Version 10.14.2 'Dubnium' (LTS)
This LTS release comes with 374 commits. This includes 165 which are test or benchmark related, 77 which are doc related, 29 which are build / tool related and 15 commits which update dependencies.
Notable Changes
* deps:
- upgrade to c-ares v1.15.0
* Windows:
- A crashing process will now show the names of stack frames if the node.pdb file is available.
Version 10.14.0 'Dubnium' (LTS):
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
- Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
- A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
* url: Fix a bug that would allow a hostname to be spoofed when parsing URLs with url.parse() with the 'javascript:' protocol.
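The two http limits in the 10.14.0 notes above can be modelled as a small state machine; this is an added illustration, not Node.js source code. `HeaderGuard`, `replay` and the sample traces are hypothetical names with constructed data, and the model assumes the 8192-byte total includes the request line and the terminating blank line.

```javascript
// Added model of the header limits described in the notes (not Node internals).
const MAX_HEADER_BYTES = 8192;     // total header size limit from the notes
const HEADERS_TIMEOUT_MS = 40000;  // default server.headersTimeout from the notes

class HeaderGuard {
  constructor(startMs, { maxBytes = MAX_HEADER_BYTES, timeoutMs = HEADERS_TIMEOUT_MS } = {}) {
    this.startMs = startMs;
    this.maxBytes = maxBytes;
    this.timeoutMs = timeoutMs;
    this.received = 0;
    this.tail = '';          // last 3 chars seen, to catch CRLFCRLF split across chunks
    this.state = 'reading';
  }

  // Called for each chunk (single-byte-character string) read while headers
  // are incomplete. Returns 'reading', 'complete', 'too-large' or 'timeout'.
  onChunk(chunk, nowMs) {
    if (this.state !== 'reading') return this.state;
    // As the notes describe, the deadline is only checked when a chunk arrives.
    if (nowMs - this.startMs > this.timeoutMs) return (this.state = 'timeout');
    const window = this.tail + chunk;
    const end = window.indexOf('\r\n\r\n');
    // Count only the bytes of this chunk that belong to the header block.
    const headerBytes = end === -1 ? chunk.length : end + 4 - this.tail.length;
    this.received += headerBytes;
    if (this.received > this.maxBytes) return (this.state = 'too-large');
    if (end !== -1) return (this.state = 'complete');
    this.tail = window.slice(-3);
    return this.state;
  }
}

// Replays [timeMs, chunk] events and reports the last state and when it was set.
function replay(events, opts) {
  const guard = new HeaderGuard(0, opts);
  let last = { state: 'reading', atMs: 0 };
  for (const [atMs, chunk] of events) {
    last = { state: guard.onChunk(chunk, atMs), atMs };
    if (last.state !== 'reading') break;
  }
  return last;
}

// Constructed traces; times are milliseconds since the connection was accepted.
const NORMAL = [[0, 'GET / HTTP/1.1\r\nHo'], [5, 'st: example.test\r\n\r'], [9, '\n']];
const SLOW_DRIP = [[0, 'GET / HTTP/1.1\r\n'], [30000, 'X-A: 1\r\n'], [45000, 'X-B: 2\r\n']];
const OVERSIZED = [[0, 'GET / HTTP/1.1\r\nX-Pad: ' + 'a'.repeat(9000) + '\r\n\r\n']];
// The client sends one line and then goes silent: no further chunk, no check.
const STALLED = [[0, 'GET / HTTP/1.1\r\n']];

console.log(replay(NORMAL), replay(SLOW_DRIP), replay(OVERSIZED), replay(STALLED));
```

The `STALLED` trace stays in `reading` because the deadline is only evaluated on a received chunk, which is why the notes pair `server.headersTimeout` with `server.setTimeout()`.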
Version 10.13.0 'Dubnium' (LTS)
This release marks the transition of Node.js 10.x into Long Term Support (LTS) with the codename 'Dubnium'. The 10.x release line now moves into "Active LTS" and will remain so until April 2020. After that time it will move into "Maintenance" until end of life in April 2021.
Notable Changes
This release only includes minimal changes necessary to fix known regressions prior to LTS.
Version 10.12.0 (Current)
Notable changes
assert
* The diff output is now a tiny bit improved by sorting object properties when inspecting the values that are compared with each other.
cli
* The options parser now normalizes _ to - in all multi-word command-line flags, e.g. --no_warnings has the same effect as --no-warnings.
* Added bash completion for the node binary. To generate a bash completion script, run node --completion-bash. The output can be saved to a file which can be sourced to enable completion.
crypto
* Added support for PEM-level encryption.
* Added an API for asymmetric key pair generation. The new methods crypto.generateKeyPair and crypto.generateKeyPairSync can be used to generate public and private key pairs. The API supports RSA, DSA and EC and a variety of key encodings (both PEM and DER).
fs
* Added a recursive option to fs.mkdir and fs.mkdirSync. If this option is set to true, non-existing parent folders will be automatically created.
http2
* Added a 'ping' event to Http2Session that is emitted whenever a non-ack PING is received.
* Added support for the ORIGIN frame.
* Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect protocol support to allow use of WebSockets over HTTP/2.
module
* Added module.createRequireFromPath(filename). This new method can be used to create a custom require function that will resolve modules relative to the filename path.
process
* Added a 'multipleResolves' process event that is emitted whenever there is an attempt to resolve a Promise multiple times, e.g. if the resolve and reject functions are both called in a Promise executor.
url
* Added url.fileURLToPath(url) and url.pathToFileURL(path). These methods can be used to correctly convert between file: URLs and absolute paths.
util
* Added the sorted option to util.inspect(). If set to true, all properties of an object and Set and Map entries will be sorted in the returned string. If set to a function, it is used as a compare function.
* The util.inspect.custom symbol is now defined in the global symbol registry as Symbol.for('nodejs.util.inspect.custom').
* Added support for BigInt numbers in util.format().
V8 API
* A number of V8 C++ APIs have been marked as deprecated since they have been removed in the upstream repository. Replacement APIs are added where necessary.
Windows
* The Windows msi installer now provides an option to automatically install the tools required to build native modules.
Workers
* Debugging support for Workers using the DevTools protocol has been implemented.
* The public inspector module is now enabled in Workers.
- child_process:
- `TypedArray` and `DataView` values are now accepted as input by
`execFileSync` and `spawnSync`.
- coverage:
- Native V8 code coverage information can now be output to disk by
setting the environment variable `NODE_V8_COVERAGE` to a directory.
- fs:
- The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`,
`fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray`
and `DataView` objects.
- A new boolean option, `withFileTypes`, can be passed to
`fs.readdir` and `fs.readdirSync`. If set to true, the methods
return an array of directory entries. These are objects that can
be used to determine the type of each entry and filter them based
on that without calling `fs.stat`.
- http2:
- The `http2` module is no longer experimental.
- os:
- Added two new methods: `os.getPriority` and `os.setPriority`,
which allow manipulating the scheduling priority of processes.
- process:
- Added `process.allowedNodeEnvironmentFlags`. This object can be
used to programmatically validate and list flags that are allowed
in the `NODE_OPTIONS` environment variable.
- src:
- Deprecated option variables in public C++ API.
- Refactored options parsing.
- vm:
- Added `vm.compileFunction`, a method to create new JavaScript
functions from a source body, with options similar to those of
the other `vm` methods.
- buffer:
- Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2
encoding (CVE-2018-12115)
- Fix unintentional exposure of uninitialized memory in
`Buffer.alloc()` (CVE-2018-7166)
- deps:
- Upgrade to OpenSSL 1.1.0i, fixing:
- Client DoS due to large DH parameter (CVE-2018-0732)
- ECDSA key extraction via local side-channel (CVE not assigned)
- Upgrade V8 from 6.7 to 6.8
- Memory reduction and performance improvements
- http: `http.get()` and `http.request()` (and `https` variants) can
now accept three arguments to allow for a `URL` _and_ an `options`
object
- console:
- The `console.timeLog()` method has been implemented.
- deps:
- Upgrade to libuv 1.22.0.
- Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1).
- http:
- Added support for passing both `timeout` and `agent` options to
`http.request`.
- inspector:
- Expose the original console API in `require('inspector').console`.
- napi:
- Added experimental support for functions dealing with bigint
numbers.
- process:
- The `process.hrtime.bigint()` method has been implemented.
- Added the `--title` command line argument to set the process title
on startup.
- trace_events:
- Added process_name metadata.
- dns: An experimental promisified version of the dns module is now
available. Give it a try with `require('dns').promises`.
- fs: `fs.lchown` has been undeprecated now that libuv supports it.
- lib: `Atomics.wake` is being renamed to `Atomics.notify` in the
ECMAScript specification. Since Node.js now has experimental support
for worker threads, we are being proactive and have added a `notify`
alias, while emitting a warning if `wake` is used.
- n-api: Add API for asynchronous functions.
- util: `util.inspect` is now able to return a result instead of
throwing when the maximum call stack size is exceeded during
inspection.
- vm: Add `script.createCachedData()`. This API replaces the
`produceCachedData` option of the `Script` constructor that is now
deprecated.
- worker: Support for relative paths has been added to the `Worker`
constructor. Paths are interpreted relative to the current working
directory.
crypto:
- Support for crypto.scrypt() has been added.
fs:
- BigInt support has been added to fs.stat and fs.watchFile.
- APIs that take mode as arguments no longer throw on values larger
than 0o777.
- Fix crashes in closed event watchers.
Worker Threads:
- Support for multi-threading has been added behind the
--experimental-worker flag in the worker_threads module. This
feature is experimental and may receive breaking changes at any time.
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced
in 9.7.0 that increases the memory consumed when reading from the
network into JavaScript using the net.Socket object directly as a
stream.
- http2
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating
the http2 implementation to not crash under certain circumstances
during cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by
upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by
updating the TLS implementation to not crash upon receiving
- n-api: Prevent use-after-free in napi_delete_async_work
- fs: fix reads with pos > 4GB
- net: new option to allow IPC servers to be readable and writable
by all users
- stream: fix removeAllListeners() for Stream.Readable to work as
expected when no arguments are passed
- addons:
- Fixed a memory leak for users of `AsyncResource` and N-API.
- assert:
- The `error` parameter of `assert.throws()` can be an object
containing regular expressions now.
- crypto:
- The `authTagLength` option has been made more flexible.
- esm:
- Builtin modules (e.g. `fs`) now provide named exports in ES6
modules.
- http:
- Handling of `close` and `aborted` events has been made more
consistent.
- module:
- add --preserve-symlinks-main
- timers:
- `timeout.refresh()` has been added to the public API.
- Embedder support:
- Functions for creating V8 `Isolate` and `Context` objects with
Node.js-specific behaviour have been added to the API.
- Node.js `Environment`s clean up resources before exiting now.
- Support for multi-threaded embedding has been improved.
- console: make console.table() use colored inspect
- fs: move fs/promises to fs.promises
- http: added aborted property to request
- n-api: initialize a module via a special symbol
- src: add public API to expose the main V8 Platform
Use bundled OpenSSL until pkgsrc provides the required 1.1.x.
### Notable Changes
- Assert
- Calling `assert.fail()` with more than one argument is deprecated.
- Calling `assert.ok()` with no arguments will now throw.
- Calling `assert.ifError()` will now throw with any argument other
than `undefined` or `null`. Previously the method would throw with
any truthy value.
- The `assert.rejects()` and `assert.doesNotReject()` methods have
been added for working with async functions.
- Async_hooks
- Older experimental async_hooks APIs have been removed.
- Buffer
- Uses of `new Buffer()` and `Buffer()` outside of the
`node_modules` directory will now emit a runtime deprecation
warning.
- `Buffer.isEncoding()` now returns `undefined` for falsy values,
including an empty string.
- `Buffer.fill()` will throw if an attempt is made to fill with an
empty `Buffer`.
- Child Process
- Undefined properties of env are ignored.
- Console
- The `console.table()` method has been added.
- Crypto
- The `crypto.createCipher()` and `crypto.createDecipher()` methods
have been deprecated. Please use `crypto.createCipheriv()` and
`crypto.createDecipheriv()` instead.
- The `decipher.finaltol()` method has been deprecated.
- The `crypto.DEFAULT_ENCODING` property has been deprecated.
- The `ECDH.convertKey()` method has been added.
- The `crypto.fips` property has been deprecated.
- Dependencies
- V8 has been updated to 6.6.
- OpenSSL has been updated to 1.1.0h.
- EventEmitter
- The `EventEmitter.prototype.off()` method has been added as an
alias for `EventEmitter.prototype.removeListener()`.
- File System
- The `fs/promises` API provides experimental promisified versions
of the `fs` functions.
- Invalid path errors are now thrown synchronously.
- The `fs.readFile()` method now partitions reads to avoid thread
pool exhaustion.
- HTTP
- Processing of HTTP Status codes `100`, `102-199` has been
improved.
- Multi-byte characters in URL paths are now forbidden.
- N-API
- The n-api is no longer experimental.
- Net
- The `'close'` event will be emitted after `'end'`.
- Perf_hooks
- The `PerformanceObserver` class is now an `AsyncResource` and can
be monitored using `async_hooks`.
- Trace events are now emitted for performance events.
- The `performance` API has been simplified.
- Performance milestone marks will be emitted as trace events.
- Process
- Using non-string values for `process.env` is deprecated.
- The `process.assert()` method is deprecated.
- REPL
- REPL now experimentally supports top-level await when using the
`--experimental-repl-await` flag.
- The previously deprecated "magic mode" has been removed.
- The previously deprecated `NODE_REPL_HISTORY_FILE` environment
variable has been removed.
- Proxy objects are shown as Proxy objects when inspected.
- Streams
- The `'readable'` event is now always deferred with nextTick.
- A new `pipeline()` method has been provided for building
end-to-data stream pipelines.
- Experimental support for async for-await has been added to
`stream.Readable`.
- Timers
- The `enroll()` and `unenroll()` methods have been deprecated.
- TLS
- The `tls.convertNPNProtocols()` method has been deprecated.
- Support for NPN (next protocol negotiation) has been dropped.
- The `ecdhCurve` default is now `'auto'`.
- Trace Events
- A new `trace_events` top-level module allows trace event
categories to be enabled/disabled at runtime.
- URL
- The WHATWG URL API is now a global.
- Util
- `util.types.is[…]` type checks have been added.
- Support for bigint formatting has been added to `util.inspect()`.
#### Deprecations:
The following APIs have been deprecated in Node.js 10.0.0
- Passing more than one argument to `assert.fail()` will emit a
runtime deprecation warning.
- Previously deprecated legacy async_hooks APIs have reached
end-of-life and have been removed.
- Using `require()` to access several of Node.js' own internal
dependencies will emit a runtime deprecation.
- The `crypto.createCipher()` and `crypto.createDecipher()` methods
have been deprecated in documentation.
- Using the `Decipher.finaltol()` method will emit a runtime
deprecation warning.
- Using the `crypto.DEFAULT_ENCODING` property will emit a runtime
deprecation warning.
- Use by native addons of the `MakeCallback()` variant that passes a
`Domain` will emit a runtime deprecation warning.
- Previously deprecated internal getters/setters on `net.Server` have
reached end-of-life and have been removed.
- Use of non-string values for `process.env` has been deprecated in
documentation.
- Use of `process.assert()` will emit a runtime deprecation warning.
- Previously deprecated `NODE_REPL_HISTORY_FILE` environment variable
has reached end-of-life and has been removed.
- Use of the `timers.enroll()` and `timers.unenroll()` methods will
emit a runtime deprecation warning.
- Use of the `tls.convertNPNProtocols()` method will emit a runtime
deprecation warning. Support for NPN has been removed from Node.js.
- The `crypto.fips` property has been deprecated in documentation.
- deps: Updated ICU to 61.1
- fs: Emit 'ready' event for ReadStream and WriteStream
- n-api: Bump version of n-api supported
- net: Emit 'ready' event for Socket
- No code changes
nodejs 9.10.0
Fixes for the following CVEs are included in this release:
- CVE-2018-7158
- CVE-2018-7159
- CVE-2018-7160
Notable Changes
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A
malicious website could use a DNS rebinding attack to trick a web
browser into bypassing same-origin-policy checks and allowing HTTP connections
to localhost or to hosts on the local network, potentially to an open
inspector port as a debugger, therefore gaining full code execution
access. The inspector now only allows connections that have a browser
Host value of localhost or localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths
could be used to cause a denial of service if an attacker were able to
have a specially crafted path string passed through one of the
impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159):
The Node.js HTTP parser allowed for spaces inside Content-Length
header values. Such values now lead to rejected connections in the
same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been
added to the Node.js binary and 30 have been removed.
- cluster: Add support for NODE_OPTIONS="--inspect"
- crypto: Expose the public key of a certificate
- n-api: Add napi_fatal_exception to trigger an uncaughtException in
JavaScript
- path: Fix regression in posix.normalize
- stream: Improve stream creation performance
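The Content-Length change (CVE-2018-7159) comes down to the difference between a reader that ignores spaces and one that accepts digits only; the following is an added example, not the Node.js HTTP parser. The function names and sample values are hypothetical and constructed, and the strict reader assumes that whitespace around the whole value has no meaning and may be trimmed.

```javascript
// Lenient reader: drops every space before converting, so "1 2" is read as 12.
// This models the kind of behaviour the note describes as fixed.
function lenientContentLength(raw) {
  const digits = raw.replace(/ /g, '');
  return /^\d+$/.test(digits) ? Number(digits) : null;
}

// Strict reader: trims optional whitespace around the value (assumption),
// then requires ASCII digits only and a value JavaScript represents exactly.
function strictContentLength(raw) {
  const value = raw.replace(/^[ \t]+|[ \t]+$/g, '');
  if (!/^[0-9]+$/.test(value)) return null;   // rejects "1 2", "+5", "0x10", ""
  const n = Number(value);
  return Number.isSafeInteger(n) ? n : null;  // rejects e.g. a 20-digit length
}

// Returns the values on which the two readers disagree. Any such value is one
// where two components on the same connection could see different body lengths.
function audit(samples) {
  return samples.filter((s) => lenientContentLength(s) !== strictContentLength(s));
}

// Constructed header values.
const SAMPLES = ['42', ' 42 ', '1 2', '4 2', '12abc', ''];

console.log(audit(SAMPLES)); // values that must lead to a rejected request
```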
nodejs 9.9.0
assert:
- From now on all error messages produced by assert in strict mode will
produce an error diff.
- From now on it is possible to use a validation object in throws instead
of the other possibilities.
crypto:
- allow passing null as IV unless required
fs:
- support as and as+ flags in stringToFlags()
tls:
- expose Finished messages in TLSSocket
tty:
- Add getColorDepth function to determine if terminal supports colors.
util:
- add util.inspect compact option
- libuv: Updated to libuv 1.19.2
- src: Add initial support for Node.js-specific post-mortem
metadata
- timers: The return value of setImmediate() now has ref() and
unref() methods
- util: It is now possible to get the name for a numerical
platform-specific error code as a string
nodejs 9.6.1
events:
- events.usingDomains being set to false by default was removed in
9.6.0 which was a change in behavior compared to 9.5.0. This
behavior change has been reverted and the events object now has
usingDomains preset to false, which is the behavior in 9.x prior
to 9.6.0
nodejs 9.6.0
async_hooks:
- deprecate unsafe emit{Before,After}
- rename PromiseWrap.parentId to PromiseWrap.isChainedPromise
deps:
- update node-inspect to 1.11.3
- ICU 60.2 bump
- Introduce ScriptOrModule and HostDefinedOptions to V8
http:
- add options to http.createServer() for IncomingMessage and
ServerResponse
http2:
- add http fallback options to .createServer
https:
- Adds the remaining options from tls.createSecureContext() to the
string generated by Agent#getName(). This allows https.request() to
accept the options and generate unique sockets appropriately.
inspector:
- --inspect-brk for es modules
lib:
- allow process kill by signal number
module:
- enable dynamic import
- dynamic import is now supported
n-api:
- add methods to open/close callback scope
src:
- allow --perf-(basic-)?prof in NODE_OPTIONS
vm:
- add support for es modules
async_hooks:
- deprecate AsyncHooks Sensitive API and runInAsyncIdScope. Neither
API was documented.
deps:
- update nghttp2 to 1.29.0
- upgrade npm to 5.6.0
- cherry-pick 50f7455 from upstream V8
events:
- remove reaches into _events internals
http:
- add rawPacket in err of clientError event
http2:
- implement maxSessionMemory
- add initial support for originSet
- add altsvc support
- perf_hooks integration
- Refactoring and cleanup of Http2Session and Http2Stream destroy
net:
- remove Socket.prototype.write
- remove Socket.prototype.listen
repl:
- show lexically scoped vars in tab completion
stream:
- rm {writeable/readable}State.length
- add flow and buffer properties to streams
util:
- allow wildcards in NODE_DEBUG variable
zlib:
- add ArrayBuffer support
async_hooks:
- add trace events to async_hooks
- add provider types for net server
console:
- console.debug can now be used outside of the inspector
deps:
- upgrade libuv to 1.18.0
- patch V8 to 6.2.414.46
module:
- module.builtinModules will return a list of built in modules
n-api:
- add helper for addons to get the event loop
process:
- process.setUncaughtExceptionCaptureCallback can now be used to
customize behavior for --abort-on-uncaught-exception
- A signal handler is now able to receive the signal code that
triggered the handler.
src:
- embedders can now use Node::CreatePlatform to create an instance of
NodePlatform
stream:
- writable.writableHighWaterMark and readable.readableHighWaterMark
will return the values the stream object was instantiated with
crypto:
- Support building with both 1.1.0 and 1.0.2
fs:
- fs.realpathSync.native and fs.realpath.native are now exposed
process:
- expose process.ppid
CLI:
- NODE_OPTIONS now supports the --stack-trace-limit option. #16495
deps:
- OpenSSL is upgraded to 1.0.2m #16691
http:
- A 'connect' event handler leak has been fixed. #16725
- The 103 Early Hints status code is now supported. #16644
### Notable Changes
- Async hooks: Older experimental APIs have been removed.
- Improvements have been made to `buffer` module error messages.
- Child Processes: Errors are emitted on process nextTick.
- Domains: The long-deprecated `.dispose()` method has been removed.
- fs
- The `fs.ReadStream` and `fs.WriteStream` classes now use `destroy()`.
- `fs` module callbacks are now invoked with an undefined context.
- HTTP/1
- A 400 Bad Request response will now be sent when parsing fails.
- Socket timeout will be set when the socket connects.
- A bug causing the request `'error'` event to fire twice was fixed.
- HTTP clients may now use generic `Duplex` streams in addition
to `net.Socket`.
- Intl
- The deprecated `Intl.v8BreakIterator` has been removed.
- OS
- The `os.EOL` property is now read-only
- Timers
- `setTimeout()` will emit a warning if the timeout is larger than
the maximum 32-bit unsigned integer.
Changes since nodejs 8.8.1:
- doc: add Gibson Fahnestock to Release team
- deps: update npm to 5.5.1
- http2: The exposed http2 socket is no longer manipulatable
- module: support custom paths to require.resolve()
- util: util.TextEncoder and util.TextDecoder are no longer experimental.
There will no longer be a warning when they are used
crypto:
- expose ECDH class
http2:
- http2 is now exposed by default without the need for a flag
- a new environment variable NODE_NO_HTTP2 has been added to allow
userland http2 to be required
- support has been added for generic Duplex streams
module:
- resolve and instantiate loader pipeline hooks have been added
to the ESM lifecycle
zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes
an error to be raised when a raw deflate stream is initialized
with windowBits set to 8. On some versions this crashes Node and
you cannot recover from it, while on some versions it throws an
exception. Node.js will now gracefully set windowBits to 9
replicating the legacy behavior to avoid a DoS vector.
deps:
- update npm to 5.4.2
- upgrade libuv to 1.15.0
- update V8 to 6.1.534.42
dgram:
- support for setting dgram socket buffer size
fs:
- add support for the O_DSYNC file open constant
util:
- deprecate obj.inspect for custom inspection
tools, build:
- there is a fancy new macOS installer