Skip to content
This repository has been archived by the owner on Jan 17, 2023. It is now read-only.

Update Node.js to v8.15.0 #5230

Closed
wants to merge 1 commit into from
Closed

Update Node.js to v8.15.0 #5230

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 2, 2018

This PR contains the following updates:

Package Type Update Change References
circleci/node docker minor 8.12.0 -> 8.15.0@b38dc27
node minor 8.12.0 -> 8.15.0@cb66110 source

Release Notes

nodejs/node

v8.15.0

Compare Source

The 8.14.0 security release introduced some unexpected breakages on the 8.x release line.
This is a special release to fix a regression in the HTTP binary upgrade response body and add
a missing CLI flag to adjust the max header size of the http parser.

Notable Changes
  • cli:
    • add --max-http-header-size flag (cjihrig) #​24811
  • http:
    • add maxHeaderSize property (cjihrig) #​24860
Commits

v8.14.1

Compare Source

Notable changes
  • assert:
    • revert breaking change (Ruben Bridgewater) #​24786
  • http2:
    • fix sequence of error/close events (Gerhard Stoebich) #​24789
Commits

v8.14.0

Compare Source

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

  • Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
  • Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
  • Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
  • Node.js: HTTP request splitting (CVE-2018-12116)
  • OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
  • OpenSSL: Microarchitecture timing vulnerability in ECC scalar multiplication (CVE-2018-5407)
Notable Changes
  • deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 and CVE-2018-5407
  • http:
    • Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
    • A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
    • Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
  • url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)
Commits

v8.13.0

Compare Source

Notable changes
  • assert:
    • backport some assert commits (Ruben Bridgewater) #​23223
  • deps:
    • upgrade to libuv 1.23.2 (cjihrig) #​23336
    • V8: cherry-pick 64-bit hash seed commits (Yang Guo) #​23274
  • http:
    • added aborted property to request (Robert Nagy) #​20094
  • http2:
    • graduate from experimental (James M Snell) #​22466
Commits

Renovate configuration

📅 Schedule: "on Sunday" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot. View repository job log here.

@renovate renovate bot added the code quality Not a bug, targeted for fixing in 2018 label Dec 2, 2018
@renovate renovate bot force-pushed the renovate/node-8.x branch 9 times, most recently from 4d438c0 to 148654f Compare December 9, 2018 00:45
@renovate renovate bot force-pushed the renovate/node-8.x branch 8 times, most recently from 906c7c5 to 79eeb95 Compare December 16, 2018 01:46
@renovate renovate bot force-pushed the renovate/node-8.x branch 5 times, most recently from e7f1e99 to b494dfe Compare December 20, 2018 01:35
@renovate renovate bot changed the title Update Node.js to v8.14.0 Update Node.js Dec 20, 2018
@renovate renovate bot force-pushed the renovate/node-8.x branch 3 times, most recently from 0ccb73a to 6a46b81 Compare December 21, 2018 00:34
@renovate renovate bot changed the title Update Node.js Update Node.js to v8.14.1 Dec 21, 2018
@renovate renovate bot force-pushed the renovate/node-8.x branch 2 times, most recently from fb80ea3 to eba2275 Compare December 22, 2018 00:35
@renovate renovate bot force-pushed the renovate/node-8.x branch 10 times, most recently from efdf566 to 47b07c5 Compare January 10, 2019 00:47
@renovate renovate bot force-pushed the renovate/node-8.x branch 9 times, most recently from 45f8342 to 886b092 Compare January 18, 2019 02:43
@renovate renovate bot force-pushed the renovate/node-8.x branch 5 times, most recently from a9e2978 to 5fb807c Compare January 23, 2019 17:52
@renovate renovate bot force-pushed the renovate/node-8.x branch from 5fb807c to 90fc17e Compare January 24, 2019 01:51
@ianb
Copy link
Contributor

ianb commented Jan 24, 2019

Doesn't seem worth the potential issues to update at this stage.

@ianb ianb closed this Jan 24, 2019
@ianb ianb deleted the renovate/node-8.x branch January 24, 2019 21:28
@renovate
Copy link
Contributor Author

renovate bot commented Jan 24, 2019

Renovate Ignore Notification

As this PR has been closed unmerged, Renovate will now ignore this update (8.15.0). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the ignoreDeps array of your renovate config.

If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
code quality Not a bug, targeted for fixing in 2018
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants