v19.2.0 proposal

.eslintrc.js

@@ -117,17 +117,16 @@ module.exports = {
     // https://eslint.org/docs/rules/
     'accessor-pairs': 'error',
     'array-callback-return': 'error',
-    'arrow-parens': ['error', 'always'],
-    'arrow-spacing': ['error', { before: true, after: true }],
+    'arrow-parens': 'error',
+    'arrow-spacing': 'error',
     'block-scoped-var': 'error',
     'block-spacing': 'error',
     'brace-style': ['error', '1tbs', { allowSingleLine: true }],
     'capitalized-comments': ['error', 'always', {
       line: {
         // Ignore all lines that have less characters than 20 and all lines that
         // start with something that looks like a variable name or code.
-        // eslint-disable-next-line max-len
-        ignorePattern: '.{0,20}$|[a-z]+ ?[0-9A-Z_.(/=:[#-]|std|http|ssh|ftp|(let|var|const) [a-z_A-Z0-9]+ =|[b-z] |[a-z]*[0-9].* ',
+        ignorePattern: '.{0,20}$|[a-z]+ ?[0-9A-Z_.(/=:[#-]|std|http|ssh|ftp',
         ignoreInlineComments: true,
         ignoreConsecutiveComments: true,
       },
@@ -162,9 +161,9 @@ module.exports = {
       ObjectExpression: 'first',
       SwitchCase: 1,
     }],
-    'key-spacing': ['error', { mode: 'strict' }],
+    'key-spacing': 'error',
     'keyword-spacing': 'error',
-    'linebreak-style': ['error', 'unix'],
+    'linebreak-style': 'error',
     'max-len': ['error', {
       code: 120,
       ignorePattern: '^// Flags:',
@@ -178,7 +177,7 @@ module.exports = {
     'no-constant-condition': ['error', { checkLoops: false }],
     'no-constructor-return': 'error',
     'no-duplicate-imports': 'error',
-    'no-else-return': ['error', { allowElseIf: true }],
+    'no-else-return': 'error',
     'no-extra-parens': ['error', 'functions'],
     'no-lonely-if': 'error',
     'no-mixed-requires': 'error',
@@ -285,7 +284,7 @@ module.exports = {
       named: 'never',
       asyncArrow: 'always',
     }],
-    'space-in-parens': ['error', 'never'],
+    'space-in-parens': 'error',
     'space-infix-ops': 'error',
     'space-unary-ops': 'error',
     'spaced-comment': ['error', 'always', {
@@ -311,7 +310,6 @@ module.exports = {
     'jsdoc/require-param': 'off',
     'jsdoc/check-tag-names': 'off',
     'jsdoc/require-returns': 'off',
-    'jsdoc/require-property-description': 'off',
 
     // Custom rules from eslint-plugin-node-core
     'node-core/no-unescaped-regexp-dot': 'error',

.github/workflows/commit-queue.yml

@@ -32,14 +32,24 @@ jobs:
     steps:
       - name: Get Pull Requests
         id: get_mergeable_prs
-        run: >
-          numbers=$(gh pr list \
+        run: |
+          prs=$(gh pr list \
+                  --repo ${{ github.repository }} \
+                  --base ${{ github.ref_name }} \
+                  --label 'commit-queue' \
+                  --json 'number' \
+                  --search "created:<=$(date --date="2 days ago"  +"%Y-%m-%dT%H:%M:%S%z")" \
+                  -t '{{ range . }}{{ .number }} {{ end }}' \
+                  --limit 100)
+          fast_track_prs=$(gh pr list \
                   --repo ${{ github.repository }} \
                   --base ${{ github.ref_name }} \
                   --label 'commit-queue' \
+                  --label 'fast-track' \
                   --json 'number' \
                   -t '{{ range . }}{{ .number }} {{ end }}' \
                   --limit 100)
+          numbers=$(echo $prs' '$fast_track_prs | jq -r -s 'unique | join(" ")')
           echo "numbers=$numbers" >> $GITHUB_OUTPUT
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/linters.yml

@@ -107,7 +107,7 @@ jobs:
       - name: Get release version numbers
         if: ${{ github.event.pull_request && github.event.pull_request.base.ref == github.event.pull_request.base.repo.default_branch }}
         id: get-released-versions
-        run: ./tools/lint-md/list-released-versions-from-changelogs.mjs
+        run: ./tools/lint-md/list-released-versions-from-changelogs.mjs >> $GITHUB_OUTPUT
       - name: Lint markdown files
         run: |
           echo "::add-matcher::.github/workflows/remark-lint-problem-matcher.json"

.github/workflows/test-asan.yml

@@ -39,7 +39,7 @@ permissions:
 jobs:
   test-asan:
     if: github.event.pull_request.draft == false
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-20.04
     env:
       CC: clang
       CXX: clang++

.github/workflows/test-macos.yml

@@ -58,6 +58,6 @@ jobs:
       - name: tools/doc/node_modules workaround
         run: make tools/doc/node_modules
       - name: Build
-        run: make build-ci -j3 V=1 CONFIG_FLAGS="--error-on-warn"
+        run: make build-ci -j$(getconf _NPROCESSORS_ONLN) V=1 CONFIG_FLAGS="--error-on-warn"
       - name: Test
-        run: make run-ci -j3 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"
+        run: make run-ci -j$(getconf _NPROCESSORS_ONLN) V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"

.github/workflows/timezone-update.yml

@@ -36,6 +36,9 @@ jobs:
 
       - run: ./tools/update-timezone.mjs
 
+      - name: Update the expected timezone version in test
+        run: echo "${{ env.new_version }}" > test/fixtures/tz-version.txt
+
       - name: Open Pull Request
         uses: gr2m/create-or-update-pull-request-action@dc1726cbf4dd3ce766af4ec29cfb660e0125e8ee  # Create a PR or update the Action's existing PR
         env:

.github/workflows/tools.yml

@@ -109,6 +109,22 @@ jobs:
                 echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
                 ./tools/update-acorn-walk.sh
               fi
+          - id: libuv
+            subsystem: deps
+            label: dependencies
+            run: |
+              NEW_VERSION=$(gh api repos/libuv/libuv/releases/latest -q '.tag_name|ltrimstr("v")')
+              VERSION_H="./deps/uv/include/uv/version.h"
+              CURRENT_MAJOR_VERSION=$(grep "#define UV_VERSION_MAJOR" $VERSION_H | sed -n "s/^.*MAJOR \(.*\)/\1/p")
+              CURRENT_MINOR_VERSION=$(grep "#define UV_VERSION_MINOR" $VERSION_H | sed -n "s/^.*MINOR \(.*\)/\1/p")
+              CURRENT_PATCH_VERSION=$(grep "#define UV_VERSION_PATCH" $VERSION_H | sed -n "s/^.*PATCH \(.*\)/\1/p")
+              CURRENT_SUFFIX_VERSION=$(grep "#define UV_VERSION_SUFFIX" $VERSION_H | sed -n "s/^.*SUFFIX \"\(.*\)\"/\1/p")
+              SUFFIX_STRING=$([[ -z "$CURRENT_SUFFIX_VERSION" ]] && echo "" || echo "-$CURRENT_SUFFIX_VERSION")
+              CURRENT_VERSION="$CURRENT_MAJOR_VERSION.$CURRENT_MINOR_VERSION.$CURRENT_PATCH_VERSION$SUFFIX_STRING"
+              if [ "$NEW_VERSION" != "$CURRENT_VERSION" ]; then
+                echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV
+                ./tools/dep_updaters/update-libuv.sh "$NEW_VERSION"
+              fi
     steps:
       - uses: actions/checkout@v3
         with:

.mailmap

@@ -103,6 +103,7 @@ Christian Clauss <cclauss@me.com> <cclauss@bluewin.ch>
 Christophe Naud-Dulude <christophe.naud.dulude@gmail.com>
 Christopher Lenz <cmlenz@gmail.com> <chris@lamech.local>
 Claudio Rodriguez <cjrodr@yahoo.com> <cr@fansworld.tv>
+Claudio Wunder <cwunder@gnome.org> <cwunder@hubspot.com>
 Clemens Backes <post@clemens-backes.de> <clemensb@chromium.org>
 Colin Ihrig <cjihrig@gmail.com>
 Corey Martin <coreymartin496@gmail.com>

AUTHORS

@@ -3567,5 +3567,13 @@ Tim Shilov <tim@shilov.dev>
 Obiwac <obiwac@gmail.com>
 Yu Gu <guyu2876@gmail.com>
 andreysoktoev <andrey.soktoev@gmail.com>
+Pavel Horal <pavel.horal@orchitech.cz>
+Konv <82451257+kovsu@users.noreply.github.com>
+Aidan Temple <15520814+aidant@users.noreply.github.com>
+Emanuel Hoogeveen <emanuel@medweb.nl>
+Takuro Sato <79583855+takuro-sato@users.noreply.github.com>
+Carter Snook <cartersnook04@gmail.com>
+Nathanael Ruf <104262550+nathanael-ruf@users.noreply.github.com>
+Vasili Skurydzin <vasili.skurydzin@protonmail.com>
 
 # Generated by tools/update-authors.mjs

CHANGELOG.md

@@ -35,7 +35,9 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V19.md#19.0.1">19.0.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V19.md#19.2.0">19.2.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V19.md#19.1.0">19.1.0</a><br/>
+<a href="doc/changelogs/CHANGELOG_V19.md#19.0.1">19.0.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V19.md#19.0.0">19.0.0</a><br/>
   </td>
   <td valign="top">

LICENSE

@@ -107,6 +107,18 @@ The externally maintained libraries used by Node.js are:
     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
   """
 
+- ittapi, located at deps/v8/third_party/ittapi, is licensed as follows:
+  """
+    Copyright (c) 2019 Intel Corporation. All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+    2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+    3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
+    THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+  """
+
 - ICU, located at deps/icu-small, is licensed as follows:
   """
     UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE
@@ -1040,9 +1052,9 @@ The externally maintained libraries used by Node.js are:
 - zlib, located at deps/zlib, is licensed as follows:
   """
     zlib.h -- interface of the 'zlib' general purpose compression library
-    version 1.2.11, January 15th, 2017
+    version 1.2.13, October 13th, 2022
 
-    Copyright (C) 1995-2017 Jean-loup Gailly and Mark Adler
+    Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
 
     This software is provided 'as-is', without any express or implied
     warranty.  In no event will the authors be held liable for any damages

README.md

@@ -444,7 +444,7 @@ For information about the governance of the Node.js project, see
   **Rich Trott** <<rtrott@gmail.com>> (he/him)
 * [vdeturckheim](https://github.com/vdeturckheim) -
   **Vladimir de Turckheim** <<vlad2t@hotmail.com>> (he/him)
-* [VoltrexMaster](https://github.com/VoltrexMaster) -
+* [VoltrexKeyva](https://github.com/VoltrexKeyva) -
   **Mohammed Keyvanzadeh** <<mohammadkeyvanzade94@gmail.com>> (he/him)
 * [watilde](https://github.com/watilde) -
   **Daijiro Wachi** <<daijiro.wachi@gmail.com>> (he/him)
@@ -690,7 +690,7 @@ maintaining the Node.js project.
   **Pooja Durgad** <<Pooja.D.P@ibm.com>>
 * [RaisinTen](https://github.com/RaisinTen) -
   **Darshan Sen** <<raisinten@gmail.com>>
-* [VoltrexMaster](https://github.com/VoltrexMaster) -
+* [VoltrexKeyva](https://github.com/VoltrexKeyva) -
   **Mohammed Keyvanzadeh** <<mohammadkeyvanzade94@gmail.com>> (he/him)
 
 Triagers follow the [Triage Guide](./doc/contributing/issues.md#triaging-a-bug-report) when

SECURITY.md

@@ -55,6 +55,132 @@ Here is the security disclosure policy for Node.js
   the release process above to ensure that the disclosure is handled in a
   consistent manner.
 
+## The Node.js threat model
+
+In the Node.js threat model, there are trusted elements such as the
+underlying operating system. Vulnerabilities that require the compromise
+of these trusted elements are outside the scope of the Node.js threat
+model.
+
+For a vulnerability to be eligible for a bug bounty, it must be a
+vulnerability in the context of the Node.js threat model. In other
+words, it cannot assume that a trusted element (such as the operating
+system) has been compromised.
+
+Being able to cause the following through control of the elements that Node.js
+does not trust is considered a vulnerability:
+
+* Disclosure or loss of integrity or confidentiality of data protected through
+  the correct use of Node.js APIs.
+* The unavailability of the runtime, including the unbounded degradation of its
+  performance.
+
+If Node.js loads configuration files or runs code by default (without a
+specific request from the user), and this is not documented, it is considered a
+vulnerability.
+Vulnerabilities related to this case may be fixed by a documentation update.
+
+**Node.js does NOT trust**:
+
+1. The data from network connections that are created through the use of Node.js
+   APIs and which is transformed/validated by Node.js before being passed to the
+   application. This includes:
+   * HTTP APIs (all flavors) client and server APIs.
+   * DNS APIs.
+2. Consumers of data protected through the use of Node.js APIs (for example
+   people who have access to data encrypted through the Node.js crypto APIs).
+3. The file content or other I/O that is opened for reading or writing by the
+   use of Node.js APIs (ex: stdin, stdout, stderr).
+
+In other words, if the data passing through Node.js to/from the application
+can trigger actions other than those documented for the APIs, there is likely
+a security vulnerability. Examples of unwanted actions are polluting globals,
+causing an unrecoverable crash, or any other unexpected side effects that can
+lead to a loss of confidentiality, integrity, or availability.
+
+**Node.js trusts everything else**. As some examples this includes:
+
+1. The developers and infrastructure that runs it.
+2. The operating system that Node.js is running under and its configuration,
+   along with anything under control of the operating system.
+3. The code it is asked to run including JavaScript and native code, even if
+   said code is dynamically loaded, e.g. all dependencies installed from the
+   npm registry.
+   The code run inherits all the privileges of the execution user.
+4. Inputs provided to it by the code it is asked to run, as it is the
+   responsibility of the application to perform the required input validations.
+5. Any connection used for inspector (debugger protocol) regardless of being
+   opened by command line options or Node.js APIs, and regardless of the remote
+   end being on the local machine or remote.
+6. The file system when requiring a module.
+   See <https://nodejs.org/api/modules.html#all-together>.
+
+Any unexpected behavior from the data manipulation from Node.js Internal
+functions are considered a vulnerability.
+
+In addition to addressing vulnerabilities based on the above, the project works
+to avoid APIs and internal implementations that make it "easy" for application
+code to use the APIs incorrectly in a way that results in vulnerabilities within
+the application code itself. While we don’t consider those vulnerabilities in
+Node.js itself and will not necessarily issue a CVE we do want them to be
+reported privately to Node.js first.
+We often choose to work to improve our APIs based on those reports and issue
+fixes either in regular or security releases depending on how much of a risk to
+the community they pose.
+
+### Examples of vulneratibities
+
+#### Improper Certificate Validation (CWE-295)
+
+* Node.js provides APIs to validate handling of Subject Alternative Names (SANs)
+  in certficates used to connect to a TLS/SSL endpoint. If certificates can be
+  crafted which result in incorrect validation by the Node.js APIs that is
+  considered a vulnerability.
+
+#### Inconsistent Interpretation of HTTP Requests (CWE-444)
+
+* Node.js provides APIs to accept http connections. Those APIs parse the
+  headers received for a connection and pass them on to the application.
+  Bugs in parsing those headers which can result in request smuggling are
+  considered vulnerabilities.
+
+#### Missing Cryptographic Step (CWE-325)
+
+* Node.js provides APIs to encrypt data. Bugs that would allow an attacker
+  to get the original data without requiring the decryption key are
+  considered vulnerabilities.
+
+#### External Control of System or Configuration Setting (CWE-15)
+
+* If Node.js automatically loads a configuration file which is not documented
+  and modification of that configuration can affect the confidentiality of
+  data protected using the Node.js APIs this is considered a vulnerability.
+
+### Examples of non-vulneratibities
+
+#### Malicious Third-Party Modules (CWE-1357)
+
+* Code is trusted by Node.js, therefore any scenario that requires a malicious
+  third-party module cannot result in a vulnerability in Node.js.
+
+#### Prototype Pollution Attacks (CWE-1321)
+
+* Node.js trusts the inputs provided to it by application code.
+  It is up to the application to sanitize appropriately, therefore any scenario
+  that requires control over user input is not considered a vulnerability.
+
+#### Uncontrolled Search Path Element (CWE-427)
+
+* Node.js trusts the file system in the environment accessible to it.
+  Therefore, it is not a vulnerability if it accesses/loads files from any path
+  that is accessible to it.
+
+#### External Control of System or Configuration Setting (CWE-15)
+
+* If Node.js automatically loads a configuration file which is documented
+  no scenario that requires modification of that configuration file is
+  considered a vulnerability.
+
 ## Receiving security updates
 
 Security notifications will be distributed via the following methods.

benchmark/blob/file.js

@@ -0,0 +1,34 @@
+'use strict';
+const common = require('../common.js');
+const { File } = require('buffer');
+
+const bench = common.createBenchmark(main, {
+  bytes: [128, 1024, 1024 ** 2],
+  n: [1e6],
+  operation: ['text', 'arrayBuffer']
+});
+
+const options = {
+  lastModified: Date.now() - 1e6,
+};
+
+async function run(n, bytes, operation) {
+  const buff = Buffer.allocUnsafe(bytes);
+  const source = new File(buff, 'dummy.txt', options);
+  bench.start();
+  for (let i = 0; i < n; i++) {
+    switch (operation) {
+      case 'text':
+        await source.text();
+        break;
+      case 'arrayBuffer':
+        await source.arrayBuffer();
+        break;
+    }
+  }
+  bench.end(n);
+}
+
+function main(conf) {
+  run(conf.n, conf.bytes, conf.operation).catch(console.log);
+}