheckEntropy() with new function CSPRNG()
that enforces checking of the return value. Abort on startup when the
entropy pool fails to initialize because that makes it too easy to
compromise the security of the process.
Refs: https://hackerone.com/bugs?report_id=1690000
Refs: https://github.com/nodejs/node/pull/35093
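
The unchecked-return problem described in this commit message, as an added C++ illustration that is not the Node.js patch or code from the project. `RandomSource`, `FailingSource`, `UrandomSource` and both key-generation functions are hypothetical stand-ins for a `RAND_bytes()`-style call, and the failing source is constructed to leave the buffer untouched.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical stand-in for a RAND_bytes()-style call: returns 1 on success;
// on any other value the output buffer may be left untouched.
using RandomSource = int (*)(unsigned char* out, std::size_t len);

// Constructed failure case: generator not initialised, buffer unmodified.
int FailingSource(unsigned char*, std::size_t) { return 0; }

// Working source for the demo: the kernel CSPRNG read through /dev/urandom.
int UrandomSource(unsigned char* out, std::size_t len) {
  std::FILE* f = std::fopen("/dev/urandom", "rb");
  if (f == nullptr) return 0;
  std::size_t got = std::fread(out, 1, len, f);
  std::fclose(f);
  return got == len ? 1 : 0;
}

// Problem 1 from the commit message: the return value is ignored, so on
// failure the caller keeps whatever was in the buffer and uses it as a key.
void UncheckedKeyGen(unsigned char* key, std::size_t len, RandomSource src) {
  src(key, len);
}

// Checked form: failure is reported, partial output is wiped, and
// [[nodiscard]] makes the compiler warn if a caller drops the result.
[[nodiscard]] bool CheckedKeyGen(unsigned char* key, std::size_t len,
                                 RandomSource src) {
  if (src(key, len) == 1) return true;
  std::memset(key, 0, len);
  return false;
}

bool AllZero(const unsigned char* p, std::size_t len) {
  unsigned char acc = 0;
  for (std::size_t i = 0; i < len; i++) acc |= p[i];
  return acc == 0;
}

int main() {
  unsigned char key[32] = {0};
  UncheckedKeyGen(key, sizeof(key), FailingSource);
  std::printf("unchecked, failing source: all-zero key = %d\n",
              AllZero(key, sizeof(key)));
  if (!CheckedKeyGen(key, sizeof(key), FailingSource))
    std::printf("checked, failing source: refused to produce a key\n");
  if (!CheckedKeyGen(key, sizeof(key), UrandomSource)) {
    std::fprintf(stderr, "no usable entropy source, aborting\n");
    return 1;
  }
  std::printf("checked, working source: key generated\n");
  return 0;
}
```

The second problem in the message, weak output from a generator that reports success, cannot be detected from the bytes themselves, which is why the commit aborts at startup when the entropy pool fails to initialize.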
|
|
- Restore the location where the OpenSSL config file is
loaded by default on MacOS back to where it was on earlier versions
- Remove warnings about OPENSSLDIR being multiply defined
Signed-off-by: Michael Dawson <mdawson@devrus.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/345
CVE-ID: CVE-2022-32222
|
|
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/337
CVE-ID: CVE-2022-32212, CVE-2018-7160
|
|
- updated based on decision to use node: prefix in
https://github.com/nodejs/TSC/pull/1206
- updated based on agreement in TSC meeting
on adding /promises to existing modules as per
minutes - https://github.com/nodejs/TSC/pull/1281
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/44576
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
|
|
PR-URL: https://github.com/nodejs/node/pull/44687
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
In order to meet the specification, this includes mainly the following:
- Adding the 'release steps' to ReadableStreamController
- Responding to a pull request from a released reader in
ReadableByteStreamController
Signed-off-by: Daeyeon Jeong <daeyeon.dev@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/44702
Refs: https://streams.spec.whatwg.org/#abstract-opdef-readablebytestreamcontroller-releasesteps
Refs: https://streams.spec.whatwg.org/#readable-byte-stream-controller-respond-in-readable-state
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Minwoo Jung <nodecorelab@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44748
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
openssl/provider.h header is not part of OpenSSL 1.1.1 so do not
include it when building with an older instance.
Fixes: https://github.com/nodejs/node/issues/44722
PR-URL: https://github.com/nodejs/node/pull/44725
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
PR-URL: https://github.com/nodejs/node/pull/41212
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44733
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>
|
|
This allows the misc/startup benchmark to run again
after the renaming of the C++ `native_module` to `builtins`
PR-URL: https://github.com/nodejs/node/pull/44727
Refs: https://github.com/nodejs/node/pull/44135
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
|
|
Add missing examples for webstreams consumers
Doc URL: https://nodejs.org/api/webstreams.html#streamconsumerstextstream
PR-URL: https://github.com/nodejs/node/pull/44387
Reviewed-By: Erick Wendel <erick.workspace@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
|
|
Fix multiple instances of those uncovered while running the tests on
debug builds.
Fixes: https://github.com/nodejs/node-v8/issues/227
PR-URL: https://github.com/nodejs/node/pull/44669
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44723
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44210
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44691
Reviewed-By: Danielle Adams <adamzdanielle@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44734
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Deprecation should reference a valid deprecation code.
PR-URL: https://github.com/nodejs/node/pull/44624
Refs: https://github.com/nodejs/node/pull/36510
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44621
Fixes: https://github.com/nodejs/node/issues/44655
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44701
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
This updates dnlup's name to their preferred email per their last pull
request.
This will also prevent duplicate entries for dnlup when the
update-authors job runs.
It also moves one unrelated line in .mailmap so that all lines are
sorted in lexical order.
PR-URL: https://github.com/nodejs/node/pull/44716
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Darshan Sen <raisinten@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
PR-URL: https://github.com/nodejs/node/pull/44652
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
Co-authored-by: Tobias Nießen <tniessen@tnie.de>
Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44705
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
The file does not use sysconf() and its use of gethostname() has been
removed, so including <unistd.h> appears to be unnecessary.
PR-URL: https://github.com/nodejs/node/pull/44668
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Refs: https://github.com/nodejs/node/pull/44619
Co-authored-by: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/44622
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44537
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44704
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
Prefer tagged versions over the latest commit on the development branch,
and a few other minor improvements.
PR-URL: https://github.com/nodejs/node/pull/44619
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44378
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44667
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44665
Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
PR-URL: https://github.com/nodejs/node/pull/44632
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
`CryptoKey` is already available on the global object.
PR-URL: https://github.com/nodejs/node/pull/42083
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
|
Enables `--experimental-global-webcrypto` by default, and ensures that
the classic `node:crypto` core module is still available in `--eval` or
`--print` contexts.
PR-URL: https://github.com/nodejs/node/pull/42083
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44635
Reviewed-By: Kohei Ueno <kohei.ueno119@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: LiviaMedeiros <livia@cirno.name>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44625
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
|
|
There are two lists of MODP groups, one of which is redundant and does
not mark weak groups as deprecated. Remove said list and refer readers
to the first list instead.
Refs: https://github.com/nodejs/node/pull/43986
Refs: https://github.com/nodejs/node/pull/44588
PR-URL: https://github.com/nodejs/node/pull/44644
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Refs: https://github.com/nodejs/node/issues/42949
Looking at the documentation for setTimeout
(https://nodejs.org/api/timers.html#settimeoutcallback-delay-args)
there is no guarantee that setTimeout won't complete early.
From the failure of https://github.com/nodejs/node/issues/42949 this
is likely what happened.
I have updated the assert.ok test to allow some variation in
the test.
PR-URL: https://github.com/nodejs/node/pull/44637
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Akhil Marsonya <akhil.marsonya27@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
|
Refs: https://github.com/nodejs/TSC/issues/1282
Signed-off-by: Michael Dawson <mdawson@devrus.com>
PR-URL: https://github.com/nodejs/node/pull/44662
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/44664
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
|
|
Fixes: https://github.com/nodejs/node/issues/43134
PR-URL: https://github.com/nodejs/node/pull/43988
Reviewed-By: Steven R Loomis <srloomis@us.ibm.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/42686
Refs: https://coverage.nodejs.org/coverage-a0461255c05c79cf/lib/readline.js.html#L105
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
|
|
Retrospectively document the changes history of the `inspector.close`
API.
PR-URL: https://github.com/nodejs/node/pull/44628
Refs: https://github.com/nodejs/node/pull/44489
Refs: https://github.com/nodejs/node/pull/13228
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com>
Reviewed-By: Kohei Ueno <kohei.ueno119@gmail.com>
|