This repository has been archived by the owner on Jan 17, 2023. It is now read-only.
This PR contains the following updates:
8.12.0 -> 8.15.0@b38dc27
8.12.0 -> 8.15.0@cb66110
Release Notes
nodejs/node
v8.15.0
The 8.14.0 security release introduced some unexpected breakages on the 8.x release line.
This is a special release to fix a regression in the HTTP binary upgrade response body and add
a missing CLI flag to adjust the max header size of the http parser.
Notable Changes
Commits
[693e362175] - (SEMVER-MINOR) cli: add --max-http-header-size flag (cjihrig) #24811
[4fb5a1be2f] - (SEMVER-MINOR) deps: cherry-pick http_parser_set_max_header_size (cjihrig) #24811
[446f8b54e5] - (SEMVER-MINOR) http: add maxHeaderSize property (cjihrig) #24860
[215ecfe4de] - http: fix regression of binary upgrade response body (Matteo Collina) #25037
[e1fbc26c6a] - test: move test-benchmark-path to sequential (Rich Trott) #21393
[aef71c05a2] - test: mark test-http2-settings-flood as flaky on Windows (Rich Trott) #25048
v8.14.1
Notable changes
Commits
[62fb5dbec5] - assert: revert breaking change (Ruben Bridgewater) #24786
[a8402fe1c8] - build: only check REPLACEME & DEP...X for releases (Rod Vagg) #24575
[26743369d3] - build: improve Travis CI settings (Timothy Gu) #21459
[1da04c208d] - build: install markdown linter for travis (Richard Lau) #21215
[7612024939] - build: initial .travis.yml implementation (Anna Henningsen) #21059
[f70e79a7b2] - build: allow for overwriting of use_openssl_def (Shelley Vohr) #23763
[15d1f67c60] - build,doc: remove outdated lint-md-build (Michaël Zasso) #22991
[85a6daeaef] - build,meta: switch to gcc-4.9 on travis (Refael Ackermann) #23778
[313ef6fa73] - build,tools: tweak the travis config (Refael Ackermann) #22417
[22b41495ea] - child_process: handle undefined/null for fork() args (Shobhit Chittora) #22416
[499605618b] - crypto: add SET_INTEGER_CONSANT macro (Daniel Bevenius) #23687
[34d91296df] - deps: icu: apply workaround patch (Steven R. Loomis) #23764
[50347297a1] - deps: cherry-pick d2e0166 from V8 upstream (Vasili Skurydzin) #23958
[9bedae5266] - deps: cherry-pick 6bc4bfe from V8 upstream (Vasili Skurydzin) #23958
[4f3c9e6aab] - deps,v8: fix gyp build on Aix platform (Vasili Skurydzin) #23958
[74c1074d53] - doc: add description for inspector-only console methods. (Benjamin Zaslavsky) #17004
[692223182c] - doc: fix api documentation of http.createServer (Ari Autio) #24869
[6d8c65e574] - doc: update to adding listens on SIGUSR1 (willhayslett) #19709
[33b7c50036] - doc: remove "if provided" for optional arguments (Rich Trott) #19690
[216e7da8c5] - doc: do not identify string as "JavaScript string" (Rich Trott) #19689
[17e84217c7] - doc: fix grammar error in process.md (Kenji Okamoto) #19641
[06daf5276f] - doc: remove use of "random port" re dgram send (Thomas Hunter II) #19620
[bf95392e86] - doc: improve assert legacy text (Rich Trott) #19622
[e48cc3c403] - doc: remove confusing note about child process stdio (Anna Henningsen) #19552
[9d249bf6d5] - doc: add BethGriggs to collaborators (Beth Griggs) #19610
[c3ecf05b01] - doc: document make docopen (Ayush Gupta) #19321
[8338700d05] - doc: add directory structure in writing-tests.md (juggernaut451) #18802
[63d8632611] - doc: add types for some process properties (Vse Mozhet Byt) #19571
[b2fc3b556c] - doc: fix n-api example string (Steven R. Loomis) #19205
[d79e7d6e89] - doc: minor improvements to buffer.md (Rich Trott) #19547
[06491482f8] - doc: update child_process.md (Ari Leo Frankel) #19075
[4db289ca17] - doc: move StackOverflow to unofficial section (josephleon) #19416
[f5683a9a6d] - doc: correct async_hooks resource names (Gerhard Stoebich) #24684
[ffe1f8033c] - doc: sort bottom-of-file markdown links (Sam Roberts) #24682
[78d9a5e6e4] - doc: address bits of proof reading work (Jagannath Bhat) #23978
[d1eebb2e43] - doc: revise COLLABORATOR_GUIDE.md (Rich Trott) #23990
[003eb0c8e1] - doc: simplify CODE_OF_CONDUCT.md (Rich Trott) #23989
[c1723c8bca] - doc: add branding to style guide (Rich Trott) #23967
[8bb67a1fb9] - doc: use Node.js instead of Node (Rich Trott) #23967
[73e0bb1f52] - doc: fix typographical issues (Denis McDonald) #23970
[6d76f852a9] - doc: add documentation for http.IncomingMessage$complete (James M Snell) #23914
[3025f351db] - doc: remove mailing list (Rich Trott) #23932
[2459e150bb] - doc: add note about ABI compatibility (Myles Borins) #22237
[27b35833bd] - doc: make example more clarified in cluster.md (ZYSzys) #23931
[0d4de59967] - doc: simplify valid security issue descriptions (Rich Trott) #23881
[9afdc09f98] - doc: simplify path.basename() on POSIX and Windows (ZYSzys) #23864
[3f2a01688d] - doc: add review suggestions to require() (erickwendel) #23605
[f037942fe7] - doc: move @phillipj to emeriti (Phillip Johnsen) #23790
[e5f75cf82e] - doc: add note about removeListener order (James M Snell) #23762
[0ff88a3510] - doc: document ACL limitation for fs.access on Windows (James M Snell) #23772
[32ae851710] - doc: document that addMembership must be called once in a cluster (James M Snell) #23746
[e2d2ce6706] - doc: remove reference to sslv3 in tls.md (James M Snell) #23745
[4c24a82a65] - http2: fix sequence of error/close events (Gerhard Stoebich) #24789
[8afbd5ce41] - lib: fix a typo in lib/timers "read through" (wangzengdi) #19666
[fa12532000] - lib: remove useless cwd in posix.resolve (ZYSzys) #23902
[e8dbd09414] - src: use "constants" string instead of creating new one (Ouyang Yadong) #23894
[394cb42962] - test: verify order of error in h2 server stream (Myles Borins) #24685
[5e09a3d4ed] - test: test process.setuid for bad argument types (Divyanshu Singh) #19703
[970164f3a8] - test: improve assert message (fatahn) #19629
[086570e4e1] - test: remove third argument from call to assert.strictEqual() (Forrest Wolf) #19659
[a7b3274af4] - test: fix flaky test-cluster-send-handle-twice (Rich Trott) #19700
[1bda58289a] - test: rename regression tests more expressively (Ujjwal Sharma) #19668
[bd9cc92e8d] - test: remove 3rd argument from assert.strictEqual (Arian Santrach) #19707
[3ca10faf00] - test: use createReadStream instead of ReadStream (Daniel Bevenius) #19636
[8a546e822d] - test: removed default message from assert.strictEqual (jaspal-yupana) #19660
[a62df1b379] - test: refactor test-net-dns-error (Luigi Pinca) #19640
[8a0ecf4360] - test: refactor test-http-expect-continue (Rich Trott) #19625
[0cbe813e90] - test: update link according to NIST bibliography (Tobias Nießen) #19593
[ea1fda6228] - test: remove third param from assert.strictEqual (davis.okoth@kemsa.co.ke) #19536
[18c4e5e886] - test: remove message from assert.strictEqual() (willhayslett) #19525
[146c488bf5] - test: refactor parallel/test-tls-ca-concat.js (juggernaut451) #19092
[8fa5bd3761] - test: rename regression tests file names (Ujjwal Sharma) #19332
[d34ade8755] - test: fix strictEqual arguments order (Esteban Sotillo) #23956
[6ae07a9248] - test: add property for RangeError in test-buffer-copy (mritunjaygoutam12) #23968
[b1e6de80c1] - test: fix regression when compiled with FIPS (Adam Majer) #23871
[d0368b8245] - test: fix strictEqual() argument order (Loic) #23829
[3a864d716e] - test: fix strictEqual() arguments order (Nolan Rigo) #23800
[e7a573a9e2] - test: fix test-require-symlink on Windows (Bartosz Sosnowski) #23691
[ac91346776] - test: fix strictEqual() argument order (Romain Lanz) #23768
[0f98c4926a] - test: fix strictEqual() arguments order (Thomas GENTILHOMME) #23771
[73d19b1516] - test: ensure openssl version prints correctly (Sam Roberts) #23678
[544e64d68d] - test: fix assertion arguments order (Elian Gutierrez) #23787
[e84c01d1f3] - tools: update alternative docs versions (Richard Lau) #23980
[02209c5fa7] - tools: clarify commit message linting (Rich Trott) #23742
[22043ccb84] - tools: do not lint commit message if var undefined (Rich Trott) #23725
[2a8a28c436] - tools: make Travis commit linting more robust (Rich Trott) #23397
[c15d236545] - tools: apply linting to first commit in PRs (Rich Trott) #22452
v8.14.0
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
Notable Changes
server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
path option in HTTP client requests. Paths containing characters outside of the range \u0021-\u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)
Commits
[add20f373c] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836
[c4e382cce3] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389
[f1d1f12519] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389
[69037ad5c4] - deps: copy all openssl header files to include dir (Sam Roberts) #24530
[f5b34336bb] - deps: upgrade openssl sources to 1.0.2q (Sam Roberts) #24530
[93dba83fb0] - deps,http: http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143
[576038fb61] - (SEMVER-MINOR) http: add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146
[513e9747a2] - (SEMVER-MINOR) http: disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146
[696f063c5e] - (SEMVER-MINOR) http,https: protect against slow headers attack (Matteo Collina) nodejs-private/node-private#151
[7f362a11ee] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389
[53a6e4eb20] - url: avoid hostname spoofing w/ javascript protocol (Matteo Collina) nodejs-private/node-private#145
v8.13.0
Notable changes
Commits
[0d241ba385] - assert: ensure .rejects() disallows sync throws (Teddy Katz) #19650
[3babc5bb53] - (SEMVER-MINOR) assert: add rejects() and doesNotReject() (feugy) #18023
[18071db274] - assert: fix throws trace (Ruben Bridgewater) #18595
[562787efb2] - assert: fix strict regression (Ruben Bridgewater) #17903
[f2af930ebb] - (SEMVER-MINOR) assert: .throws accept objects (Ruben Bridgewater) #17584
[147aeedc8d] - (SEMVER-MINOR) assert: improve assert.throws (Ruben Bridgewater) #17585
[c9d84b6d4f] - assert: fix throws and doesNotThrow stack frames (Ruben Bridgewater) #17703
[a42d0726ac] - assert: use object argument in innerFail (Ruben Bridgewater) #17582
[84948cf14f] - assert: fix .throws operator (Ruben Bridgewater) #17575
[c6d94f8fa5] - (SEMVER-MINOR) assert: add strict functionality export (Ruben Bridgewater) #17002
[26d145a77f] - async_hooks: add missing async_hooks destroys in AsyncReset (Bastian Krol) #23272
[104fbc64ed] - build: update arm64 minimum supported platform (Gibson Fahnestock) #19164
[afcf059898] - build: do not cd on vcbuild help (Vse Mozhet Byt) #19291
[ca8d4e3450] - build: define NOMINMAX on windows (Ben Noordhuis) #22731
[5245d6ac97] - deps: V8: partially revert d868eb7 (Ali Ijaz Sheikh) #24499
[62dd1d7bd4] - deps: upgrade to libuv 1.23.2 (cjihrig) #23336
[b38190ebb0] - deps: upgrade to libuv 1.23.1 (cjihrig) #22997
[d9d541c415] - deps: upgrade to libuv 1.23.0 (cjihrig) #22365
[e3d08af7c1] - deps: upgrade to libuv 1.22.0 (cjihrig) #21731
[11cb09b25a] - deps: upgrade to libuv 1.21.0 (cjihrig) #21466
[c54f4bc8e8] - deps: upgrade to libuv 1.20.3 (cjihrig) #20585
[2307653abf] - deps: upgrade to libuv 1.20.2 (cjihrig) #20129
[a1b94d35e7] - deps: upgrade libuv to 1.20.0 (cjihrig) #19758
[ce65d84537] - deps: backport a8f6869 from upstream V8 (Ben Newman) #22714
[7ab253f62e] - deps: V8: cherry-pick 64-bit hash seed commits (Yang Guo) #23274
[60f7bfa4d7] - deps: update to nghttp2 1.33.0 (Anna Henningsen) #22649
[48f31bdf20] - deps: V8: backport 20 CPU profiler commits from upstream (Peter Marshall) #21558
[9e2077afee] - deps: backport 9a23bdd from upstream V8 (Daniel Beckert) #22418
[610297e2ab] - doc: improve best practices in onboarding-extras (Rich Trott) #19315
[9446bb68ea] - doc: fix minor issues in async_hooks.md (Rich Trott) #19313
[5b9af6ea73] - doc: update username and email (Yuta Hiroto) #19338
[bae7c608e2] - doc: document http2 timeouts (Sagi Tsofan) #22798
[d0be932375] - doc: simplify http2 wording and formatting (Rich Trott) #22541
[3fe9293efc] - doc: make createPushResponse() more detailled (MaleDong) #22366
[3980ca1840] - doc: clarify http2 docs around class exports (James M Snell) #22247
[32bfd7ebfb] - doc: add missing require to example in http2.md (Kevin Simper) #21858
[2116ace0ad] - doc: fix http2stream.pushStream error doc (Сковорода Никита Андреевич) #21487
[4228141012] - doc: Improve doc for Http2 headers object (Gerhard Stoebich) #21296
[11a63ddf48] - doc: fix typo in http2.md (Keita Akutsu) #20843
[4f0035485f] - doc: add parameters for Http2Stream:error event (Ujjwal Sharma) #20610
[77acef4af2] - doc: add params for ClientHttp2Session:altsvc (Ujjwal Sharma) #20598
[448922d0de] - doc: add parameters for Http2Session:stream event (Ujjwal Sharma) #20547
[41e89316e6] - doc: add parameters for settings events (Ujjwal Sharma) #20371
[1a6a054899] - doc: improve parameters for Http2Session:goaway event (Ujjwal Sharma)
[98ed30f3f5] - doc: improve docs for Http2Session:frameError (Ujjwal Sharma) #20236
[b32cf8fa40] - doc: add parameters for Http2Session:error event (Ujjwal Sharma) #20206
[c0d1423bd3] - doc: close event does not take arguments (Indranil Dasgupta) #20031
[459690aca4] - doc: improve style guide text (Rich Trott) #19269
[eaabbf4ff0] - doc: make caveat in stream.md more concise (Rich Trott) #19251
[0340dd8c8d] - doc: add and unify return statements in crypto.md (Vse Mozhet Byt) #19853
[b0d6067d87] - doc: fix 8.12.0 changelog (Myles Borins) #22803
[af5cebb326] - doc,http2: add parameters for Http2Session:connect event (Ujjwal Sharma) #20193
[57618aae0a] - errors: fix undefined HTTP2 and tls errors (Shailesh Shekhawat) #21564
[e3bddeec18] - http: fix undefined error in parser event (Anatoli Papirovski) #20029
[1edd7f6393] - (SEMVER-MINOR) http: added aborted property to request (Robert Nagy) #20094
[7f34c277ac] - http2: simplify timeout tracking (Anna Henningsen) #19206
[18a2b3dc8e] - (SEMVER-MINOR) http2: graduate from experimental (James M Snell) #22466
[10576d6e77] - (SEMVER-MINOR) http2: add ping event (James M Snell) #23009
[ca933ce577] - http2: do not falsely emit 'aborted' on push (Anatoli Papirovski) #22878
[49f44f3b44] - (SEMVER-MINOR) http2: add origin frame support (James M Snell) #22956
[9f7934159e] - http2: check if stream is not destroyed before sending trailers (Matteo Collina) #22896
[2de17ead89] - (SEMVER-MINOR) http2: add http2stream.endAfterHeaders property (James M Snell) #22843
[805bf40bfd] - http2: don't expose the original socket through the socket proxy (Szymon Marczak) #22650
[6a396ff911] - http2: throw better error when accessing unbound socket proxy (James M Snell) #22486
[348cde07fd] - http2: emit timeout on compat request and response (James M Snell) #22252
[cc561cc5a7] - http2: explicitly disallow nested push streams (James M Snell) #22245
[5c3edd3479] - http2: avoid race condition in OnHeaderCallback (James M Snell) #22256
[f2f66b4cfb] - http2: remove streamError from docs (James M Snell) #22246
[d602c7a2ed] - http2: release request()'s "connect" event listener after it runs (James Ide) #21916
[745e1e6192] - http2: remove unused nghttp2 error list (Anna Henningsen) #21827
[e5175e6596] - http2: remove waitTrailers listener after closing a stream (RidgeA) #21764
[071a022dbc] - http2: order declarations in core.js (Rich Trott) #21689
[1cdf93ecdc] - http2: pass incoming set-cookie header as array (Gerhard Stoebich) #21360
[20b72fc94d] - http2: track memory allocated by nghttp2 (Anna Henningsen) #21374
[e9e4f434b3] - http2: fix memory leak when headers are not emitted (Anna Henningsen) #21373
[0f3e65099d] - http2: fix memory leak for uncommon headers (Anna Henningsen) #21336
[0a8d0861f2] - http2: safer Http2Session destructor (Anatoli Papirovski) #21194
[3c8c53f4f4] - http2: fix premature destroy (Anatoli Papirovski) #21051
[b22266cc97] - http2: force through RST_STREAM in destroy (Anatoli Papirovski) #21016
[91be1dc2a5] - http2: delay closing stream (Anatoli Papirovski) #20997
[0a6672fbcf] - http2: fix several serious bugs (Anatoli Papirovski) #20772
[b0c92cadfa] - http2: fix end without read (Anatoli Papirovski) #20621
[d1b78252b1] - http2: avoid bind and properly clean up in compat (Robert Nagy) #20374
[395ce845da] - http2: rename http2_state class to Http2State (Daniel Bevenius) #20423
[74192ddb66] - http2: reduce require calls in http2/core (Daniel Bevenius) #20422
[28a6e59bd3] - http2: fix ping callback (Ruben Bridgewater) #20311
[41dca9e851] - http2: fix responses to long payload reqs (Anatoli Papirovski) #20084
[fa5a3809a3] - http2: refactor how trailers are done (James M Snell) #19959
[5862d0372c] - http2: fix ping duration calculation (James M Snell) #19956
[2ae98ce7cb] - lib: define printErr() in script string (cjihrig) #19285
[b0e3ce9c4b] - net,http2: refactor _write and _writev (Ujjwal Sharma) #20643
[0187e3bef8] - process: avoid using the same fd for ipc and stdio (cjihrig) #21466
[5b2f6508f9] - src: make AsyncWrap constructors delegate (Daniel Bevenius) #19366
[9e8f4e5047] - src: remove unused uv.h include from async_wrap.cc (Daniel Bevenius) #19342
[042434f9af] - src: fix indenting of wrap->EmitTraceEventBefore (Daniel Bevenius) #19340
[3ad10e5789] - src: add extractPromiseWrap function (Daniel Bevenius) #19340
[b67bf38f31] - src: fix fs.write() externalized string handling (Ben Noordhuis) #18216
[0157e3ebca] - src,deps: add ABI safe use of CheckMemoryPressure (Ali Ijaz Sheikh) #24499
[dbc7d9baae] - test: read() on dir on AIX does not return EISDIR (Ben Noordhuis) #23330
[3cd4462370] - test: ensure failed assertions cause build to fail (Teddy Katz) #19650
[9f15bc40b8] - test: skip failing tests for osx mojave (jn99) #23550
[aba1ff202c] - test: refactor test-fs-readfile-tostring-fail (Rich Trott) #19404
[38ed6c2b25] - test: fix flaky test-http2-ping-flood (Rich Trott) #19395
[b407060556] - test: fix flaky test-http2-settings-flood (Rich Trott) #19349
[069fd79424] - test: improve debugging information for http2 test (Rich Trott) #23058
[c0f8e49c32] - test: remove setImmediate from timeout test (Rich Trott) #23058
[b66cba0766] - test: add test-http2-large-file sequential test (James M Snell) #22254
[7ea08eedac] - test: improve reliability in http2-session-timeout (Rich Trott) #22026
[dcf04dc7df] - test: refactor test-http2-compat-serverresponse-finished.js (Anto Aravinth) #21929
[322f39d490] - test: minor adjustments to test-http2-respond-file (Anna Henningsen) #21098
[5d29e2c631] - test: fix flaky http2-session-unref (Anatoli Papirovski) #20772
[e5f8b08305] - test: improve reliability of http2-session-timeout (Rich Trott) #20692
[c30a8f468d] - test: fix flaky http2-flow-control test (Anatoli Papirovski) #20556
[aa341d1d3d] - test: verify arguments length in common.expectsError (Ruben Bridgewater) #20311
[c7ba556264] - test: removed assert.strictEqual message (kailash k yogeshwar) #20223
[5abe246a44] - test: add strictEqual method to assert (Christine E. Taylor) #20189
[887417eb37] - test: remove message from strictEqual assertions (Bryan Azofeifa) #20174
[fe3836a871] - test: delete test/parallel/test-regress-GH-4948 (Ujjwal Sharma)
[4bcdc1b83c] - test: fix assertion argument order (Rich Trott) #19264
[534bc82578] - test: name test files appropriately (Ujjwal Sharma) #19212
[d58867a6a7] - test: call gc() explicitly to avoid OOM (Refael Ackermann) #22301
[8209ccb313] - test: prepare test-assert for strictEqual linting (Rich Trott) #22849
[52b21caff2] - test: remove string literal from assertion (Rich Trott) #22849
[976d55f9e3] - test: remove string literal from assertion (Rich Trott) #22849
[702d67f4c4] - test: refactor flag check (Rich Trott) #22849
[e9416d4f67] - test: simplify assertion in http2 tests (Rich Trott) #22849
[f2158f30fb] - test: improve assertion in test-inspector.js (Rich Trott) #22849
[f5985c734c] - tls,http2: handle writes after SSL destroy more gracefully (Anna Henningsen) #18987
Renovate configuration
📅 Schedule: "on Sunday" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or if you modify the PR title to begin with "rebase!".
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot. View repository job log here.