| Age | Commit message (Collapse) | Author |
|---|
|
Notable Changes:
Deprecations and Removals:
- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
`fs.writeFileSync`
(Livia Medeiros) (https://github.com/nodejs/node/pull/42607)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
options type coercion
(Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
(Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/41896)
- (SEMVER-MAJOR) stream: remove thenable support (Robert Nagy)
(https://github.com/nodejs/node/pull/40773)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
(Tobias Nießen) (https://github.com/nodejs/node/pull/41479)
fetch (experimental):
An experimental fetch API is available on the global scope by default.
The implementation is based upon https://undici.nodejs.org/#/,
an HTTP/1.1 client written for Node.js by contributors to the project.
Through this addition, the following globals are made available: `fetch`
, `FormData`, `Headers`, `Request`, `Response`.
Disable this API with the `--no-experimental-fetch` command-line flag.
Contributed by Michaël Zasso in https://github.com/nodejs/node/pull/41811.
HTTP Timeouts:
`server.headersTimeout`, which limits the amount of time the parser will
wait to receive the complete HTTP headers, is now set to `60000` (60
seconds) by default.
`server.requestTimeout`, which sets the timeout value in milliseconds
for receiving the entire request from the client, is now set to `300000`
(5 minutes) by default.
If these timeouts expire, the server responds with status 408 without
forwarding the request to the request listener and then closes the
connection.
Both timeouts must be set to a non-zero value to protect against
potential Denial-of-Service attacks in case the server is deployed
without a reverse proxy in front.
Contributed by Paolo Insogna in https://github.com/nodejs/node/pull/41263.
Test Runner module (experimental):
The `node:test` module facilitates the creation of JavaScript tests that
report results in TAP format. This module is only available under the
`node:` scheme.
Contributed by Colin Ihrig in https://github.com/nodejs/node/pull/42325.
Toolchain and Compiler Upgrades:
- Prebuilt binaries for Linux are now built on Red Hat Enterprise Linux
(RHEL) 8 and are compatible with Linux distributions based on glibc
2.28 or later, for example, Debian 10, RHEL 8, Ubuntu 20.04.
- Prebuilt binaries for macOS now require macOS 10.15 or later.
- For AIX the minimum supported architecture has been raised from Power
7 to Power 8.
Prebuilt binaries for 32-bit Windows will initially not be available due
to issues building the V8 dependency in Node.js. We hope to restore
32-bit Windows binaries for Node.js 18 with a future V8 update.
Node.js does not support running on operating systems that are no longer
supported by their vendor. For operating systems where their vendor has
planned to end support earlier than April 2025, such as Windows 8.1
(January 2023) and Windows Server 2012 R2 (October 2023), support for
Node.js 18 will end at the earlier date.
Full details about the supported toolchains and compilers are documented
in the Node.js `BUILDING.md` file.
Contributed by Richard Lau in https://github.com/nodejs/node/pull/42292,
https://github.com/nodejs/node/pull/42604 and https://github.com/nodejs/node/pull/42659
, and Michaël Zasso in https://github.com/nodejs/node/pull/42105 and
https://github.com/nodejs/node/pull/42666.
V8 10.1:
The V8 engine is updated to version 10.1, which is part of Chromium 101.
Compared to the version included in Node.js 17.9.0, the following new
features are included:
- The `findLast` and `findLastIndex` array methods.
- Improvements to the `Intl.Locale` API.
- The `Intl.supportedValuesOf` function.
- Improved performance of class fields and private class methods (the
initialization of them is now as fast as ordinary property stores).
The data format returned by the serialization API (`v8.serialize(value)`)
has changed, and cannot be deserialized by earlier versions of Node.js.
On the other hand, it is still possible to deserialize the previous
format, as the API is backwards-compatible.
Contributed by Michaël Zasso in https://github.com/nodejs/node/pull/42657.
Web Streams API (experimental):
Node.js now exposes the experimental implementation of the Web Streams
API on the global scope. This means the following APIs are now globally
available:
- `ReadableStream`, `ReadableStreamDefaultReader`,
`ReadableStreamBYOBReader`, `ReadableStreamBYOBRequest`,
`ReadableByteStreamController`, `ReadableStreamDefaultController`,
`TransformStream`, `TransformStreamDefaultController`, `WritableStream`,
`WritableStreamDefaultWriter`, `WritableStreamDefaultController`,
`ByteLengthQueuingStrategy`, `CountQueuingStrategy`, `TextEncoderStream`,
`TextDecoderStream`, `CompressionStream`, `DecompressionStream`.
Contributed James Snell in https://github.com/nodejs/node/pull/39062,
and Antoine du Hamel in https://github.com/nodejs/node/pull/42225.
Other Notable Changes:
- (SEMVER-MAJOR) buffer: expose Blob as a global
(James M Snell) (https://github.com/nodejs/node/pull/41270)
- (SEMVER-MAJOR) child\_process: improve argument validation
(Rich Trott) (https://github.com/nodejs/node/pull/41305)
- doc: add RafaelGSS to collaborators
(RafaelGSS) (https://github.com/nodejs/node/pull/42718)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
(Paolo Insogna) (https://github.com/nodejs/node/pull/42163)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
`family`
(Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
(James M Snell) (https://github.com/nodejs/node/pull/41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
(James M Snell) (https://github.com/nodejs/node/pull/41271)
Semver-Major Commits:
- (SEMVER-MAJOR) assert,util: compare RegExp.lastIndex while using deep
equal checks
(Ruben Bridgewater) (https://github.com/nodejs/node/pull/41020)
- (SEMVER-MAJOR) buffer: refactor `byteLength` to remove outdated
optimizations
(Rongjian Zhang) (https://github.com/nodejs/node/pull/38545)
- (SEMVER-MAJOR) buffer: expose Blob as a global
(James M Snell) (https://github.com/nodejs/node/pull/41270)
- (SEMVER-MAJOR) buffer: graduate Blob from experimental
(James M Snell) (https://github.com/nodejs/node/pull/41270)
- (SEMVER-MAJOR) build: make x86 Windows support temporarily
experimental
(Michaël Zasso) (https://github.com/nodejs/node/pull/42666)
- (SEMVER-MAJOR) build: bump macOS deployment target to 10.15
(Richard Lau) (https://github.com/nodejs/node/pull/42292)
- (SEMVER-MAJOR) build: downgrade Windows 8.1 and server 2012 R2 to
experimental
(Michaël Zasso) (https://github.com/nodejs/node/pull/42105)
- (SEMVER-MAJOR) child\_process: improve argument validation
(Rich Trott) (https://github.com/nodejs/node/pull/41305)
- (SEMVER-MAJOR) cluster: make `kill` to be just `process.kill`
(Bar Admoni) (https://github.com/nodejs/node/pull/34312)
- (SEMVER-MAJOR) crypto: cleanup validation
(Mohammed Keyvanzadeh) (https://github.com/nodejs/node/pull/39841)
- (SEMVER-MAJOR) crypto: prettify othername in PrintGeneralName
(Tobias Nießen) (https://github.com/nodejs/node/pull/42123)
- (SEMVER-MAJOR) crypto: fix X509Certificate toLegacyObject
(Tobias Nießen) (https://github.com/nodejs/node/pull/42124)
- (SEMVER-MAJOR) crypto: use RFC2253 format in PrintGeneralName
(Tobias Nießen) (https://github.com/nodejs/node/pull/42002)
- (SEMVER-MAJOR) crypto: change default check(Host|Email) behavior
(Tobias Nießen) (https://github.com/nodejs/node/pull/41600)
- (SEMVER-MAJOR) deps: V8: cherry-pick semver-major commits from 10.2
(Michaël Zasso) (https://github.com/nodejs/node/pull/42657)
- (SEMVER-MAJOR) deps: update V8 to 10.1.124.6
(Michaël Zasso) (https://github.com/nodejs/node/pull/42657)
- (SEMVER-MAJOR) deps: update V8 to 9.8.177.9
(Michaël Zasso) (https://github.com/nodejs/node/pull/41610)
- (SEMVER-MAJOR) deps: update V8 to 9.7.106.18
(Michaël Zasso) (https://github.com/nodejs/node/pull/40907)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
options type coercion
(Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) doc: update minimum glibc requirements for Linux
(Richard Lau) (https://github.com/nodejs/node/pull/42659)
- (SEMVER-MAJOR) doc: update AIX minimum supported arch
(Richard Lau) (https://github.com/nodejs/node/pull/42604)
- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
`fs.writeFileSync`
(Livia Medeiros) (https://github.com/nodejs/node/pull/42607)
- (SEMVER-MAJOR) http: refactor headersTimeout and requestTimeout logic
(Paolo Insogna) (https://github.com/nodejs/node/pull/41263)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
(Paolo Insogna) (https://github.com/nodejs/node/pull/42163)
- (SEMVER-MAJOR) lib: enable fetch by default
(Michaël Zasso) (https://github.com/nodejs/node/pull/41811)
- (SEMVER-MAJOR) lib: replace validator and error
(Mohammed Keyvanzadeh) (https://github.com/nodejs/node/pull/41678)
- (SEMVER-MAJOR) module,repl: support 'node:'-only core modules
(Colin Ihrig) (https://github.com/nodejs/node/pull/42325)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
`family`
(Antoine du Hamel) (https://github.com/nodejs/node/pull/41431)
- (SEMVER-MAJOR) process: disallow some uses of Object.defineProperty()
on process.env
(Himself65) (https://github.com/nodejs/node/pull/28006)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
(Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/41896)
- (SEMVER-MAJOR) readline: fix question still called after closed
(Xuguang Mei) (https://github.com/nodejs/node/pull/42464)
- (SEMVER-MAJOR) stream: remove thenable support
(Robert Nagy) (https://github.com/nodejs/node/pull/40773)
- (SEMVER-MAJOR) stream: expose web streams globals, remove runtime
experimental warning
(Antoine du Hamel) (https://github.com/nodejs/node/pull/42225)
- (SEMVER-MAJOR) stream: need to cleanup event listeners if last stream
is readable
(Xuguang Mei) (https://github.com/nodejs/node/pull/41954)
- (SEMVER-MAJOR) stream: revert revert `map` spec compliance
(Benjamin Gruenbaum) (https://github.com/nodejs/node/pull/41933)
- (SEMVER-MAJOR) stream: throw invalid arg type from End Of Stream
(Jithil P Ponnan) (https://github.com/nodejs/node/pull/41766)
- (SEMVER-MAJOR) stream: don't emit finish after destroy
(Robert Nagy) (https://github.com/nodejs/node/pull/40852)
- (SEMVER-MAJOR) stream: add errored and closed props
(Robert Nagy) (https://github.com/nodejs/node/pull/40696)
- (SEMVER-MAJOR) test: add initial test module
(Colin Ihrig) (https://github.com/nodejs/node/pull/42325)
- (SEMVER-MAJOR) timers: refactor internal classes to ES2015 syntax
(Rabbit) (https://github.com/nodejs/node/pull/37408)
- (SEMVER-MAJOR) tls: represent registeredID numerically always
(Tobias Nießen) (https://github.com/nodejs/node/pull/41561)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
(Tobias Nießen) (https://github.com/nodejs/node/pull/41479)
- (SEMVER-MAJOR) url: throw on NULL in IPv6 hostname
(Rich Trott) (https://github.com/nodejs/node/pull/42313)
- (SEMVER-MAJOR) v8: make v8.writeHeapSnapshot() error codes consistent
(Darshan Sen) (https://github.com/nodejs/node/pull/42577)
- (SEMVER-MAJOR) v8: make writeHeapSnapshot throw if fopen fails
(Antonio Román) (https://github.com/nodejs/node/pull/41373)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
(James M Snell) (https://github.com/nodejs/node/pull/41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
(James M Snell) (https://github.com/nodejs/node/pull/41271)
PR-URL: https://github.com/nodejs/node/pull/42262
|
|
Notable changes:
This is planned to be the final Node.js 12 release. Node.js 12 will
reach End-of-Life status on 30 April 2022, after which it will no
receive updates. You are strongly advised to migrate your applications
to Node.js 16 or 14 (both of which are Long Term Support (LTS) releases)
to continue to receive future security updates beyond 30 April 2022.
This release fixes a shutdown crash in Node-API (formerly N-API) and a
potential stack overflow when using `vm.runInNewContext()`.
The list of GPG keys used to sign releases and instructions on how to
fetch the keys for verifying binaries has been synchronized with the
main branch.
PR-URL: https://github.com/nodejs/node/pull/42531
|
|
Notable changes:
doc:
* add @ShogunPanda to collaborators (Shogun) https://github.com/nodejs/node/pull/42362
* deprecate string coercion in `fs.write`, `fs.writeFileSync` (Livia Medeiros) https://github.com/nodejs/node/pull/42149
http:
* (SEMVER-MINOR) trace http client by perf_hooks (theanarkh) https://github.com/nodejs/node/pull/42345
deps:
* upgrade npm to 8.5.5 (npm team) https://github.com/nodejs/node/pull/42382
* update undici to 4.15.1 (Michaël Zasso) https://github.com/nodejs/node/pull/42246
PR-URL: https://github.com/nodejs/node/pull/42425
|
|
This is a security release.
Notable changes:
Update to OpenSSL 3.0.2, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt
PR-URL: https://github.com/nodejs/node/pull/42381
|
|
This is a security release.
Notable changes:
Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt
PR-URL: https://github.com/nodejs/node/pull/42385
|
|
This is a security release.
Notable changes:
Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt
PR-URL: https://github.com/nodejs/node/pull/42371
|
|
This is a security release.
Notable changes:
Update to OpenSSL 1.1.1n, which addresses the following vulnerability:
- Infinite loop in BN_mod_sqrt() reachable when parsing certificates (High)(CVE-2022-0778)
More details are available at https://www.openssl.org/news/secadv/20220315.txt
Fix for building Node.js 12.x with Visual Studio 2019 to allow us to continue to
run CI tests.
PR-URL: https://github.com/nodejs/node/pull/42363
|
|
Notable changes:
* doc:
* add release key for Bryan English (Bryan English) https://github.com/nodejs/node/pull/42102
PR-URL: https://github.com/nodejs/node/pull/42200
|
|
Notable changes:
Fixed regression in url.resolve()
This release fixes an issue introduced in Node.js v17.7.0 with some URLs
that contain `@`. This issue affected yarn 1. This version reverts the
change that introduced the regression.
PR-URL: https://github.com/nodejs/node/pull/42285
|
|
Notable changes:
* (SEMVER-MINOR) crypto: add KeyObject.prototype.equals method (Filip Skokan) https://github.com/nodejs/node/pull/42093
* (SEMVER-MINOR) net: add new options to net.Socket and net.Server (Paolo Insogna) https://github.com/nodejs/node/pull/41310
* (SEMVER-MINOR) src: allow preventing InitializeInspector in env (Shelley Vohr) https://github.com/nodejs/node/pull/35025
* doc: add release key for Bryan English (Bryan English) https://github.com/nodejs/node/pull/42102
Dependency Updates:
* deps: update nghttp2 to 1.47.0 (Yash Ladha) https://github.com/nodejs/node/pull/42127
* deps: upgrade npm to 8.5.2 (npm team) https://github.com/nodejs/node/pull/42122
New Collaborators:
* doc: add JakobJingleheimer to collaborators list (Jacob Smith) https://github.com/nodejs/node/pull/42185
* doc: move bnoordhuis back to collaborators (Ben Noordhuis) https://github.com/nodejs/node/pull/42064
PR-URL: https://github.com/nodejs/node/pull/42254
|
|
Notable changes:
- doc: deprecate notice for process methods (Yash Ladha) https://github.com/nodejs/node/pull/41587
- stream: revert `map` spec compliance (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41931
- build: remove broken x32 arch support (Ben Noordhuis) https://github.com/nodejs/node/pull/41905
- (SEMVER-MINOR) esm: support https remotely and http locally under flag (Bradley Farias) https://github.com/nodejs/node/pull/36328
- (SEMVER-MINOR) fs: support copy of relative links with cp and cpSync (Marcos Bjoerkelund) https://github.com/nodejs/node/pull/41819
- (SEMVER-MINOR) lib: add FormData global when fetch is enabled (Michaël Zasso) https://github.com/nodejs/node/pull/41956
- (SEMVER-MINOR) readline: bind keystroke `ctrl`+`6` to redo (Ray) https://github.com/nodejs/node/pull/41662
- process: deprecate multipleResolves (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41872
- Documentation-only.
Dependency updates:
- deps: upgrade npm to 8.5.1 (npm-robot) https://github.com/nodejs/node/pull/42039
- deps: update undici to 3e267ece5f (Michaël Zasso) https://github.com/nodejs/node/pull/41955
- deps: upgrade npm to 8.5.0 (npm-robot) https://github.com/nodejs/node/pull/41925
New collaborators:
- doc: add marsonya to collaborators (Akhil Marsonya) https://github.com/nodejs/node/pull/41991
- doc: add joesepi to collaborators (Joe Sepi) https://github.com/nodejs/node/pull/41914
PR-URL: https://github.com/nodejs/node/pull/42072
|
|
Notable changes:
lib:
* (SEMVER-MINOR) add fetch (Michaël Zasso) https://github.com/nodejs/node/pull/41749
module:
* unflag esm json modules (Geoffrey Booth) https://github.com/nodejs/node/pull/41736
node-api:
* (SEMVER-MINOR) add node_api_symbol_for() (Darshan Sen) https://github.com/nodejs/node/pull/41329
stream:
* (SEMVER-MINOR) add iterator helper find (linkgoron) https://github.com/nodejs/node/pull/41849
* (SEMVER-MINOR) add toArray (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41553
* (SEMVER-MINOR) add forEach method (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41445
* (SEMVER-MINOR) support some and every (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41573
deps:
* upgrade npm to 8.4.1 (npm team) [#41836](https://github.com/nodejs/node/pull/41836)
PR-URL: https://github.com/nodejs/node/pull/41897
|
|
Notable changes:
Importing JSON modules now requires experimental import assertions
syntax
This release adds experimental support for the import assertions stage 3
proposal.
To keep Node.js ESM implementation as compatible as possible with the
HTML spec, import assertions are now required to import JSON modules
(still behind the `--experimental-json-modules` CLI flag):
```mjs
import info from './package.json' assert { type: 'json' };
```
Or use dynamic import:
```mjs
const info = await import('./package.json', {
assert: { type: 'json' }
});
```
Contributed by Antoine du Hamel and Geoffrey Booth https://github.com/nodejs/node/pull/40250
Other notable changes:
* async_hooks:
* (SEMVER-MINOR) expose async_wrap providers (Rafael Gonzaga) https://github.com/nodejs/node/pull/40760
* child_process:
* (SEMVER-MINOR) add support for URL to `cp.fork` (Antoine du Hamel) https://github.com/nodejs/node/pull/41225
* doc:
* add @Mesteery to collaborators (Mestery) https://github.com/nodejs/node/pull/41543
* add @bnb as a collaborator (Tierney Cyren) https://github.com/nodejs/node/pull/41100
* esm:
* (SEMVER-MINOR) graduate capturerejections to supported (James M Snell) https://github.com/nodejs/node/pull/41267
* (SEMVER-MINOR) add EventEmitterAsyncResource to core (James M Snell) https://github.com/nodejs/node/pull/41246
* events:
* (SEMVER-MINOR) propagate weak option for kNewListener (James M Snell) https://github.com/nodejs/node/pull/40899
* fs:
* (SEMVER-MINOR) accept URL as argument for `fs.rm` and `fs.rmSync` (Antoine du Hamel) https://github.com/nodejs/node/pull/41132
* lib:
* (SEMVER-MINOR) make AbortSignal cloneable/transferable (James M Snell) https://github.com/nodejs/node/pull/41050
* (SEMVER-MINOR) add AbortSignal.timeout (James M Snell) https://github.com/nodejs/node/pull/40899
* (SEMVER-MINOR) add reason to AbortSignal (James M Snell) https://github.com/nodejs/node/pull/40807
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
* loader:
* (SEMVER-MINOR) return package format from defaultResolve if known (Gabriel Bota) https://github.com/nodejs/node/pull/40980
* perf_hooks:
* (SEMVER-MINOR) multiple fixes for Histogram (James M Snell) https://github.com/nodejs/node/pull/41153
* process:
* (SEMVER-MINOR) add `getActiveResourcesInfo()` (Darshan Sen) https://github.com/nodejs/node/pull/40813
* src:
* (SEMVER-MINOR) add x509.fingerprint512 to crypto module (3nprob) https://github.com/nodejs/node/pull/39809
* (SEMVER-MINOR) add flags for controlling process behavior (Cheng Zhao) https://github.com/nodejs/node/pull/40339
* stream:
* (SEMVER-MINOR) add filter method to readable (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/41354
* (SEMVER-MINOR) add isReadable helper (Robert Nagy) https://github.com/nodejs/node/pull/41199
* (SEMVER-MINOR) add map method to Readable (Benjamin Gruenbaum) https://github.com/nodejs/node/pull/40815
* deprecate thenable support (Antoine du Hamel) https://github.com/nodejs/node/pull/40860
* util:
* (SEMVER-MINOR) pass through the inspect function to custom inspect functions (Ruben Bridgewater) https://github.com/nodejs/node/pull/41019
* (SEMVER-MINOR) add numericSeparator to util.inspect (Ruben Bridgewater) https://github.com/nodejs/node/pull/41003
* (SEMVER-MINOR) always visualize cause property in errors during inspection (Ruben Bridgewater) https://github.com/nodejs/node/pull/41002
* timers:
* (SEMVER-MINOR) add experimental scheduler api (James M Snell) https://github.com/nodejs/node/pull/40909
* v8:
* (SEMVER-MINOR) multi-tenant promise hook api (Stephen Belanger) https://github.com/nodejs/node/pull/39283
PR-URL: https://github.com/nodejs/node/pull/41804
|
|
Notable changes:
* Upgrade npm to 6.14.16
* Updated ICU time zone data
PR-URL: https://github.com/nodejs/node/pull/41710
|
|
Notable changes:
Corepack:
Node.js now includes Corepack, a script that acts as a bridge between
Node.js projects and the package managers they are intended to be used
with during development.
In practical terms, Corepack will let you use Yarn and pnpm without
having to install them - just like what currently happens with npm,
which is shipped in Node.js by default.
Contributed by Maël Nison - https://github.com/nodejs/node/pull/39608
ICU updated:
ICU has been updated to 70.1. This updates timezone database to 2021a3,
including bringing forward the start for DST for Jordan from March to
February.
Contributed by Michaël Zasso - https://github.com/nodejs/node/pull/40658
New option to disable loading of native addons:
A new command line option `--no-addons` has been added to disallow
loading of native addons.
Contributed by Dominic Elm - https://github.com/nodejs/node/pull/39977
Updated Root Certificates:
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71.
Contributed by Richard Lau - https://github.com/nodejs/node/pull/40280
Other Notable Changes:
crypto:
* (SEMVER-MINOR) make FIPS related options always available (Vít Ondruch) https://github.com/nodejs/node/pull/36341
lib:
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
module:
* (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
src:
* (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926
PR-URL: https://github.com/nodejs/node/pull/41696
|
|
Notable changes:
child_process:
* (SEMVER-MINOR) add support for URL to `cp.fork` (Antoine du Hamel) https://github.com/nodejs/node/pull/41225
crypto:
* (SEMVER-MINOR) alias webcrypto.subtle and webcrypto.getRandomValues on crypto (James M Snell) https://github.com/nodejs/node/pull/41266
doc:
* add Mesteery to collaborators (Mestery) https://github.com/nodejs/node/pull/41543
events:
* (SEMVER-MINOR) graduate capturerejections to supported (James M Snell) https://github.com/nodejs/node/pull/41267
* (SEMVER-MINOR) add EventEmitterAsyncResource to core (James M Snell) https://github.com/nodejs/node/pull/41246
loader:
* (SEMVER-MINOR) return package format from defaultResolve if known (Gabriel Bota) https://github.com/nodejs/node/pull/40980
perf_hooks:
* (SEMVER-MINOR) multiple fixes for Histogram (James M Snell) https://github.com/nodejs/node/pull/41153
stream:
* (SEMVER-MINOR) add filter method to readable (Benjamin Gruenbaum, Robert Nagy) https://github.com/nodejs/node/pull/41354
* (SEMVER-MINOR) add isReadable helper (Robert Nagy) https://github.com/nodejs/node/pull/41199
* (SEMVER-MINOR) add map method to Readable (Benjamin Gruenbaum, Robert Nagy) https://github.com/nodejs/node/pull/40815
PR-URL: https://github.com/nodejs/node/pull/41557
|
|
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/311
|
|
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/312
|
|
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/310
|
|
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/309
|
|
OpenSSL-3.0.1:
OpenSSL-3.0.1 contains a fix for CVE-2021-4044: Invalid handling of X509_verify_cert() internal errors
in libssl (Moderate). This is a vulnerability in OpenSSL that may be exploited through Node.js.
More information can be read here: https://www.openssl.org/news/secadv/20211214.txt.
Contributed by Richard Lau https://github.com/nodejs/node/pull/41177
Other Notable Changes:
* lib:
* make AbortSignal cloneable/transferable (James M Snell) https://github.com/nodejs/node/pull/41050
* deps:
* upgrade npm to 8.3.0 (npm team) https://github.com/nodejs/node/pull/41127
* doc:
* add @bnb as a collaborator (Tierney Cyren) https://github.com/nodejs/node/pull/41100
* process:
* add `getActiveResourcesInfo()` (Darshan Sen) https://github.com/nodejs/node/pull/40813
* timers:
* add experimental scheduler api (James M Snell) https://github.com/nodejs/node/pull/40909
PR-URL: https://github.com/nodejs/node/pull/41167
|
|
Notable changes:
This release contains a c-ares update to fix a regression introduced in
Node.js 12.22.5 resolving CNAME records containing underscores
(https://github.com/nodejs/node/issues/39780).
Root certificates have been updated to those from Mozilla's Network
Security Services 3.71 (https://github.com/nodejs/node/pull/40280).
PR-URL: https://github.com/nodejs/node/pull/41161
|
|
Notable changes:
- **deps**: upgrade npm to 8.1.2 (npm team)
[#40643](https://github.com/nodejs/node/pull/40643)
- **deps**: update c-ares to 1.18.1 (Richard Lau)
[#40660](https://github.com/nodejs/node/pull/40660)
- **doc**: add VoltrexMaster to collaborators (voltrexmaster)
[#40566](https://github.com/nodejs/node/pull/40566)
- **lib**: fix regular expression to detect \`/\` and \`\\\`
(Francesco Trotta) [#40325](https://github.com/nodejs/node/pull/40325)
PR-URL: https://github.com/nodejs/node/pull/40974
|
|
Notable changes:
async_hooks:
* (SEMVER-MINOR) expose async_wrap providers (Rafael Gonzaga) https://github.com/nodejs/node/pull/40760
deps:
* (SEMVER-MINOR) update V8 to 9.6.180.14 (Michaël Zasso) https://github.com/nodejs/node/pull/40488
lib:
* (SEMVER-MINOR) add reason to AbortSignal (James M Snell) https://github.com/nodejs/node/pull/40807
src:
* (SEMVER-MINOR) add x509.fingerprint512 to crypto module (3nprob) https://github.com/nodejs/node/pull/39809
stream:
* deprecate thenable support (Antoine du Hamel) https://github.com/nodejs/node/pull/40860
* fix finished regression when working with legacy Stream (Matteo Collina) https://github.com/nodejs/node/pull/40858
PR-URL: https://github.com/nodejs/node/pull/40983
|
|
Notable changes
This release contains a c-ares update to fix a regression introduced in
Node.js 14.17.5 resolving CNAME records containing underscores
(https://github.com/nodejs/node/issues/39780).
Also included are commits to allow Node.js 14 to continue to build and
pass tests on our Jenkins CI, including adding Python 3.10 to the list
of allowable Python versions for building.
PR-URL: https://github.com/nodejs/node/pull/40969
|
|
Notable changes:
doc:
* add VoltrexMaster to collaborators (voltrexmaster) https://github.com/nodejs/node/pull/40566
esm:
* (SEMVER-MINOR) add support for JSON import assertion (Antoine du Hamel) https://github.com/nodejs/node/pull/40250
lib:
* (SEMVER-MINOR) add unsubscribe method to non-active DC channels (simon-id) https://github.com/nodejs/node/pull/40433
* (SEMVER-MINOR) add return value for DC channel.unsubscribe (simon-id) https://github.com/nodejs/node/pull/40433
v8:
* (SEMVER-MINOR) multi-tenant promise hook api (Stephen Belanger) https://github.com/nodejs/node/pull/39283
PR-URL: https://github.com/nodejs/node/pull/40758
|
|
Update mdast-util-to-markdown to 1.2.4 which reduces unnecessary
escaping of `_` and some other characters. Re-run markdown formatter.
PR-URL: https://github.com/nodejs/node/pull/40645
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
|
|
Remove unnecessary `<sup>` usage and lint-disabling comment.
PR-URL: https://github.com/nodejs/node/pull/40475
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
|
|
Update missed changes for the main CHANGELOG.md for Node.js 16.13.0.
PR-URL: https://github.com/nodejs/node/pull/40617
Refs: https://github.com/nodejs/node/pull/40536
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
|
|
Notable changes:
This release marks the transition of Node.js 16.x into Long Term Support (LTS)
with the codename 'Gallium'. The 16.x release line now moves into "Active LTS"
and will remain so until October 2022. After that time, it will move into
"Maintenance" until end of life in April 2024.
PR-URL: https://github.com/nodejs/node/pull/40536
|
|
Notable changes:
Fixed distribution for native addon builds
This release fixes an issue introduced in Node.js v17.0.0, where some V8
headers were missing from the distributed tarball, making it impossible
to build native addons. These headers are now included.
https://github.com/nodejs/node/pull/40526
Fixed stream issues
* Fixed a regression in `stream.promises.pipeline`, which was introduced
in version 16.10.0, is fixed. It is now possible again to pass an
array of streams to the function.
https://github.com/nodejs/node/pull/40193
* Fixed a bug in `stream.Duplex.from`, which didn't work properly when
an async generator function was passed to it.
https://github.com/nodejs/node/pull/40499
PR-URL: https://github.com/nodejs/node/pull/40535
|
|
Notable Changes:
Experimental ESM Loader Hooks API:
Node.js ESM Loader hooks have been consolidated to represent the steps involved needed to facilitate future loader chaining:
1. `resolve`: `resolve` [+ `getFormat`]
2. `load`: `getFormat` + `getSource` + `transformSource`
For consistency, `getGlobalPreloadCode` has been renamed to `globalPreload`.
A loader exporting obsolete hook(s) will trigger a single deprecation warning (per loader) listing the errant hooks.
Contributed by Jacob Smith, Geoffrey Booth, and Bradley Farias - https://github.com/nodejs/node/pull/37468
Other Notable Changes:
deps:
* upgrade npm to 8.1.0 (npm team) https://github.com/nodejs/node/pull/40463
doc:
* deprecate (doc-only) http abort related (dr-js) https://github.com/nodejs/node/pull/36670
vm:
* (SEMVER-MINOR) add support for import assertions in dynamic imports (Antoine du Hamel) https://github.com/nodejs/node/pull/40249
PR-URL: https://github.com/nodejs/node/pull/40504
|
|
Notable Changes:
Deprecations and Removals:
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup`
options
(Antoine du Hamel) [https://github.com/nodejs/node/pull/39793]
- doc: deprecate (doc-only) http abort related
(dr-js) [https://github.com/nodejs/node/pull/36670]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
(Guy Bedford) [https://github.com/nodejs/node/pull/40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
(Guy Bedford) [https://github.com/nodejs/node/pull/40117]
OpenSSL 3.0:
Node.js now includes OpenSSL 3.0, specifically https://github.com/quictls/openssl
which provides QUIC support.
While OpenSSL 3.0 APIs should be mostly compatible with those provided
by OpenSSL 1.1.1, we do anticipate some ecosystem impact due to
tightened restrictions on the allowed algorithms and key sizes.
If you hit an `ERR_OSSL_EVP_UNSUPPORTED` error in your application with
Node.js 17, it’s likely that your application or a module you’re using
is attempting to use an algorithm or key size which is no longer allowed
by default with OpenSSL 3.0. A command-line option,
`--openssl-legacy-provider`, has been added to revert to the legacy
provider as a temporary workaround for these tightened restrictions.
For details about all the features in
OpenSSL 3.0 please see https://www.openssl.org/blog/blog/2021/09/07/OpenSSL3.Final.
(Daniel Bevenius) [https://github.com/nodejs/node/pull/38512]
Contributed in https://github.com/nodejs/node/pull/38512, https://github.com/nodejs/node/pull/40478
V8 9.5:
The V8 JavaScript engine is updated to V8 9.5. This release comes with
additional supported types for the `Intl.DisplayNames` API and Extended
`timeZoneName` options in the `Intl.DateTimeFormat` API. You can read
more details in the V8 9.5 release post https://v8.dev/blog/v8-release-95.
(Michaël Zasso) [https://github.com/nodejs/node/pull/40178]
Readline Promise API:
The `readline` module provides an interface for reading data from a
Readable stream (such as `process.stdin`) one line at a time.
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
Other Notable Changes:
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
(treysis) [https://github.com/nodejs/node/pull/39987]
- (SEMVER-MAJOR) errors: print Node.js version on fatal exceptions that
cause exit
(Divlo) [https://github.com/nodejs/node/pull/38332]
- deps: upgrade npm to 8.1.0
(npm team) [https://github.com/nodejs/node/pull/40463]
- (SEMVER-MINOR) fs: add FileHandle.prototype.readableWebStream()
(James M Snell) [https://github.com/nodejs/node/pull/39331]
- (SEMVER-MAJOR) lib: add structuredClone() global
(Ethan Arrowood) [https://github.com/nodejs/node/pull/39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
(Khaidi Chu) [https://github.com/nodejs/node/pull/39176]
- (SEMVER-MAJOR) stream: finished should error on errored stream
(Robert Nagy) [https://github.com/nodejs/node/pull/39235]
Semver-Major Commits:
- (SEMVER-MAJOR) build: compile with C++17 (MSVC)
(Richard Lau) [https://github.com/nodejs/node/pull/38807]
- (SEMVER-MAJOR) build: compile with --gnu++17
(Richard Lau) [https://github.com/nodejs/node/pull/38807]
- (SEMVER-MAJOR) deps: update V8 to 9.5.172.19
(Michaël Zasso) [https://github.com/nodejs/node/pull/40178]
- (SEMVER-MAJOR) deps,test,src,doc,tools: update to OpenSSL 3.0
(Daniel Bevenius) [https://github.com/nodejs/node/pull/38512]
- (SEMVER-MAJOR) dgram: tighten `address` validation in `socket.send`
(Voltrex) [https://github.com/nodejs/node/pull/39190]
- (SEMVER-MAJOR) dns: runtime deprecate type coercion of `dns.lookup` options
(Antoine du Hamel) [https://github.com/nodejs/node/pull/39793]
- (SEMVER-MAJOR) dns: default to verbatim=true in dns.lookup()
(treysis) [https://github.com/nodejs/node/pull/39987]
- (SEMVER-MAJOR) doc: update minimum supported FreeBSD to 12.2
(Michaël Zasso) [https://github.com/nodejs/node/pull/40179]
- (SEMVER-MAJOR) errors: disp ver on fatal except that causes exit
(Divlo) [https://github.com/nodejs/node/pull/38332]
- (SEMVER-MAJOR) fs: fix rmsync error swallowing
(Nitzan Uziely) [https://github.com/nodejs/node/pull/38684]
- (SEMVER-MAJOR) fs: aggregate errors in fsPromises to avoid error swallowing
(Nitzan Uziely) [https://github.com/nodejs/node/pull/38259]
- (SEMVER-MAJOR) lib: add structuredClone() global
(Ethan Arrowood) [https://github.com/nodejs/node/pull/39759]
- (SEMVER-MAJOR) lib: expose `DOMException` as global
(Khaidi Chu) [https://github.com/nodejs/node/pull/39176]
- (SEMVER-MAJOR) module: subpath folder mappings EOL
(Guy Bedford) [https://github.com/nodejs/node/pull/40121]
- (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns
(Guy Bedford) [https://github.com/nodejs/node/pull/40117]
- (SEMVER-MAJOR) readline: validate `AbortSignal`s and remove unused event listeners
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
- (SEMVER-MAJOR) readline: introduce promise-based API
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
- (SEMVER-MAJOR) readline: refactor `Interface` to ES2015 class
(Antoine du Hamel) [https://github.com/nodejs/node/pull/37947]
- (SEMVER-MAJOR) src: allow CAP\_NET\_BIND\_SERVICE in SafeGetenv
(Daniel Bevenius) [https://github.com/nodejs/node/pull/37727]
- (SEMVER-MAJOR) src: return Maybe from a couple of functions
(Darshan Sen) [https://github.com/nodejs/node/pull/39603]
- (SEMVER-MAJOR) src: allow custom PageAllocator in NodePlatform
(Shelley Vohr) [https://github.com/nodejs/node/pull/38362]
- (SEMVER-MAJOR) stream: fix highwatermark threshold and add the missing error
(Rongjian Zhang) [https://github.com/nodejs/node/pull/38700]
- (SEMVER-MAJOR) stream: don't emit 'data' after 'error' or 'close'
(Robert Nagy) [https://github.com/nodejs/node/pull/39639]
- (SEMVER-MAJOR) stream: do not emit `end` on readable error
(Szymon Marczak) [https://github.com/nodejs/node/pull/39607]
- (SEMVER-MAJOR) stream: forward errored to callback
(Robert Nagy) [https://github.com/nodejs/node/pull/39364]
- (SEMVER-MAJOR) stream: destroy readable on read error
(Robert Nagy) [https://github.com/nodejs/node/pull/39342]
- (SEMVER-MAJOR) stream: validate abort signal
(Robert Nagy) [https://github.com/nodejs/node/pull/39346]
- (SEMVER-MAJOR) stream: unify stream utils
(Robert Nagy) [https://github.com/nodejs/node/pull/39294]
- (SEMVER-MAJOR) stream: throw on premature close in Readable\
(Darshan Sen) [https://github.com/nodejs/node/pull/39117]
- (SEMVER-MAJOR) stream: finished should error on errored stream
(Robert Nagy) [https://github.com/nodejs/node/pull/39235]
- (SEMVER-MAJOR) stream: error Duplex write/read if not writable/readable
(Robert Nagy) [https://github.com/nodejs/node/pull/34385]
- (SEMVER-MAJOR) stream: bypass legacy destroy for pipeline and async iteration
(Robert Nagy) [https://github.com/nodejs/node/pull/38505]
- (SEMVER-MAJOR) url: throw invalid this on detached accessors
(James M Snell) [https://github.com/nodejs/node/pull/39752]
- (SEMVER-MAJOR) url: forbid certain confusable changes from being introduced by toASCII
(Timothy Gu) [https://github.com/nodejs/node/pull/38631]
PR-URL: https://github.com/nodejs/node/pull/40119
|
|
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/293
|
|
This is a security release.
Notable Changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked requests.
requests. This leads to HTTP Request Smuggling (HRS) under certain conditions.
More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/294
|
|
This is a security release.
Notable changes:
* CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
* The http parser accepts requests with a space (SP) right after the
header name before the colon. This can lead to HTTP Request Smuggling
(HRS). More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22959
* CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
* The parse ignores chunk extensions when parsing the body of chunked
requests. This leads to HTTP Request Smuggling (HRS) under certain
conditions. More details are available at:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22960
PR-URL: https://github.com/nodejs-private/node-private/pull/295
|
|
Notable changes:
* crypto:
* update root certificates (Richard Lau) https://github.com/nodejs/node/pull/40280
* deps:
* upgrade npm to 8.0.0 (npm team) https://github.com/nodejs/node/pull/40369
* update `nghttp2` to v1.45.1 (thunder-coding) https://github.com/nodejs/node/pull/40206
* update V8 to 9.4.146.19 (Michaël Zasso) https://github.com/nodejs/node/pull/40285
* tools:
* update certdata.txt (Richard Lau) https://github.com/nodejs/node/pull/40280
PR-URL: https://github.com/nodejs/node/pull/40319
|
|
Use `make format-md` to format general markdown files.
PR-URL: https://github.com/nodejs/node/pull/40322
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Zijian Liu <lxxyxzj@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
|
|
Notable changes:
assert:
* change status of legacy asserts (James M Snell) https://github.com/nodejs/node/pull/38113
buffer:
* (SEMVER-MINOR) introduce Blob (James M Snell) https://github.com/nodejs/node/pull/36811
* (SEMVER-MINOR) add base64url encoding option (Filip Skokan) https://github.com/nodejs/node/pull/36952
child_process:
* (SEMVER-MINOR) allow `options.cwd` receive a URL (Khaidi Chu) https://github.com/nodejs/node/pull/38862
* (SEMVER-MINOR) add timeout to spawn and fork (Nitzan Uziely) https://github.com/nodejs/node/pull/37256
* (SEMVER-MINOR) allow promisified exec to be cancel (Carlos Fuentes) https://github.com/nodejs/node/pull/34249
* (SEMVER-MINOR) add 'overlapped' stdio flag (Thiago Padilha) https://github.com/nodejs/node/pull/29412
cli:
* (SEMVER-MINOR) add -C alias for --conditions flag (Guy Bedford) https://github.com/nodejs/node/pull/38755
* (SEMVER-MINOR) add --node-memory-debug option (Anna Henningsen) https://github.com/nodejs/node/pull/35537
dns:
* (SEMVER-MINOR) add "tries" option to Resolve options (Luan Devecchi) https://github.com/nodejs/node/pull/39610
* (SEMVER-MINOR) allow `--dns-result-order` to change default dns verbatim (Ouyang Yadong) https://github.com/nodejs/node/pull/38099
doc:
* (SEMVER-MINOR) add missing change to resolver ctor (Luan Devecchi) https://github.com/nodejs/node/pull/39610
* refactor fs docs structure (James M Snell) https://github.com/nodejs/node/pull/37170
errors:
* (SEMVER-MINOR) remove experimental from --enable-source-maps (Benjamin Coe) https://github.com/nodejs/node/pull/37362
esm:
* deprecate legacy main lookup for modules (Guy Bedford) https://github.com/nodejs/node/pull/36918
fs:
* (SEMVER-MINOR) allow empty string for temp directory prefix (Voltrex) https://github.com/nodejs/node/pull/39028
* (SEMVER-MINOR) allow no-params fsPromises fileHandle read (Nitzan Uziely) https://github.com/nodejs/node/pull/38287
* (SEMVER-MINOR) add support for async iterators to `fsPromises.writeFile` (HiroyukiYagihashi) https://github.com/nodejs/node/pull/37490
* improve fsPromises readFile performance (Nitzan Uziely) https://github.com/nodejs/node/pull/37608
* (SEMVER-MINOR) add fsPromises.watch() (James M Snell) https://github.com/nodejs/node/pull/37179
* (SEMVER-MINOR) allow `position` parameter to be a `BigInt` in read and readSync (Darshan Sen) https://github.com/nodejs/node/pull/36190
http2:
* (SEMVER-MINOR) add support for sensitive headers (Anna Henningsen) https://github.com/nodejs/node/pull/34145
* (SEMVER-MINOR) allow setting the local window size of a session (Yongsheng Zhang) https://github.com/nodejs/node/pull/35978
inspector:
* mark as stable (Gireesh Punathil) https://github.com/nodejs/node/pull/37748
module:
* (SEMVER-MINOR) add support for `URL` to `import.meta.resolve` (Antoine du Hamel) https://github.com/nodejs/node/pull/38587
* (SEMVER-MINOR) add support for `node:`‑prefixed `require(…)` calls (ExE Boss) https://github.com/nodejs/node/pull/37246
net:
* (SEMVER-MINOR) introduce net.BlockList (James M Snell) https://github.com/nodejs/node/pull/34625
node-api:
* (SEMVER-MINOR) allow retrieval of add-on file name (Gabriel Schulhof) https://github.com/nodejs/node/pull/37195
os:
* (SEMVER-MINOR) add os.devNull (Luigi Pinca) https://github.com/nodejs/node/pull/38569
perf_hooks:
* (SEMVER-MINOR) introduce createHistogram (James M Snell) https://github.com/nodejs/node/pull/37155
process:
* (SEMVER-MINOR) add api to enable source-maps programmatically (legendecas) https://github.com/nodejs/node/pull/39085
* (SEMVER-MINOR) add `'worker'` event (James M Snell) https://github.com/nodejs/node/pull/38659
* (SEMVER-MINOR) add direct access to rss without iterating pages (Adrien Maret) https://github.com/nodejs/node/pull/34291
readline:
* (SEMVER-MINOR) add AbortSignal support to interface (Nitzan Uziely) https://github.com/nodejs/node/pull/37932
* (SEMVER-MINOR) add support for the AbortController to the question method (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33676
* (SEMVER-MINOR) add history event and option to set initial history (Mattias Runge-Broberg) https://github.com/nodejs/node/pull/33662
repl:
* (SEMVER-MINOR) add auto‑completion for `node:`‑prefixed `require(…)` calls (ExE Boss) https://github.com/nodejs/node/pull/37246
src:
* (SEMVER-MINOR) call overload ctor from the original ctor (Darshan Sen) https://github.com/nodejs/node/pull/39768
* (SEMVER-MINOR) add a constructor overload for CallbackScope (Darshan Sen) https://github.com/nodejs/node/pull/39768
* (SEMVER-MINOR) allow to negate boolean CLI flags (Michaël Zasso) https://github.com/nodejs/node/pull/39023
* (SEMVER-MINOR) add --heapsnapshot-near-heap-limit option (Joyee Cheung) https://github.com/nodejs/node/pull/33010
* (SEMVER-MINOR) add way to get IsolateData and allocator from Environment (Anna Henningsen) https://github.com/nodejs/node/pull/36441
* (SEMVER-MINOR) allow preventing SetPrepareStackTraceCallback (Shelley Vohr) https://github.com/nodejs/node/pull/36447
* (SEMVER-MINOR) add maybe versions of EmitExit and EmitBeforeExit (Anna Henningsen) https://github.com/nodejs/node/pull/35486
stream:
* (SEMVER-MINOR) add readableDidRead if has been read from (Robert Nagy) https://github.com/nodejs/node/pull/39589
* (SEMVER-MINOR) pipeline accept Buffer as a valid first argument (Nitzan Uziely) https://github.com/nodejs/node/pull/37739
tls:
* (SEMVER-MINOR) allow reading data into a static buffer (Andrey Pechkurov) https://github.com/nodejs/node/pull/35753
tools:
* (SEMVER-MINOR) add `Worker` to type-parser (James M Snell) https://github.com/nodejs/node/pull/38659
url:
* (SEMVER-MINOR) expose urlToHttpOptions utility (Yongsheng Zhang) https://github.com/nodejs/node/pull/35960
util:
* (SEMVER-MINOR) expose toUSVString (Robert Nagy) https://github.com/nodejs/node/pull/39814
v8:
* (SEMVER-MINOR) implement v8.stopCoverage() (Joyee Cheung) https://github.com/nodejs/node/pull/33807
* (SEMVER-MINOR) implement v8.takeCoverage() (Joyee Cheung) https://github.com/nodejs/node/pull/33807
worker:
* (SEMVER-MINOR) add setEnvironmentData/getEnvironmentData (James M Snell) https://github.com/nodejs/node/pull/37486
PR-URL: https://github.com/nodejs/node/pull/39990
|
|
Notable changes:
crypto:
* (SEMVER-MINOR) add rsa-pss keygen parameters (Filip Skokan) https://github.com/nodejs/node/pull/39927
doc:
* add Ayase-252 to collaborators (Qingyu Deng) https://github.com/nodejs/node/pull/40078
fs:
* (SEMVER-MINOR) make `open` and `close` stream override optional when unused (Antoine du Hamel) https://github.com/nodejs/node/pull/40013
http:
* (SEMVER-MINOR) limit requests per connection (Artur K) https://github.com/nodejs/node/pull/40082
src:
* (SEMVER-MINOR) add --no-global-search-paths cli option (Cheng Zhao) https://github.com/nodejs/node/pull/39754
* (SEMVER-MINOR) add option to disable global search paths (Cheng Zhao) https://github.com/nodejs/node/pull/39754
* (SEMVER-MINOR) make napi_create_reference accept symbol (JckXia) https://github.com/nodejs/node/pull/39926
stream:
* (SEMVER-MINOR) add signal support to pipeline generators (Robert Nagy) https://github.com/nodejs/node/pull/39067
PR-URL: https://github.com/nodejs/node/pull/40175
|
|
Fix formatting that will change when run through upcoming remark preset.
PR-URL: https://github.com/nodejs/node/pull/40154
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
|
|
Notable changes:
This release fixes a regression introduced by the V8 9.3 update in Node.js 16.9.0.
PR-URL: https://github.com/nodejs/node/issues/40069
|
|
Notable changes:
crypto:
* (SEMVER-MINOR) add RSA-PSS params to asymmetricKeyDetails (Tobias Nießen) https://github.com/nodejs/node/pull/39851
deps:
* (SEMVER-MINOR) add corepack (Maël Nison) https://github.com/nodejs/node/pull/39608
* (SEMVER-MINOR) update V8 to 9.3.345.16 (Michaël Zasso) https://github.com/nodejs/node/pull/39947
module:
* (SEMVER-MINOR) support pattern trailers (Guy Bedford) https://github.com/nodejs/node/pull/39635
stream:
* (SEMVER-MINOR) add stream.compose (Robert Nagy) https://github.com/nodejs/node/pull/39029
PR-URL: https://github.com/nodejs/node/pull/40011
|
|
This is a security release.
Notable changes:
These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803 (https://github.com/advisories/GHSA-r628-mhmh-qjhw)
and CVE-2021-32804 (https://github.com/advisories/GHSA-3jfq-g458-7qm9).
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.
You can read more about it in:
* CVE-2021-37701: https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
* CVE-2021-37712: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
* CVE-2021-37713: https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
* CVE-2021-39134: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
* CVE-2021-39135: https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2
PR-URL: https://github.com/nodejs-private/node-private/pull/287
|
|
This is a security release.
Notable changes:
These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803 (https://github.com/advisories/GHSA-r628-mhmh-qjhw)
and CVE-2021-32804 (https://github.com/advisories/GHSA-3jfq-g458-7qm9).
Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.
You can read more about it in:
* CVE-2021-37701: https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc
* CVE-2021-37712: https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p
* CVE-2021-37713: https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh
* CVE-2021-39134: https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc
* CVE-2021-39135: https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2
PR-URL: https://github.com/nodejs-private/node-private/pull/288
|
|
Notable changes:
doc:
* deprecate type coercion for `dns.lookup` options (Antoine du Hamel) https://github.com/nodejs/node/pull/38906
stream:
* (SEMVER-MINOR) add `stream.Duplex.from` utility (Robert Nagy) https://github.com/nodejs/node/pull/39519
* (SEMVER-MINOR) add `isDisturbed` helper (Robert Nagy) https://github.com/nodejs/node/pull/39628
util:
* (SEMVER-MINOR) expose `toUSVString` (Robert Nagy) https://github.com/nodejs/node/pull/39814
PR-URL: https://github.com/nodejs/node/pull/39875
|
|
Notable changes:
* fs:
* experimental: add recursive cp method (Benjamin Coe) https://github.com/nodejs/node/pull/39372
PR-URL: https://github.com/nodejs/node/pull/39782
|
|
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/280
|
|
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/279
|
|
This is a security release.
Notable Changes:
- CVE-2021-3672/CVE-2021-22931:
Improper handling of untypical characters in domain names (High)
- CVE-2021-22930:
Use after free on close http2 on stream canceling (High)
- CVE-2021-22939:
Incomplete validation of rejectUnauthorized parameter (Low)
PR-URL: https://github.com/nodejs-private/node-private/pull/278
|
