This repository has been archived by the owner on Dec 26, 2023. It is now read-only.
This PR contains the following updates:
8.13.0 -> 8.17.0
Release Notes
nodejs/node
v8.17.0: 2019-12-17, Version 8.17.0 'Carbon' (LTS), @MylesBorins
This is a security release.
For more details about the vulnerability please consult the npm blog:
https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
Notable changes
Commits
[208b813e49] - build,win: add test-ci-native and test-ci-js (João Reis) #30724
[369a23a670] - deps: update npm to 6.13.4 (Audrey Eschright) #30904
v8.16.2: 2019-10-09, Version 8.16.2 'Carbon' (LTS), @BethGriggs
Node.js 8 is due to go End-of-Life on 31st December 2019.
Notable changes
Commits
[cc9d005628] - crypto: update root certificates (Sam Roberts) #28808
[347fcd35e3] - crypto: update root certificates (Sam Roberts) #27374
[b2a6b3254d] - crypto: update root certificates (Sam Roberts) #25113
[5682e50325] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
[9663ae3546] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
[87eee99466] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
[da99d3f972] - deps: copy all openssl header files to include dir (Sam Roberts) #28230
[dc9d645ac4] - deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230
[37e24b19a0] - deps: V8: backport d520ebb (Michaël Zasso) #27358
[1a5dc6a3e7] - http: check for existance in resetHeadersTimeoutOnReqEnd (Matteo Collina) #26402
[e45b6a3b98] - http2: do not start reading after write if new write is on wire (Anna Henningsen) #29399
[559a8e342b] - http2: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) #29459
[dd285968c4] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
[3ee076f03d] - stream: ensure writable.destroy() emits error once (Luigi Pinca) #26057
[a7e5fe1f06] - test: unskip tests that now pass on AIX (Sam Roberts) #29054
[65e9b0f5a2] - test: specialize OOM check for AIX (Sam Roberts) #28857
[7aca9cb09b] - test: fix pty test hangs on aix (Ben Noordhuis) #28600
[588b761fca] - test: skip stringbytes-external-exceed-max on AIX (Sam Roberts) #28516
[930647d0fe] - test: skip tests related to CI failures on AIX (Sam Roberts) #28469
[92a2f8bbe3] - test,win: cleanup exec-timeout processes (João Reis) #28723
[d57f79726d] - tls: partially backport pull request #26415 (Ben Noordhuis) #26415
[c582fef5cc] - tools: update certdata.txt (Sam Roberts) #28808
[4fbadf6a9e] - tools: update certdata.txt (Sam Roberts) #27374
[529b2ad25f] - tools: update certdata.txt (Sam Roberts) #25113
v8.16.1: 2019-08-15, Version 8.16.1 'Carbon' (LTS), @BethGriggs
Notable changes
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
Commits
[6d427378c0] - deps: update nghttp2 to 1.39.2 (Anna Henningsen) #29122
[33d4d916d5] - deps: update nghttp2 to 1.39.1 (gengjiawen) #28448
[17fad97113] - deps: update nghttp2 to 1.38.0 (gengjiawen) #27295
[0b44733695] - deps: update nghttp2 to 1.37.0 (gengjiawen) #26990
[5afc77b044] - deps: update nghttp2 to 1.34.0 (James M Snell) #23284
[073108c855] - http2: allow security revert for Ping/Settings Flood (Anna Henningsen) #29122
[6d687f7af8] - http2: pause input processing if sending output (Anna Henningsen) #29122
[854dba649e] - http2: stop reading from socket if writes are in progress (Anna Henningsen) #29122
[a3191689dd] - http2: consider 0-length non-end DATA frames an error (Anna Henningsen) #29122
[156f2f35df] - http2: shrink default vector::reserve() allocations (Anna Henningsen) #29122
[10f05b65c4] - http2: handle 0-length headers better (Anna Henningsen) #29122
[ac28a628a5] - http2: limit number of invalid incoming frames (Anna Henningsen) #29122
[11b4e2c0db] - http2: limit number of rejected stream openings (Anna Henningsen) #29122
[7de642b6f9] - http2: do not create ArrayBuffers when no DATA received (Anna Henningsen) #29122
[dd60d3561a] - http2: only call into JS when necessary for session events (Anna Henningsen) #29122
[00f6846b73] - http2: improve JS-side debug logging (Anna Henningsen) #29122
[b095e35f1f] - http2: improve http2 code a bit (James M Snell) #23984
[cc282239c1] - test: apply test-http2-max-session-memory-leak from v12.x (Anna Henningsen) #29122
v8.16.0: 2019-04-16, Version 8.16.0 'Carbon' (LTS), @MylesBorins
Notable Changes
Commits
[705935d620] - assert: fix backport regression (Ruben Bridgewater) #27202
[c07ba9681f] - build: skip cctest on Windows shared lib build (Yihong Wang) #21228
[63522886ea] - build: add loader path to rpath for cctest (Sam Ruby) #23168
[e9369073d9] - build: set -blibpath: for AIX (Richard Lau) #25447
[97cc0fc51d] - deps: V8: cherry-pick 3cc6919 (Farazmand) #25874
[a1aff28fba] - deps: cherry-pick 525b396 from V8 upstream (Peter Marshall) #25041
[6b7cccc88a] - doc: fix optional parameters in n-api.md (Lars-Magnus Skog) #22998
[b17819db3d] - doc: update the http.request.setTimeout docs to be accurate (James Bunton) #25123
[ac9b8f7645] - http: fix error check in Execute() (Brian White) #24738
[1d862610f8] - http: attach reused parser to correct domain (Julien Gilli) #25459
[d3de1ed653] - n-api: improve performance creating strings (Anthony Tuininga) #26439
[2b2ad96ef2] - n-api: finalize during second-pass callback (Gabriel Schulhof) #25992
[d6ffabc37f] - (SEMVER-MINOR) n-api: mark thread-safe function as stable (Gabriel Schulhof) #25556
[44609d1274] - n-api: restrict exports by version (Kyle Farnung) #19962
[fe4328252a] - n-api: add missing handle scopes (Daniel Bevenius) #24011
[902b07959f] - n-api: clean up thread-safe function (Gabriel Schulhof) #22259
[09b88aabb3] - n-api: remove idle_running from TsFn (Lars-Magnus Skog) #22520
[367505940a] - n-api: guard against cond null dereference (Gabriel Schulhof) #21871
[c5a11dc58e] - n-api: fix compiler warning (cjihrig) #21597
[759a0180b5] - (SEMVER-MINOR) n-api: add API for asynchronous functions (Gabriel Schulhof) #17887
[ea5628e77a] - process: allow reading from stdout/stderr sockets (Anna Henningsen) #23053
[67b6e0d19c] - src: fix may be uninitialized warning in n-api (Michael Dawson) #21898
[eaf474cc5d] - test: shared lib build doesn't handle SIGPIPE (Yihong Wang) #19211
[3128cb7da6] - test: avoid running fsync on directory on AIX (John Barboza) #21298
[b4c5435a46] - test: add process.stdin.end() TTY regression test (Matteo Collina) #23051
[c56f3edb10] - test: add stdin writable regression test (Anna Henningsen) #23053
[f6ff8c51bc] - test: fix module loading error for AIX 7.1 (Richard Lau) #25418
[d4b6643ac3] - test: mark test-cli-node-options flaky on arm (Rich Trott) #25032
[60db455961] - test: mark test_threadsafe_function/test as flaky (Gireesh Punathil) #24714
[fbafe8d311] - test: fix test-repl-envvars (Anna Henningsen) #25226
[7573b55a15] - tls: fix legacy SecurePair clienthello race window (Ben Noordhuis) #26452
[91620b8bd6] - tls: fix legacy SecurePair session resumption (Ben Noordhuis) #26452
[1a9582b7a6] - tools: allow input for TTY tests (Anna Henningsen) #23053
v8.15.1
v8.15.0: 2018-12-26, Version 8.15.0 'Carbon' (LTS), @MylesBorins
The 8.14.0 security release introduced some unexpected breakages on the 8.x release line.
This is a special release to fix a regression in the HTTP binary upgrade response body and add
a missing CLI flag to adjust the max header size of the http parser.
Notable Changes
Commits
[693e362175] - (SEMVER-MINOR) cli: add --max-http-header-size flag (cjihrig) #24811
[4fb5a1be2f] - (SEMVER-MINOR) deps: cherry-pick http_parser_set_max_header_size (cjihrig) #24811
[446f8b54e5] - (SEMVER-MINOR) http: add maxHeaderSize property (cjihrig) #24860
[215ecfe4de] - http: fix regression of binary upgrade response body (Matteo Collina) #25037
[e1fbc26c6a] - test: move test-benchmark-path to sequential (Rich Trott) #21393
[aef71c05a2] - test: mark test-http2-settings-flood as flaky on Windows (Rich Trott) #25048
v8.14.1: 2018-12-18, Version 8.14.1 'Carbon' (LTS), @MylesBorins prepared by @BethGriggs
Notable changes
Commits
[62fb5dbec5] - assert: revert breaking change (Ruben Bridgewater) #24786
[a8402fe1c8] - build: only check REPLACEME & DEP...X for releases (Rod Vagg) #24575
[26743369d3] - build: improve Travis CI settings (Timothy Gu) #21459
[1da04c208d] - build: install markdown linter for travis (Richard Lau) #21215
[7612024939] - build: initial .travis.yml implementation (Anna Henningsen) #21059
[f70e79a7b2] - build: allow for overwriting of use_openssl_def (Shelley Vohr) #23763
[15d1f67c60] - build,doc: remove outdated lint-md-build (Michaël Zasso) #22991
[85a6daeaef] - build,meta: switch to gcc-4.9 on travis (Refael Ackermann) #23778
[313ef6fa73] - build,tools: tweak the travis config (Refael Ackermann) #22417
[22b41495ea] - child_process: handle undefined/null for fork() args (Shobhit Chittora) #22416
[499605618b] - crypto: add SET_INTEGER_CONSANT macro (Daniel Bevenius) #23687
[34d91296df] - deps: icu: apply workaround patch (Steven R. Loomis) #23764
[50347297a1] - deps: cherry-pick d2e0166 from V8 upstream (Vasili Skurydzin) #23958
[9bedae5266] - deps: cherry-pick 6bc4bfe from V8 upstream (Vasili Skurydzin) #23958
[4f3c9e6aab] - deps,v8: fix gyp build on Aix platform (Vasili Skurydzin) #23958
[74c1074d53] - doc: add description for inspector-only console methods. (Benjamin Zaslavsky) #17004
[692223182c] - doc: fix api documentation of http.createServer (Ari Autio) #24869
[6d8c65e574] - doc: update to adding listens on SIGUSR1 (willhayslett) #19709
[33b7c50036] - doc: remove "if provided" for optional arguments (Rich Trott) #19690
[216e7da8c5] - doc: do not identify string as "JavaScript string" (Rich Trott) #19689
[17e84217c7] - doc: fix grammar error in process.md (Kenji Okamoto) #19641
[06daf5276f] - doc: remove use of "random port" re dgram send (Thomas Hunter II) #19620
[bf95392e86] - doc: improve assert legacy text (Rich Trott) #19622
[e48cc3c403] - doc: remove confusing note about child process stdio (Anna Henningsen) #19552
[9d249bf6d5] - doc: add BethGriggs to collaborators (Beth Griggs) #19610
[c3ecf05b01] - doc: document make docopen (Ayush Gupta) #19321
[8338700d05] - doc: add directory structure in writing-tests.md (juggernaut451) #18802
[63d8632611] - doc: add types for some process properties (Vse Mozhet Byt) #19571
[b2fc3b556c] - doc: fix n-api example string (Steven R. Loomis) #19205
[d79e7d6e89] - doc: minor improvements to buffer.md (Rich Trott) #19547
[06491482f8] - doc: update child_process.md (Ari Leo Frankel) #19075
[4db289ca17] - doc: move StackOverflow to unofficial section (josephleon) #19416
[f5683a9a6d] - doc: correct async_hooks resource names (Gerhard Stoebich) #24684
[ffe1f8033c] - doc: sort bottom-of-file markdown links (Sam Roberts) #24682
[78d9a5e6e4] - doc: address bits of proof reading work (Jagannath Bhat) #23978
[d1eebb2e43] - doc: revise COLLABORATOR_GUIDE.md (Rich Trott) #23990
[003eb0c8e1] - doc: simplify CODE_OF_CONDUCT.md (Rich Trott) #23989
[c1723c8bca] - doc: add branding to style guide (Rich Trott) #23967
[8bb67a1fb9] - doc: use Node.js instead of Node (Rich Trott) #23967
[73e0bb1f52] - doc: fix typographical issues (Denis McDonald) #23970
[6d76f852a9] - doc: add documentation for http.IncomingMessage$complete (James M Snell) #23914
[3025f351db] - doc: remove mailing list (Rich Trott) #23932
[2459e150bb] - doc: add note about ABI compatibility (Myles Borins) #22237
[27b35833bd] - doc: make example more clarified in cluster.md (ZYSzys) #23931
[0d4de59967] - doc: simplify valid security issue descriptions (Rich Trott) #23881
[9afdc09f98] - doc: simplify path.basename() on POSIX and Windows (ZYSzys) #23864
[3f2a01688d] - doc: add review suggestions to require() (erickwendel) #23605
[f037942fe7] - doc: move @phillipj to emeriti (Phillip Johnsen) #23790
[e5f75cf82e] - doc: add note about removeListener order (James M Snell) #23762
[0ff88a3510] - doc: document ACL limitation for fs.access on Windows (James M Snell) #23772
[32ae851710] - doc: document that addMembership must be called once in a cluster (James M Snell) #23746
[e2d2ce6706] - doc: remove reference to sslv3 in tls.md (James M Snell) #23745
[4c24a82a65] - http2: fix sequence of error/close events (Gerhard Stoebich) #24789
[8afbd5ce41] - lib: fix a typo in lib/timers "read through" (wangzengdi) #19666
[fa12532000] - lib: remove useless cwd in posix.resolve (ZYSzys) #23902
[e8dbd09414] - src: use "constants" string instead of creating new one (Ouyang Yadong) #23894
[394cb42962] - test: verify order of error in h2 server stream (Myles Borins) #24685
[5e09a3d4ed] - test: test process.setuid for bad argument types (Divyanshu Singh) #19703
[970164f3a8] - test: improve assert message (fatahn) #19629
[086570e4e1] - test: remove third argument from call to assert.strictEqual() (Forrest Wolf) #19659
[a7b3274af4] - test: fix flaky test-cluster-send-handle-twice (Rich Trott) #19700
[1bda58289a] - test: rename regression tests more expressively (Ujjwal Sharma) #19668
[bd9cc92e8d] - test: remove 3rd argument from assert.strictEqual (Arian Santrach) #19707
[3ca10faf00] - test: use createReadStream instead of ReadStream (Daniel Bevenius) #19636
[8a546e822d] - test: removed default message from assert.strictEqual (jaspal-yupana) #19660
[a62df1b379] - test: refactor test-net-dns-error (Luigi Pinca) #19640
[8a0ecf4360] - test: refactor test-http-expect-continue (Rich Trott) #19625
[0cbe813e90] - test: update link according to NIST bibliography (Tobias Nießen) #19593
[ea1fda6228] - test: remove third param from assert.strictEqual (davis.okoth@kemsa.co.ke) #19536
[18c4e5e886] - test: remove message from assert.strictEqual() (willhayslett) #19525
[146c488bf5] - test: refactor parallel/test-tls-ca-concat.js (juggernaut451) #19092
[8fa5bd3761] - test: rename regression tests file names (Ujjwal Sharma) #19332
[d34ade8755] - test: fix strictEqual arguments order (Esteban Sotillo) #23956
[6ae07a9248] - test: add property for RangeError in test-buffer-copy (mritunjaygoutam12) #23968
[b1e6de80c1] - test: fix regression when compiled with FIPS (Adam Majer) #23871
[d0368b8245] - test: fix strictEqual() argument order (Loic) #23829
[3a864d716e] - test: fix strictEqual() arguments order (Nolan Rigo) #23800
[e7a573a9e2] - test: fix test-require-symlink on Windows (Bartosz Sosnowski) #23691
[ac91346776] - test: fix strictEqual() argument order (Romain Lanz) #23768
[0f98c4926a] - test: fix strictEqual() arguments order (Thomas GENTILHOMME) #23771
[73d19b1516] - test: ensure openssl version prints correctly (Sam Roberts) #23678
[544e64d68d] - test: fix assertion arguments order (Elian Gutierrez) #23787
[e84c01d1f3] - tools: update alternative docs versions (Richard Lau) #23980
[02209c5fa7] - tools: clarify commit message linting (Rich Trott) #23742
[22043ccb84] - tools: do not lint commit message if var undefined (Rich Trott) #23725
[2a8a28c436] - tools: make Travis commit linting more robust (Rich Trott) #23397
[c15d236545] - tools: apply linting to first commit in PRs (Rich Trott) #22452
v8.14.0: 2018-11-27, Version 8.14.0 'Carbon' (LTS), @rvagg
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
Notable Changes
server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
path option in HTTP client requests. Paths containing characters outside of the range \u0021-\u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). Reported as security concern for Node.js 6 and 8 by Arkadiy Tetelman (Lob), fixed by backporting a change by Benno Fünfstück applied to Node.js 10 and later. (CVE-2018-12116 / Matteo Collina)
url.parse() with the 'javascript:' protocol. Reported by Martin Bajanik (Kentico). (CVE-2018-12123 / Matteo Collina)
Commits
[add20f373c] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/node#1836
[c4e382cce3] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) nodejs/node#1389
[f1d1f12519] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) nodejs/node#1389
[69037ad5c4] - deps: copy all openssl header files to include dir (Sam Roberts) #24530
[f5b34336bb] - deps: upgrade openssl sources to 1.0.2q (Sam Roberts) #24530
[93dba83fb0] - deps,http: http_parser set max header size to 8KB (Matteo Collina) nodejs-private/node-private#143
[576038fb61] - (SEMVER-MINOR) http: add --security-revert for CVE-2018-12116 (Matteo Collina) nodejs-private/node-private#146
[513e9747a2] - (SEMVER-MINOR) http: disallow two-byte characters in URL path (Benno Fünfstück) nodejs-private/node-private#146
[696f063c5e] - (SEMVER-MINOR) http,https: protect against slow headers attack (Matteo Collina) nodejs-private/node-private#151
[7f362a11ee] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) nodejs/node#1389
[53a6e4eb20] - url: avoid hostname spoofing w/ javascript protocol (Matteo Collina) nodejs-private/node-private#145
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.