Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: change default check(Host|Email) behavior #41600

Conversation

tniessen
Copy link
Member

This changes the default behavior of the X509Certificate functions checkHost and checkEmail to match the default behavior of OpenSSL's X509_check_host and X509_check_email functions, respectively, which is also what RFC 2818 mandates for HTTPS.

As demonstrated in the modified test case, the new default matches the behavior of checkServerIdentity.

Refs: #36804
Refs: #41569

@tniessen tniessen added the semver-major PRs that contain breaking changes and should be released in the next major version. label Jan 19, 2022
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jan 19, 2022

Review requested:

  • @nodejs/crypto
  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Jan 19, 2022
@tniessen tniessen added request-ci Add this label to start a Jenkins CI on a PR. tls Issues and PRs related to the tls subsystem. labels Jan 19, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 19, 2022
@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot
Copy link
Collaborator

doc/api/crypto.md Outdated Show resolved Hide resolved
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@tniessen
Copy link
Member Author

This is technically ready but needs to be rebased. I'd like to wait until after #41599 is approved so I only need to rebase once, and to prevent conflicts when backporting the non-semver-major changes from #41599.

@panva
Copy link
Member

panva commented Jan 22, 2022

@tniessen go ahead and rebase

This changes the default behavior of the X509Certificate functions
checkHost and checkEmail to match the default behavior of OpenSSL's
X509_check_host and X509_check_email functions, respectively, which
is also what RFC 2818 mandates for HTTPS.

Refs: nodejs#36804
Refs: nodejs#41569
@tniessen tniessen force-pushed the crypto-x509-check-flag-subject-default branch from e6ba945 to 992e7d4 Compare January 22, 2022 14:33
@tniessen tniessen added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 22, 2022
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 22, 2022
@nodejs-github-bot

This comment has been minimized.

@nodejs-github-bot
Copy link
Collaborator

@panva panva added the commit-queue Add this label to land a pull request using GitHub Actions. label Jan 22, 2022
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jan 22, 2022
@nodejs-github-bot
Copy link
Collaborator

Commit Queue failed
- Loading data for nodejs/node/pull/41600
✔  Done loading data for nodejs/node/pull/41600
----------------------------------- PR info ------------------------------------
Title      crypto: change default check(Host|Email) behavior (#41600)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     tniessen:crypto-x509-check-flag-subject-default -> nodejs:master
Labels     tls, crypto, semver-major, needs-ci
Commits    1
 - crypto: change default check(Host|Email) behavior
Committers 1
 - Tobias Nießen 
PR-URL: https://github.com/nodejs/node/pull/41600
Refs: https://github.com/nodejs/node/pull/36804
Refs: https://github.com/nodejs/node/pull/41569
Reviewed-By: Matteo Collina 
Reviewed-By: Rich Trott 
Reviewed-By: Filip Skokan 
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/41600
Refs: https://github.com/nodejs/node/pull/36804
Refs: https://github.com/nodejs/node/pull/41569
Reviewed-By: Matteo Collina 
Reviewed-By: Rich Trott 
Reviewed-By: Filip Skokan 
--------------------------------------------------------------------------------
   ⚠  Commits were pushed since the last review:
   ⚠  - crypto: change default check(Host|Email) behavior
   ℹ  This PR was created on Wed, 19 Jan 2022 19:11:19 GMT
   ✔  Approvals: 3
   ✔  - Matteo Collina (@mcollina) (TSC): https://github.com/nodejs/node/pull/41600#pullrequestreview-858521373
   ✔  - Rich Trott (@Trott) (TSC): https://github.com/nodejs/node/pull/41600#pullrequestreview-858584651
   ✔  - Filip Skokan (@panva): https://github.com/nodejs/node/pull/41600#pullrequestreview-860210859
   ✖  GitHub CI is still running
   ℹ  Last Full PR CI on 2022-01-22T15:54:27Z: https://ci.nodejs.org/job/node-test-pull-request/42085/
- Querying data for job/node-test-pull-request/42085/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/1733554817

@panva
Copy link
Member

panva commented Jan 22, 2022

I can't see a pending github CI, ... 🤷

@panva
Copy link
Member

panva commented Jan 22, 2022

Landed in 18365d8

@panva panva closed this Jan 22, 2022
panva pushed a commit that referenced this pull request Jan 22, 2022
This changes the default behavior of the X509Certificate functions
checkHost and checkEmail to match the default behavior of OpenSSL's
X509_check_host and X509_check_email functions, respectively, which
is also what RFC 2818 mandates for HTTPS.

Refs: #36804
Refs: #41569

PR-URL: #41600
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
@tniessen tniessen removed the commit-queue-failed An error occurred while landing this pull request using GitHub Actions. label Jan 23, 2022
Linkgoron pushed a commit to Linkgoron/node that referenced this pull request Jan 31, 2022
This changes the default behavior of the X509Certificate functions
checkHost and checkEmail to match the default behavior of OpenSSL's
X509_check_host and X509_check_email functions, respectively, which
is also what RFC 2818 mandates for HTTPS.

Refs: nodejs#36804
Refs: nodejs#41569

PR-URL: nodejs#41600
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
@tniessen tniessen mentioned this pull request Feb 28, 2022
24 tasks
BethGriggs added a commit that referenced this pull request Apr 18, 2022
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (#42607)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (#41896)
- (SEMVER-MAJOR) stream: remove thenable support (Robert Nagy)
  (#40773)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (#41479)

fetch (experimental):

An experimental fetch API is available on the global scope by default.
The implementation is based upon https://undici.nodejs.org/#/,
an HTTP/1.1 client written for Node.js by contributors to the project.

Through this addition, the following globals are made available: `fetch`
, `FormData`, `Headers`, `Request`, `Response`.

Disable this API with the `--no-experimental-fetch` command-line flag.

Contributed by Michaël Zasso in #41811.

HTTP Timeouts:

`server.headersTimeout`, which limits the amount of time the parser will
wait to receive the complete HTTP headers, is now set to `60000` (60
seconds) by default.

`server.requestTimeout`, which sets the timeout value in milliseconds
for receiving the entire request from the client, is now set to `300000`
(5 minutes) by default.

If these timeouts expire, the server responds with status 408 without
forwarding the request to the request listener and then closes the
connection.

Both timeouts must be set to a non-zero value to protect against
potential Denial-of-Service attacks in case the server is deployed
without a reverse proxy in front.

Contributed by Paolo Insogna in #41263.

Test Runner module (experimental):

The `node:test` module facilitates the creation of JavaScript tests that
report results in TAP format. This module is only available under the
`node:` scheme.

Contributed by Colin Ihrig in #42325.

Toolchain and Compiler Upgrades:

- Prebuilt binaries for Linux are now built on Red Hat Enterprise Linux
  (RHEL) 8 and are compatible with Linux distributions based on glibc
  2.28 or later, for example, Debian 10, RHEL 8, Ubuntu 20.04.
- Prebuilt binaries for macOS now require macOS 10.15 or later.
- For AIX the minimum supported architecture has been raised from Power
  7 to Power 8.

Prebuilt binaries for 32-bit Windows will initially not be available due
to issues building the V8 dependency in Node.js. We hope to restore
32-bit Windows binaries for Node.js 18 with a future V8 update.

Node.js does not support running on operating systems that are no longer
supported by their vendor. For operating systems where their vendor has
planned to end support earlier than April 2025, such as Windows 8.1
(January 2023) and Windows Server 2012 R2 (October 2023), support for
Node.js 18 will end at the earlier date.

Full details about the supported toolchains and compilers are documented
in the Node.js `BUILDING.md` file.

Contributed by Richard Lau in #42292,
#42604 and #42659
, and Michaël Zasso in #42105 and
#42666.

V8 10.1:

The V8 engine is updated to version 10.1, which is part of Chromium 101.
Compared to the version included in Node.js 17.9.0, the following new
features are included:

- The `findLast` and `findLastIndex` array methods.
- Improvements to the `Intl.Locale` API.
- The `Intl.supportedValuesOf` function.
- Improved performance of class fields and private class methods (the
  initialization of them is now as fast as ordinary property stores).

The data format returned by the serialization API (`v8.serialize(value)`)
has changed, and cannot be deserialized by earlier versions of Node.js.
On the other hand, it is still possible to deserialize the previous
format, as the API is backwards-compatible.

Contributed by Michaël Zasso in #42657.

Web Streams API (experimental):

Node.js now exposes the experimental implementation of the Web Streams
API on the global scope. This means the following APIs are now globally
available:

- `ReadableStream`, `ReadableStreamDefaultReader`,
`ReadableStreamBYOBReader`, `ReadableStreamBYOBRequest`,
`ReadableByteStreamController`, `ReadableStreamDefaultController`,
`TransformStream`, `TransformStreamDefaultController`, `WritableStream`,
`WritableStreamDefaultWriter`, `WritableStreamDefaultController`,
`ByteLengthQueuingStrategy`, `CountQueuingStrategy`, `TextEncoderStream`,
`TextDecoderStream`, `CompressionStream`, `DecompressionStream`.

Contributed James Snell in #39062,
and Antoine du Hamel in #42225.

Other Notable Changes:

- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (#41270)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (#41305)
- doc: add RafaelGSS to collaborators
  (RafaelGSS) (#42718)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (#42163)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (#41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (#41271)

Semver-Major Commits:

- (SEMVER-MAJOR) assert,util: compare RegExp.lastIndex while using deep
  equal checks
  (Ruben Bridgewater) (#41020)
- (SEMVER-MAJOR) buffer: refactor `byteLength` to remove outdated
  optimizations
  (Rongjian Zhang) (#38545)
- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (#41270)
- (SEMVER-MAJOR) buffer: graduate Blob from experimental
  (James M Snell) (#41270)
- (SEMVER-MAJOR) build: make x86 Windows support temporarily
  experimental
  (Michaël Zasso) (#42666)
- (SEMVER-MAJOR) build: bump macOS deployment target to 10.15
  (Richard Lau) (#42292)
- (SEMVER-MAJOR) build: downgrade Windows 8.1 and server 2012 R2 to
  experimental
  (Michaël Zasso) (#42105)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (#41305)
- (SEMVER-MAJOR) cluster: make `kill` to be just `process.kill`
  (Bar Admoni) (#34312)
- (SEMVER-MAJOR) crypto: cleanup validation
  (Mohammed Keyvanzadeh) (#39841)
- (SEMVER-MAJOR) crypto: prettify othername in PrintGeneralName
  (Tobias Nießen) (#42123)
- (SEMVER-MAJOR) crypto: fix X509Certificate toLegacyObject
  (Tobias Nießen) (#42124)
- (SEMVER-MAJOR) crypto: use RFC2253 format in PrintGeneralName
  (Tobias Nießen) (#42002)
- (SEMVER-MAJOR) crypto: change default check(Host|Email) behavior
  (Tobias Nießen) (#41600)
- (SEMVER-MAJOR) deps: V8: cherry-pick semver-major commits from 10.2
  (Michaël Zasso) (#42657)
- (SEMVER-MAJOR) deps: update V8 to 10.1.124.6
  (Michaël Zasso) (#42657)
- (SEMVER-MAJOR) deps: update V8 to 9.8.177.9
  (Michaël Zasso) (#41610)
- (SEMVER-MAJOR) deps: update V8 to 9.7.106.18
  (Michaël Zasso) (#40907)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) doc: update minimum glibc requirements for Linux
  (Richard Lau) (#42659)
- (SEMVER-MAJOR) doc: update AIX minimum supported arch
  (Richard Lau) (#42604)
- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (#42607)
- (SEMVER-MAJOR) http: refactor headersTimeout and requestTimeout logic
  (Paolo Insogna) (#41263)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (#42163)
- (SEMVER-MAJOR) lib: enable fetch by default
  (Michaël Zasso) (#41811)
- (SEMVER-MAJOR) lib: replace validator and error
  (Mohammed Keyvanzadeh) (#41678)
- (SEMVER-MAJOR) module,repl: support 'node:'-only core modules
  (Colin Ihrig) (#42325)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) process: disallow some uses of Object.defineProperty()
  on process.env
  (Himself65) (#28006)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (#41896)
- (SEMVER-MAJOR) readline: fix question still called after closed
  (Xuguang Mei) (#42464)
- (SEMVER-MAJOR) stream: remove thenable support
  (Robert Nagy) (#40773)
- (SEMVER-MAJOR) stream: expose web streams globals, remove runtime
  experimental warning
  (Antoine du Hamel) (#42225)
- (SEMVER-MAJOR) stream: need to cleanup event listeners if last stream
  is readable
  (Xuguang Mei) (#41954)
- (SEMVER-MAJOR) stream: revert revert `map` spec compliance
  (Benjamin Gruenbaum) (#41933)
- (SEMVER-MAJOR) stream: throw invalid arg type from End Of Stream
  (Jithil P Ponnan) (#41766)
- (SEMVER-MAJOR) stream: don't emit finish after destroy
  (Robert Nagy) (#40852)
- (SEMVER-MAJOR) stream: add errored and closed props
  (Robert Nagy) (#40696)
- (SEMVER-MAJOR) test: add initial test module
  (Colin Ihrig) (#42325)
- (SEMVER-MAJOR) timers: refactor internal classes to ES2015 syntax
  (Rabbit) (#37408)
- (SEMVER-MAJOR) tls: represent registeredID numerically always
  (Tobias Nießen) (#41561)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (#41479)
- (SEMVER-MAJOR) url: throw on NULL in IPv6 hostname
  (Rich Trott) (#42313)
- (SEMVER-MAJOR) v8: make v8.writeHeapSnapshot() error codes consistent
  (Darshan Sen) (#42577)
- (SEMVER-MAJOR) v8: make writeHeapSnapshot throw if fopen fails
  (Antonio Román) (#41373)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (#41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (#41271)

PR-URL: #42262
BethGriggs added a commit that referenced this pull request Apr 19, 2022
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (#42607)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (#41896)
- (SEMVER-MAJOR) stream: remove thenable support (Robert Nagy)
  (#40773)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (#41479)

fetch (experimental):

An experimental fetch API is available on the global scope by default.
The implementation is based upon https://undici.nodejs.org/#/,
an HTTP/1.1 client written for Node.js by contributors to the project.

Through this addition, the following globals are made available: `fetch`
, `FormData`, `Headers`, `Request`, `Response`.

Disable this API with the `--no-experimental-fetch` command-line flag.

Contributed by Michaël Zasso in #41811.

HTTP Timeouts:

`server.headersTimeout`, which limits the amount of time the parser will
wait to receive the complete HTTP headers, is now set to `60000` (60
seconds) by default.

`server.requestTimeout`, which sets the timeout value in milliseconds
for receiving the entire request from the client, is now set to `300000`
(5 minutes) by default.

If these timeouts expire, the server responds with status 408 without
forwarding the request to the request listener and then closes the
connection.

Both timeouts must be set to a non-zero value to protect against
potential Denial-of-Service attacks in case the server is deployed
without a reverse proxy in front.

Contributed by Paolo Insogna in #41263.

Test Runner module (experimental):

The `node:test` module facilitates the creation of JavaScript tests that
report results in TAP format. This module is only available under the
`node:` scheme.

Contributed by Colin Ihrig in #42325.

Toolchain and Compiler Upgrades:

- Prebuilt binaries for Linux are now built on Red Hat Enterprise Linux
  (RHEL) 8 and are compatible with Linux distributions based on glibc
  2.28 or later, for example, Debian 10, RHEL 8, Ubuntu 20.04.
- Prebuilt binaries for macOS now require macOS 10.15 or later.
- For AIX the minimum supported architecture has been raised from Power
  7 to Power 8.

Prebuilt binaries for 32-bit Windows will initially not be available due
to issues building the V8 dependency in Node.js. We hope to restore
32-bit Windows binaries for Node.js 18 with a future V8 update.

Node.js does not support running on operating systems that are no longer
supported by their vendor. For operating systems where their vendor has
planned to end support earlier than April 2025, such as Windows 8.1
(January 2023) and Windows Server 2012 R2 (October 2023), support for
Node.js 18 will end at the earlier date.

Full details about the supported toolchains and compilers are documented
in the Node.js `BUILDING.md` file.

Contributed by Richard Lau in #42292,
#42604 and #42659
, and Michaël Zasso in #42105 and
#42666.

V8 10.1:

The V8 engine is updated to version 10.1, which is part of Chromium 101.
Compared to the version included in Node.js 17.9.0, the following new
features are included:

- The `findLast` and `findLastIndex` array methods.
- Improvements to the `Intl.Locale` API.
- The `Intl.supportedValuesOf` function.
- Improved performance of class fields and private class methods (the
  initialization of them is now as fast as ordinary property stores).

The data format returned by the serialization API (`v8.serialize(value)`)
has changed, and cannot be deserialized by earlier versions of Node.js.
On the other hand, it is still possible to deserialize the previous
format, as the API is backwards-compatible.

Contributed by Michaël Zasso in #42657.

Web Streams API (experimental):

Node.js now exposes the experimental implementation of the Web Streams
API on the global scope. This means the following APIs are now globally
available:

- `ReadableStream`, `ReadableStreamDefaultReader`,
`ReadableStreamBYOBReader`, `ReadableStreamBYOBRequest`,
`ReadableByteStreamController`, `ReadableStreamDefaultController`,
`TransformStream`, `TransformStreamDefaultController`, `WritableStream`,
`WritableStreamDefaultWriter`, `WritableStreamDefaultController`,
`ByteLengthQueuingStrategy`, `CountQueuingStrategy`, `TextEncoderStream`,
`TextDecoderStream`, `CompressionStream`, `DecompressionStream`.

Contributed James Snell in #39062,
and Antoine du Hamel in #42225.

Other Notable Changes:

- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (#41270)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (#41305)
- doc: add RafaelGSS to collaborators
  (RafaelGSS) (#42718)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (#42163)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (#41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (#41271)

Semver-Major Commits:

- (SEMVER-MAJOR) assert,util: compare RegExp.lastIndex while using deep
  equal checks
  (Ruben Bridgewater) (#41020)
- (SEMVER-MAJOR) buffer: refactor `byteLength` to remove outdated
  optimizations
  (Rongjian Zhang) (#38545)
- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (#41270)
- (SEMVER-MAJOR) buffer: graduate Blob from experimental
  (James M Snell) (#41270)
- (SEMVER-MAJOR) build: make x86 Windows support temporarily
  experimental
  (Michaël Zasso) (#42666)
- (SEMVER-MAJOR) build: bump macOS deployment target to 10.15
  (Richard Lau) (#42292)
- (SEMVER-MAJOR) build: downgrade Windows 8.1 and server 2012 R2 to
  experimental
  (Michaël Zasso) (#42105)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (#41305)
- (SEMVER-MAJOR) cluster: make `kill` to be just `process.kill`
  (Bar Admoni) (#34312)
- (SEMVER-MAJOR) crypto: cleanup validation
  (Mohammed Keyvanzadeh) (#39841)
- (SEMVER-MAJOR) crypto: prettify othername in PrintGeneralName
  (Tobias Nießen) (#42123)
- (SEMVER-MAJOR) crypto: fix X509Certificate toLegacyObject
  (Tobias Nießen) (#42124)
- (SEMVER-MAJOR) crypto: use RFC2253 format in PrintGeneralName
  (Tobias Nießen) (#42002)
- (SEMVER-MAJOR) crypto: change default check(Host|Email) behavior
  (Tobias Nießen) (#41600)
- (SEMVER-MAJOR) deps: V8: cherry-pick semver-major commits from 10.2
  (Michaël Zasso) (#42657)
- (SEMVER-MAJOR) deps: update V8 to 10.1.124.6
  (Michaël Zasso) (#42657)
- (SEMVER-MAJOR) deps: update V8 to 9.8.177.9
  (Michaël Zasso) (#41610)
- (SEMVER-MAJOR) deps: update V8 to 9.7.106.18
  (Michaël Zasso) (#40907)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) doc: update minimum glibc requirements for Linux
  (Richard Lau) (#42659)
- (SEMVER-MAJOR) doc: update AIX minimum supported arch
  (Richard Lau) (#42604)
- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (#42607)
- (SEMVER-MAJOR) http: refactor headersTimeout and requestTimeout logic
  (Paolo Insogna) (#41263)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (#42163)
- (SEMVER-MAJOR) lib: enable fetch by default
  (Michaël Zasso) (#41811)
- (SEMVER-MAJOR) lib: replace validator and error
  (Mohammed Keyvanzadeh) (#41678)
- (SEMVER-MAJOR) module,repl: support 'node:'-only core modules
  (Colin Ihrig) (#42325)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (#41431)
- (SEMVER-MAJOR) process: disallow some uses of Object.defineProperty()
  on process.env
  (Himself65) (#28006)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (#41896)
- (SEMVER-MAJOR) readline: fix question still called after closed
  (Xuguang Mei) (#42464)
- (SEMVER-MAJOR) stream: remove thenable support
  (Robert Nagy) (#40773)
- (SEMVER-MAJOR) stream: expose web streams globals, remove runtime
  experimental warning
  (Antoine du Hamel) (#42225)
- (SEMVER-MAJOR) stream: need to cleanup event listeners if last stream
  is readable
  (Xuguang Mei) (#41954)
- (SEMVER-MAJOR) stream: revert revert `map` spec compliance
  (Benjamin Gruenbaum) (#41933)
- (SEMVER-MAJOR) stream: throw invalid arg type from End Of Stream
  (Jithil P Ponnan) (#41766)
- (SEMVER-MAJOR) stream: don't emit finish after destroy
  (Robert Nagy) (#40852)
- (SEMVER-MAJOR) stream: add errored and closed props
  (Robert Nagy) (#40696)
- (SEMVER-MAJOR) test: add initial test module
  (Colin Ihrig) (#42325)
- (SEMVER-MAJOR) timers: refactor internal classes to ES2015 syntax
  (Rabbit) (#37408)
- (SEMVER-MAJOR) tls: represent registeredID numerically always
  (Tobias Nießen) (#41561)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (#41479)
- (SEMVER-MAJOR) url: throw on NULL in IPv6 hostname
  (Rich Trott) (#42313)
- (SEMVER-MAJOR) v8: make v8.writeHeapSnapshot() error codes consistent
  (Darshan Sen) (#42577)
- (SEMVER-MAJOR) v8: make writeHeapSnapshot throw if fopen fails
  (Antonio Román) (#41373)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (#41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (#41271)

PR-URL: #42262
xtx1130 pushed a commit to xtx1130/node that referenced this pull request Apr 25, 2022
Notable Changes:

Deprecations and Removals:

- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (nodejs#42607)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (nodejs#41431)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (nodejs#41896)
- (SEMVER-MAJOR) stream: remove thenable support (Robert Nagy)
  (nodejs#40773)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (nodejs#41479)

fetch (experimental):

An experimental fetch API is available on the global scope by default.
The implementation is based upon https://undici.nodejs.org/#/,
an HTTP/1.1 client written for Node.js by contributors to the project.

Through this addition, the following globals are made available: `fetch`
, `FormData`, `Headers`, `Request`, `Response`.

Disable this API with the `--no-experimental-fetch` command-line flag.

Contributed by Michaël Zasso in nodejs#41811.

HTTP Timeouts:

`server.headersTimeout`, which limits the amount of time the parser will
wait to receive the complete HTTP headers, is now set to `60000` (60
seconds) by default.

`server.requestTimeout`, which sets the timeout value in milliseconds
for receiving the entire request from the client, is now set to `300000`
(5 minutes) by default.

If these timeouts expire, the server responds with status 408 without
forwarding the request to the request listener and then closes the
connection.

Both timeouts must be set to a non-zero value to protect against
potential Denial-of-Service attacks in case the server is deployed
without a reverse proxy in front.

Contributed by Paolo Insogna in nodejs#41263.

Test Runner module (experimental):

The `node:test` module facilitates the creation of JavaScript tests that
report results in TAP format. This module is only available under the
`node:` scheme.

Contributed by Colin Ihrig in nodejs#42325.

Toolchain and Compiler Upgrades:

- Prebuilt binaries for Linux are now built on Red Hat Enterprise Linux
  (RHEL) 8 and are compatible with Linux distributions based on glibc
  2.28 or later, for example, Debian 10, RHEL 8, Ubuntu 20.04.
- Prebuilt binaries for macOS now require macOS 10.15 or later.
- For AIX the minimum supported architecture has been raised from Power
  7 to Power 8.

Prebuilt binaries for 32-bit Windows will initially not be available due
to issues building the V8 dependency in Node.js. We hope to restore
32-bit Windows binaries for Node.js 18 with a future V8 update.

Node.js does not support running on operating systems that are no longer
supported by their vendor. For operating systems where their vendor has
planned to end support earlier than April 2025, such as Windows 8.1
(January 2023) and Windows Server 2012 R2 (October 2023), support for
Node.js 18 will end at the earlier date.

Full details about the supported toolchains and compilers are documented
in the Node.js `BUILDING.md` file.

Contributed by Richard Lau in nodejs#42292,
nodejs#42604 and nodejs#42659
, and Michaël Zasso in nodejs#42105 and
nodejs#42666.

V8 10.1:

The V8 engine is updated to version 10.1, which is part of Chromium 101.
Compared to the version included in Node.js 17.9.0, the following new
features are included:

- The `findLast` and `findLastIndex` array methods.
- Improvements to the `Intl.Locale` API.
- The `Intl.supportedValuesOf` function.
- Improved performance of class fields and private class methods (the
  initialization of them is now as fast as ordinary property stores).

The data format returned by the serialization API (`v8.serialize(value)`)
has changed, and cannot be deserialized by earlier versions of Node.js.
On the other hand, it is still possible to deserialize the previous
format, as the API is backwards-compatible.

Contributed by Michaël Zasso in nodejs#42657.

Web Streams API (experimental):

Node.js now exposes the experimental implementation of the Web Streams
API on the global scope. This means the following APIs are now globally
available:

- `ReadableStream`, `ReadableStreamDefaultReader`,
`ReadableStreamBYOBReader`, `ReadableStreamBYOBRequest`,
`ReadableByteStreamController`, `ReadableStreamDefaultController`,
`TransformStream`, `TransformStreamDefaultController`, `WritableStream`,
`WritableStreamDefaultWriter`, `WritableStreamDefaultController`,
`ByteLengthQueuingStrategy`, `CountQueuingStrategy`, `TextEncoderStream`,
`TextDecoderStream`, `CompressionStream`, `DecompressionStream`.

Contributed James Snell in nodejs#39062,
and Antoine du Hamel in nodejs#42225.

Other Notable Changes:

- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (nodejs#41270)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (nodejs#41305)
- doc: add RafaelGSS to collaborators
  (RafaelGSS) (nodejs#42718)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (nodejs#42163)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (nodejs#41431)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (nodejs#41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (nodejs#41271)

Semver-Major Commits:

- (SEMVER-MAJOR) assert,util: compare RegExp.lastIndex while using deep
  equal checks
  (Ruben Bridgewater) (nodejs#41020)
- (SEMVER-MAJOR) buffer: refactor `byteLength` to remove outdated
  optimizations
  (Rongjian Zhang) (nodejs#38545)
- (SEMVER-MAJOR) buffer: expose Blob as a global
  (James M Snell) (nodejs#41270)
- (SEMVER-MAJOR) buffer: graduate Blob from experimental
  (James M Snell) (nodejs#41270)
- (SEMVER-MAJOR) build: make x86 Windows support temporarily
  experimental
  (Michaël Zasso) (nodejs#42666)
- (SEMVER-MAJOR) build: bump macOS deployment target to 10.15
  (Richard Lau) (nodejs#42292)
- (SEMVER-MAJOR) build: downgrade Windows 8.1 and server 2012 R2 to
  experimental
  (Michaël Zasso) (nodejs#42105)
- (SEMVER-MAJOR) child\_process: improve argument validation
  (Rich Trott) (nodejs#41305)
- (SEMVER-MAJOR) cluster: make `kill` to be just `process.kill`
  (Bar Admoni) (nodejs#34312)
- (SEMVER-MAJOR) crypto: cleanup validation
  (Mohammed Keyvanzadeh) (nodejs#39841)
- (SEMVER-MAJOR) crypto: prettify othername in PrintGeneralName
  (Tobias Nießen) (nodejs#42123)
- (SEMVER-MAJOR) crypto: fix X509Certificate toLegacyObject
  (Tobias Nießen) (nodejs#42124)
- (SEMVER-MAJOR) crypto: use RFC2253 format in PrintGeneralName
  (Tobias Nießen) (nodejs#42002)
- (SEMVER-MAJOR) crypto: change default check(Host|Email) behavior
  (Tobias Nießen) (nodejs#41600)
- (SEMVER-MAJOR) deps: V8: cherry-pick semver-major commits from 10.2
  (Michaël Zasso) (nodejs#42657)
- (SEMVER-MAJOR) deps: update V8 to 10.1.124.6
  (Michaël Zasso) (nodejs#42657)
- (SEMVER-MAJOR) deps: update V8 to 9.8.177.9
  (Michaël Zasso) (nodejs#41610)
- (SEMVER-MAJOR) deps: update V8 to 9.7.106.18
  (Michaël Zasso) (nodejs#40907)
- (SEMVER-MAJOR) dns: remove `dns.lookup` and `dnsPromises.lookup`
  options type coercion
  (Antoine du Hamel) (nodejs#41431)
- (SEMVER-MAJOR) doc: update minimum glibc requirements for Linux
  (Richard Lau) (nodejs#42659)
- (SEMVER-MAJOR) doc: update AIX minimum supported arch
  (Richard Lau) (nodejs#42604)
- (SEMVER-MAJOR) fs: runtime deprecate string coercion in `fs.write`,
  `fs.writeFileSync`
  (Livia Medeiros) (nodejs#42607)
- (SEMVER-MAJOR) http: refactor headersTimeout and requestTimeout logic
  (Paolo Insogna) (nodejs#41263)
- (SEMVER-MAJOR) http: make TCP noDelay enabled by default
  (Paolo Insogna) (nodejs#42163)
- (SEMVER-MAJOR) lib: enable fetch by default
  (Michaël Zasso) (nodejs#41811)
- (SEMVER-MAJOR) lib: replace validator and error
  (Mohammed Keyvanzadeh) (nodejs#41678)
- (SEMVER-MAJOR) module,repl: support 'node:'-only core modules
  (Colin Ihrig) (nodejs#42325)
- (SEMVER-MAJOR) net: make `server.address()` return an integer for
  `family`
  (Antoine du Hamel) (nodejs#41431)
- (SEMVER-MAJOR) process: disallow some uses of Object.defineProperty()
  on process.env
  (Himself65) (nodejs#28006)
- (SEMVER-MAJOR) process: runtime deprecate multipleResolves
  (Benjamin Gruenbaum) (nodejs#41896)
- (SEMVER-MAJOR) readline: fix question still called after closed
  (Xuguang Mei) (nodejs#42464)
- (SEMVER-MAJOR) stream: remove thenable support
  (Robert Nagy) (nodejs#40773)
- (SEMVER-MAJOR) stream: expose web streams globals, remove runtime
  experimental warning
  (Antoine du Hamel) (nodejs#42225)
- (SEMVER-MAJOR) stream: need to cleanup event listeners if last stream
  is readable
  (Xuguang Mei) (nodejs#41954)
- (SEMVER-MAJOR) stream: revert revert `map` spec compliance
  (Benjamin Gruenbaum) (nodejs#41933)
- (SEMVER-MAJOR) stream: throw invalid arg type from End Of Stream
  (Jithil P Ponnan) (nodejs#41766)
- (SEMVER-MAJOR) stream: don't emit finish after destroy
  (Robert Nagy) (nodejs#40852)
- (SEMVER-MAJOR) stream: add errored and closed props
  (Robert Nagy) (nodejs#40696)
- (SEMVER-MAJOR) test: add initial test module
  (Colin Ihrig) (nodejs#42325)
- (SEMVER-MAJOR) timers: refactor internal classes to ES2015 syntax
  (Rabbit) (nodejs#37408)
- (SEMVER-MAJOR) tls: represent registeredID numerically always
  (Tobias Nießen) (nodejs#41561)
- (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life
  (Tobias Nießen) (nodejs#41479)
- (SEMVER-MAJOR) url: throw on NULL in IPv6 hostname
  (Rich Trott) (nodejs#42313)
- (SEMVER-MAJOR) v8: make v8.writeHeapSnapshot() error codes consistent
  (Darshan Sen) (nodejs#42577)
- (SEMVER-MAJOR) v8: make writeHeapSnapshot throw if fopen fails
  (Antonio Román) (nodejs#41373)
- (SEMVER-MAJOR) worker: expose BroadcastChannel as a global
  (James M Snell) (nodejs#41271)
- (SEMVER-MAJOR) worker: graduate BroadcastChannel to supported
  (James M Snell) (nodejs#41271)

PR-URL: nodejs#42262
codebytere added a commit to electron/electron that referenced this pull request Oct 12, 2022
codebytere added a commit to electron/electron that referenced this pull request Oct 17, 2022
codebytere added a commit to electron/electron that referenced this pull request Oct 19, 2022
codebytere added a commit to electron/electron that referenced this pull request Oct 19, 2022
codebytere added a commit to electron/electron that referenced this pull request Oct 24, 2022
codebytere added a commit to electron/electron that referenced this pull request Nov 8, 2022
codebytere added a commit to electron/electron that referenced this pull request Nov 8, 2022
codebytere added a commit to electron/electron that referenced this pull request Nov 10, 2022
* chore: update to Node.js v18

* child_process: improve argument validation

nodejs/node#41305

* bootstrap: support configure-time user-land snapshot

nodejs/node#42466

* chore: update GN patch

* src: disambiguate terms used to refer to builtins and addons

nodejs/node#44135

* src: use a typed array internally for process._exiting

nodejs/node#43883

* chore: lib/internal/bootstrap -> lib/internal/process

* src: disambiguate terms used to refer to builtins and addons

nodejs/node#44135

* chore: remove redudant browserGlobals patch

* chore: update BoringSSL patch

* src: allow embedder-provided PageAllocator in NodePlatform

nodejs/node#38362

* chore: fixup Node.js crypto tests

- nodejs/node#44171
- nodejs/node#41600

* lib: add Promise methods to avoid-prototype-pollution lint rule

nodejs/node#43849

* deps: update V8 to 10.1

nodejs/node#42657

* src: add kNoBrowserGlobals flag for Environment

nodejs/node#40532

* chore: consolidate asar initialization patches

* deps: update V8 to 10.1

nodejs/node#42657

* deps: update V8 to 9.8

nodejs/node#41610

* src,crypto: remove AllocatedBuffers from crypto_spkac

nodejs/node#40752

* build: enable V8's shared read-only heap

nodejs/node#42809

* src: fix ssize_t error from nghttp2.h

nodejs/node#44393

* chore: fixup ESM patch

* chore: fixup patch indices

* src: merge NativeModuleEnv into NativeModuleLoader

nodejs/node#43824

* [API] Pass OOMDetails to OOMErrorCallback

https://chromium-review.googlesource.com/c/v8/v8/+/3647827

* src: iwyu in cleanup_queue.cc

* src: return Maybe from a couple of functions

nodejs/node#39603

* src: clean up embedder API

nodejs/node#35897

* src: refactor DH groups to delete crypto_groups.h

nodejs/node#43896

* deps,src: use SIMD for normal base64 encoding

nodejs/node#39775

* chore: remove deleted source file

* chore: update patches

* chore: remove deleted source file

* lib: add fetch

nodejs/node#41749

* chore: remove nonexistent node specs

* test: split report OOM tests

nodejs/node#44389

* src: trace fs async api

nodejs/node#44057

* http: trace http request / response

nodejs/node#44102

* test: split test-crypto-dh.js

nodejs/node#40451

* crypto: introduce X509Certificate API

nodejs/node#36804

* src: split property helpers from node::Environment

nodejs/node#44056

* nodejs/node#38905

bootstrap: implement run-time user-land snapshots via --build-snapshot and --snapshot-blob

* lib,src: implement WebAssembly Web API

nodejs/node#42701

* fixup! deps,src: use SIMD for normal base64 encoding

* fixup! src: refactor DH groups to delete crypto_groups.h

* chore: fixup base64 GN file

* fix: check that node::InitializeContext() returns true

* chore: delete _noBrowserGlobals usage

* chore: disable fetch in renderer procceses

* dns: default to verbatim=true in dns.lookup()

nodejs/node#39987

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
khalwa pushed a commit to solarwindscloud/electron that referenced this pull request Feb 22, 2023
* chore: update to Node.js v18

* child_process: improve argument validation

nodejs/node#41305

* bootstrap: support configure-time user-land snapshot

nodejs/node#42466

* chore: update GN patch

* src: disambiguate terms used to refer to builtins and addons

nodejs/node#44135

* src: use a typed array internally for process._exiting

nodejs/node#43883

* chore: lib/internal/bootstrap -> lib/internal/process

* src: disambiguate terms used to refer to builtins and addons

nodejs/node#44135

* chore: remove redudant browserGlobals patch

* chore: update BoringSSL patch

* src: allow embedder-provided PageAllocator in NodePlatform

nodejs/node#38362

* chore: fixup Node.js crypto tests

- nodejs/node#44171
- nodejs/node#41600

* lib: add Promise methods to avoid-prototype-pollution lint rule

nodejs/node#43849

* deps: update V8 to 10.1

nodejs/node#42657

* src: add kNoBrowserGlobals flag for Environment

nodejs/node#40532

* chore: consolidate asar initialization patches

* deps: update V8 to 10.1

nodejs/node#42657

* deps: update V8 to 9.8

nodejs/node#41610

* src,crypto: remove AllocatedBuffers from crypto_spkac

nodejs/node#40752

* build: enable V8's shared read-only heap

nodejs/node#42809

* src: fix ssize_t error from nghttp2.h

nodejs/node#44393

* chore: fixup ESM patch

* chore: fixup patch indices

* src: merge NativeModuleEnv into NativeModuleLoader

nodejs/node#43824

* [API] Pass OOMDetails to OOMErrorCallback

https://chromium-review.googlesource.com/c/v8/v8/+/3647827

* src: iwyu in cleanup_queue.cc

* src: return Maybe from a couple of functions

nodejs/node#39603

* src: clean up embedder API

nodejs/node#35897

* src: refactor DH groups to delete crypto_groups.h

nodejs/node#43896

* deps,src: use SIMD for normal base64 encoding

nodejs/node#39775

* chore: remove deleted source file

* chore: update patches

* chore: remove deleted source file

* lib: add fetch

nodejs/node#41749

* chore: remove nonexistent node specs

* test: split report OOM tests

nodejs/node#44389

* src: trace fs async api

nodejs/node#44057

* http: trace http request / response

nodejs/node#44102

* test: split test-crypto-dh.js

nodejs/node#40451

* crypto: introduce X509Certificate API

nodejs/node#36804

* src: split property helpers from node::Environment

nodejs/node#44056

* nodejs/node#38905

bootstrap: implement run-time user-land snapshots via --build-snapshot and --snapshot-blob

* lib,src: implement WebAssembly Web API

nodejs/node#42701

* fixup! deps,src: use SIMD for normal base64 encoding

* fixup! src: refactor DH groups to delete crypto_groups.h

* chore: fixup base64 GN file

* fix: check that node::InitializeContext() returns true

* chore: delete _noBrowserGlobals usage

* chore: disable fetch in renderer procceses

* dns: default to verbatim=true in dns.lookup()

nodejs/node#39987

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. semver-major PRs that contain breaking changes and should be released in the next major version. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants