Age | Commit message | Author |
|
Notable changes:
* crypto:
* add support for chacha20-poly1305 for AEAD (chux0519)
https://github.com/nodejs/node/pull/24081
* increase maxmem range from 32 to 53 bits (Tobias Nießen)
https://github.com/nodejs/node/pull/28799
* deps:
* update npm to 6.11.3 (claudiahdz)
https://github.com/nodejs/node/pull/29430
* upgrade openssl sources to 1.1.1d (Sam Roberts)
https://github.com/nodejs/node/pull/29921
* dns:
* remove dns.promises experimental warning (cjihrig)
https://github.com/nodejs/node/pull/26592
* fs:
* remove experimental warning for fs.promises (Anna Henningsen)
https://github.com/nodejs/node/pull/26581
* http:
* makes response.writeHead return the response (Mark S. Everitt)
https://github.com/nodejs/node/pull/25974
* http2:
* makes response.writeHead return the response (Mark S. Everitt)
https://github.com/nodejs/node/pull/25974
* n-api:
* make func argument of napi_create_threadsafe_function optional
(legendecas)
https://github.com/nodejs/node/pull/27791
* mark version 5 N-APIs as stable (Gabriel Schulhof)
https://github.com/nodejs/node/pull/29401
* implement date object (Jarrod Connolly)
https://github.com/nodejs/node/pull/25917
* process:
* add --unhandled-rejections flag (Ruben Bridgewater)
https://github.com/nodejs/node/pull/26599
* stream:
* implement Readable.from async iterator utility (Guy Bedford)
https://github.com/nodejs/node/pull/27660
* make Symbol.asyncIterator support stable (Matteo Collina)
https://github.com/nodejs/node/pull/26989
PR-URL: https://github.com/nodejs/node/pull/29875
|
|
OpenSSL supports AEAD_CHACHA20_POLY1305 (RFC 7539) since 1.1.
PR-URL: https://github.com/nodejs/node/pull/24081
Fixes: https://github.com/nodejs/node/issues/24080
Refs: https://tools.ietf.org/html/rfc7539
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
|
|
PR-URL: https://github.com/nodejs/node/pull/29430
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
|
|
BUGFIXES
* [`27cccfbda`](https://github.com/npm/cli/commit/27cccfbdac8526cc807b07f416355949b1372a9b)
[#223](https://github.com/npm/cli/pull/223) vulns → vulnerabilities in
npm audit output ([@sapegin](https://github.com/sapegin))
* [`d5e865eb7`](https://github.com/npm/cli/commit/d5e865eb79329665a927cc2767b4395c03045dbb)
[#222](https://github.com/npm/cli/pull/222)
[#226](https://github.com/npm/cli/pull/226) install, doctor: don't crash
if registry unset ([@dmitrydvorkin](https://github.com/dmitrydvorkin),
[@isaacs](https://github.com/isaacs))
* [`5b3890226`](https://github.com/npm/cli/commit/5b389022652abeb0e1c278a152550eb95bc6c452)
[#227](https://github.com/npm/cli/pull/227)
[npm.community#9167](https://npm.community/t/npm-err-cb-never-called-permission-denied/9167/5)
Handle unhandledRejections, tell user what to do when encountering an
`EACCES` error in the cache. ([@isaacs](https://github.com/isaacs))
DEPENDENCIES
* [`77516df6e`](https://github.com/npm/cli/commit/77516df6eac94a6d7acb5e9ca06feaa0868d779b)
`licensee@7.0.3` ([@isaacs](https://github.com/isaacs))
* [`ceb993590`](https://github.com/npm/cli/commit/ceb993590e4e376a9a78264ce7bb4327fbbb37fe)
`query-string@6.8.2` ([@isaacs](https://github.com/isaacs))
* [`4050b9189`](https://github.com/npm/cli/commit/4050b91898c60e9b22998cf82b70b9b822de592a)
`hosted-git-info@2.8.2`
* [#46](https://github.com/npm/hosted-git-info/issues/46)
[#43](https://github.com/npm/hosted-git-info/issues/43)
[#47](https://github.com/npm/hosted-git-info/pull/47)
[#44](https://github.com/npm/hosted-git-info/pull/44) Add support for
GitLab subgroups ([@mterrel](https://github.com/mterrel),
[@isaacs](https://github.com/isaacs),
[@ybiquitous](https://github.com/ybiquitous))
* [`3b1d629`](https://github.com/npm/hosted-git-info/commit/3b1d629)
[#48](https://github.com/npm/hosted-git-info/issues/48) fix http
protocol using sshurl by default
([@fengmk2](https://github.com/fengmk2))
* [`5d4a8d7`](https://github.com/npm/hosted-git-info/commit/5d4a8d7)
ignore noCommittish on tarball url generation
([@isaacs](https://github.com/isaacs))
* [`1692435`](https://github.com/npm/hosted-git-info/commit/1692435)
use gist tarball url that works for anonymous gists
([@isaacs](https://github.com/isaacs))
* [`d5cf830`](https://github.com/npm/hosted-git-info/commit/d5cf8309be7af884032616c63ea302ce49dd321c)
Do not allow invalid gist urls ([@isaacs](https://github.com/isaacs))
* [`e518222`](https://github.com/npm/hosted-git-info/commit/e5182224351183ce619dd5ef00019ae700ed37b7)
Use LRU cache to prevent unbounded memory consumption
([@iarna](https://github.com/iarna))
PR-URL: https://github.com/nodejs/node/pull/29023
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/28853
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/28525
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: Jiawen Geng <technicalcute@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com>
|
|
EVP_PKEY_CTX_set_rsa_keygen_pubexp() accepts ownership of the exponent
on success, so do not free it.
Fixes: https://github.com/nodejs/node/issues/27087
Fixes: https://github.com/nodejs/node/issues/29433
PR-URL: https://github.com/nodejs/node/pull/27092
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26592
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26592
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26592
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26989
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/26989
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Masashi Hirano <shisama07@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
|
|
Refs: https://github.com/nodejs/node/pull/23804
PR-URL: https://github.com/nodejs/node/pull/23826
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Matheus Marchini <mat@mmarchini.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
Using the non-indexed variant of `std::get<>` broke Travis CI.
Also, this allows us to be a bit more concise when returning
from `SignFinal()` due to some error condition.
Refs: https://github.com/nodejs/node/pull/23427
PR-URL: https://github.com/nodejs/node/pull/23779
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/29506
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/29502
Refs: https://github.com/nodejs/node/issues/445
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/28524
Fixes: https://github.com/nodejs/node/issues/27934
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
|
|
If there’s a lot of data waiting on a given stream, send
it out early, if possible. This helps trigger the backpressure
mechanism introduced in 8a4a1931b8b98 at a better time.
PR-URL: https://github.com/nodejs/node/pull/29398
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
This is an approach to address the issue linked below. Previously,
when `.write()` and `.flush()` calls to a zlib stream were interleaved
synchronously (i.e. without waiting for these operations to finish),
multiple flush calls would have been coalesced into a single flushing
operation.
This patch changes behaviour so that each `.flush()` call corresponds
to one flushing operation on the underlying zlib resource, and the
order of operations is as if the `.flush()` call were a `.write()`
call.
One test had to be removed because it specifically tested the previous
behaviour.
As a drive-by fix, this also makes sure that all flush callbacks are
called. Previously, that was not the case.
Fixes: https://github.com/nodejs/node/issues/28478
PR-URL: https://github.com/nodejs/node/pull/28520
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/27660
Reviewed-By: Gus Caplan <me@gus.host>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
OpenSSL dlloads itself to prevent unloading, in case it might be
dynamically loaded. However, when linked statically this will lead to
dlloading the main executable.
Refs: https://github.com/nodejs/node/pull/21848#issuecomment-498396551
Fixes: https://github.com/nodejs/node/issues/29992
Backport-PR-URL: https://github.com/nodejs/node/pull/30005
PR-URL: https://github.com/nodejs/node/pull/28045
Fixes: https://github.com/nodejs/node/issues/27925
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
This has been warning for long enough, without any API changes
in the last few months.
PR-URL: https://github.com/nodejs/node/pull/26581
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anto Aravinth <anto.aravinth.cse@gmail.com>
Reviewed-By: Yongsheng Zhang <zyszys98@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
While it is not entirely clear why this condition is being
triggered, it does resolve a reported bug.
Fixes: https://github.com/nodejs/node/issues/26315
Backport-PR-URL: https://github.com/nodejs/node/pull/29968
PR-URL: https://github.com/nodejs/node/pull/29912
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used
to be considered unsafe. See below for discussion. This is considered a
bug fix.
See:
- https://github.com/openssl/openssl/pull/9363
- https://github.com/openssl/openssl/pull/9363#discussion_r324802618
PR-URL: https://github.com/nodejs/node/pull/29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
After an OpenSSL source update, all the config files need to be regenerated and
committed by:
$ cd deps/openssl/config
$ make
$ git add deps/openssl/config/archs
$ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
$ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
$ git add deps/openssl/openssl/include/openssl/opensslconf.h
$ git commit
PR-URL: https://github.com/nodejs/node/pull/29921
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
|
|
This updates all sources in deps/openssl/openssl by:
$ cd deps/openssl/
$ rm -rf openssl
$ tar zxf ~/tmp/openssl-1.1.1d.tar.gz
$ mv openssl-1.1.1d openssl
$ git add --all openssl
$ git commit openssl
PR-URL: https://github.com/nodejs/node/pull/29921
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
|
|
This adds a missing return value for the worker specific fatal
exception handler.
PR-URL: https://github.com/nodejs/node/pull/29036
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
|
|
This adds a flag to define the default behavior for unhandled
rejections. Three modes exist: `none`, `warn` and `strict`. The first
is going to silence all unhandled rejection warnings. The second
behaves identically to the current default with the exception that no
deprecation warning will be printed and the last is going to throw
an error for each unhandled rejection, just as regular exceptions do.
It is possible to intercept those with the `uncaughtException` hook
as with all other exceptions as well.
This PR has no influence on the existing `unhandledRejection` hook.
If that is used, it will continue to function as before.
PR-URL: https://github.com/nodejs/node/pull/26599
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Matheus Marchini <mat@mmarchini.me>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/28827
Fixes: https://github.com/nodejs/node/issues/28758
Refs: https://github.com/nodejs/node/pull/26821
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
|
|
Add documentation for tls.DEFAULT_MAX_VERSION and
tls.DEFAULT_MIN_VERSION, which existed in v10.6.0.
Fixes: https://github.com/nodejs/node/issues/28758
Refs: https://github.com/nodejs/node/pull/26821
PR-URL: https://github.com/nodejs/node/pull/28827
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
|
|
When CMD is used to launch a process and CMD is killed too quickly,
the process can stay behind running in suspended state, never
completing. This only happens in Windows Server 2008R2.
Refs: https://github.com/nodejs/build/issues/1829
PR-URL: https://github.com/nodejs/node/pull/28723
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
|
Fixes: https://github.com/nodejs/node/issues/25935
PR-URL: https://github.com/nodejs/node/pull/25974
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Fixes: https://github.com/nodejs/node/issues/25935
PR-URL: https://github.com/nodejs/node/pull/25974
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
TLSWrap::DoWrite() now concatenates data chunks and makes a single
call to SSL_write(). Grouping data into a single segment:
- reduces network overhead: by factors of even 2 or 3 in usages
like `http2` or `form-data`
- improves security: segment lengths can reveal lots of info, i.e.
with `form-data`, how many fields are sent and the approximate length
of every individual field and its headers
- reduces encryption overhead: a quick benchmark showed a ~30% CPU time
decrease for an extreme case, see
https://github.com/nodejs/node/issues/27573#issuecomment-493787867
Fixes: https://github.com/nodejs/node/issues/27573
Backport-PR-URL: https://github.com/nodejs/node/pull/28904
PR-URL: https://github.com/nodejs/node/pull/27861
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
Backport-PR-URL: https://github.com/nodejs/node/pull/28904
PR-URL: https://github.com/nodejs/node/pull/28903
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
Correct docs to clarify that behaviour,
and fix a race condition in test-http2-large-write-destroy.js.
Fixes: https://github.com/nodejs/node/issues/27863
Backport-PR-URL: https://github.com/nodejs/node/pull/28904
PR-URL: https://github.com/nodejs/node/pull/27891
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
It is not needed, and causes an unnecessary runtime dependency with some
linkers, such as devtoolset-6 on centos7-ppc64le.
See: https://github.com/nodejs/node/issues/29718
PR-URL: https://github.com/nodejs/node/pull/29729
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: David Carlier <devnexen@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/29461
Backport-PR-URL: https://github.com/nodejs/node/pull/29643
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Don’t start reading more input data if we’re still busy writing output.
This was overlooked in 8a4a1931b8b98.
Fixes: https://github.com/nodejs/node/issues/29353
Fixes: https://github.com/nodejs/node/issues/29393
PR-URL: https://github.com/nodejs/node/pull/29399
Backport-PR-URL: https://github.com/nodejs/node/pull/29619
Reviewed-By: David Carlier <devnexen@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
|
|
Do not crash when the session is no longer available.
Fixes: https://github.com/nodejs/node/issues/29457
PR-URL: https://github.com/nodejs/node/pull/29459
Backport-PR-URL: https://github.com/nodejs/node/pull/29619
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Minwoo Jung <minwoo@nodesource.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/29401
Backport-PR-URL: https://github.com/nodejs/node/pull/29458
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
|
|
Fixes: https://github.com/nodejs/node/issues/28755
Backport-PR-URL: https://github.com/nodejs/node/pull/29316
PR-URL: https://github.com/nodejs/node/pull/28799
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
Remove (SEMVER-MINOR) label from patch commit. Add link to table.
Refs: https://github.com/nodejs/node/pull/26990
PR-URL: https://github.com/nodejs/node/pull/29159
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
|
|
Minor cleanup in the lifetime for the platform worker initialization
synchronization barrier.
PR-URL: https://github.com/nodejs/node/pull/23419
Backport-PR-URL: https://github.com/nodejs/node/pull/28844
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/27791
Backport-PR-URL: https://github.com/nodejs/node/pull/28399
Refs: https://github.com/nodejs/node/issues/27592
Reviewed-By: Gabriel Schulhof <gabriel.schulhof@intel.com>
|
|
Implements `napi_create_date()` as well as `napi_is_date()` to
allow working with JavaScript Date objects.
Backport-PR-URL: https://github.com/nodejs/node/pull/28298
PR-URL: https://github.com/nodejs/node/pull/25917
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
PR-URL: https://github.com/nodejs/node/pull/29148
|
|
This is a security release.
Notable changes:
Node.js, as well as many other implementations of HTTP/2, have been
found vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
* CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of
data from a specified resource over multiple streams. They manipulate
window size and stream priority to force the server to queue the data
in 1-byte chunks. Depending on how efficiently this data is queued,
this can consume excess CPU, memory, or both, potentially leading to a
denial of service.
* CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an
HTTP/2 peer, causing the peer to build an internal queue of responses.
Depending on how efficiently this data is queued, this can consume
excess CPU, memory, or both, potentially leading to a denial of
service.
* CVE-2019-9513 “Resource Loop”: The attacker creates multiple request
streams and continually shuffles the priority of the streams in a way
that causes substantial churn to the priority tree. This can consume
excess CPU, potentially leading to a denial of service.
* CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams
and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer
queues the RST_STREAM frames, this can consume excess memory, CPU, or
both, potentially leading to a denial of service.
* CVE-2019-9515 “Settings Flood”: The attacker sends a stream of
SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS
frame is almost equivalent in behavior to a ping. Depending on how
efficiently this data is queued, this can consume excess CPU, memory,
or both, potentially leading to a denial of service.
* CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of
headers with a 0-length header name and 0-length header value,
optionally Huffman encoded into 1-byte or greater headers. Some
implementations allocate memory for these headers and keep the
allocation alive until the session dies. This can consume excess
memory, potentially leading to a denial of service.
* CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2
window so the peer can send without constraint; however, they leave
the TCP window closed so the peer cannot actually write (many of) the
bytes on the wire. The attacker then sends a stream of requests for a
large response object. Depending on how the servers queue the
responses, this can consume excess memory, CPU, or both, potentially
leading to a denial of service.
* CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of
frames with an empty payload and without the end-of-stream flag. These
frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The
peer spends time processing each frame disproportionate to attack
bandwidth. This can consume excess CPU, potentially leading to a
denial of service. (Discovered by Piotr Sikora of Google)
PR-URL: https://github.com/nodejs/node/pull/29148
|
|
Refs: https://github.com/nodejs/node/pull/27914
Backport-PR-URL: https://github.com/nodejs/node/pull/29123
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|
|
nghttp2 has updated its limit for outstanding Ping/Settings ACKs
to 1000. This commit allows reverting to the old default of 10000.
The associated CVEs are CVE-2019-9512/CVE-2019-9515.
Backport-PR-URL: https://github.com/nodejs/node/pull/29123
PR-URL: https://github.com/nodejs/node/pull/29122
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
|