Notable Changes
- debugger:
* All properties of an array (aside from length) can now be printed
in the repl
- npm:
* Upgrade npm to 2.15.8
- stream:
* Fix for a bug that became more prevalent with the stream changes
that landed in v4.4.5.
- V8:
* Fix for a bug in crankshaft that was causing crashes on arm64
* Add missing classes to postmortem info such as JSMap and JSSet
buffer:
- Buffer no longer errors if you call lastIndexOf with a search
term longer than the buffer
contextify:
- Context objects are now properly garbage collected. This solves
a problem some individuals were experiencing with extreme memory
growth
deps:
- update npm to 2.15.5
http:
- Invalid status codes can no longer be sent. Status codes are
limited to 3-digit numbers between 100 and 999
- deps: Fix --gdbjit for embedders. Backported from V8 upstream.
- etw: Correctly display descriptors for ETW events 9 and 23 on
the Windows platform.
- querystring: Restore throw when attempting to stringify bad
surrogate pair.
4.4.2
* https: Under certain conditions ssl sockets may have been
causing a memory leak when keepalive is enabled. This is no
longer the case.
* lib: The way that we were internally passing arguments was
causing a potential leak. By copying the arguments into an
array we can avoid this.
* npm: Upgrade to v2.15.1. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the
CLI for logged-in users, regardless of the destination of
the request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: Previously if you were using the repl in strict mode
the column number would be wrong in a stack trace. This is
no longer an issue.
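
An added example, not npm's own code, illustrating the npm fix described in the 4.4.2 notes above: a credential is attached only when the request targets a configured registry. The registry URLs, token strings and function names are constructed for illustration, and a Node.js version with the global URL class is assumed.

```javascript
// Constructed configuration: registry base URL -> token (placeholder values).
const REGISTRY_TOKENS = new Map([
  ['https://registry.example.test/', 'token-public-PLACEHOLDER'],
  ['https://npm.corp.example.test/private/', 'token-corp-PLACEHOLDER'],
]);

// Return a token only when the request URL has the same scheme, host and port
// as a configured registry and its path sits under that registry's base path.
function tokenFor(requestUrl, registries = REGISTRY_TOKENS) {
  let target;
  try {
    target = new URL(requestUrl); // also resolves "../" segments in the path
  } catch (err) {
    return null; // unparseable URL: never attach credentials
  }
  for (const [base, token] of registries) {
    const reg = new URL(base);
    const basePath = reg.pathname.endsWith('/') ? reg.pathname : reg.pathname + '/';
    if (target.origin === reg.origin &&
        (target.pathname + '/').startsWith(basePath)) {
      return token;
    }
  }
  return null; // any other destination gets no Authorization header
}

// Build request headers; the old behaviour corresponds to always adding the token.
function buildHeaders(requestUrl, registries = REGISTRY_TOKENS) {
  const headers = { accept: 'application/json' };
  const token = tokenFor(requestUrl, registries);
  if (token !== null) headers.authorization = 'Bearer ' + token;
  return headers;
}
```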
4.4.1
* build:
- Updated logos for the OSX + Windows installers
- New option to select your VS Version in the Windows installer
- Support Visual C++ Build Tools 2015
* tools: Gyp now works on OSX without Xcode
Notable changes
- deps: An update to V8 that introduces a new flag
--perf_basic_prof_only_functions
- http: A new feature in http(s) agent that catches errors on
keep-alive connections
- src: Better support for Big-Endian systems
- tls: A new feature that allows you to pass common SSL options
to tls.createSecurePair
- tools: a new flag --prof-process which will execute the tick
processor on the provided isolate files
- build: Support python path that includes spaces. This should be
of particular interest to our Windows users who may have python
living in c:/Program Files
- https: A potential fix for #3692 HTTP/HTTPS client requests
throwing EPROTO
- installer: More readable profiling information from isolate
tick logs
- npm: upgrade to npm 2.14.20
- process: Add support for symbols in event emitters. Symbols
didn't exist when the event emitter code was written
- querystring: querystring.parse() is now 13-22% faster!
- streams: performance improvements for moving small buffers that
shows a 5% throughput gain. IoT projects have been seen to be as
much as 10% faster with this change!
- tools: eslint has been updated to version 2.1.0
buffer
- make byteLength work with Buffer correctly (Jackson Tian)
debugger
- guard against call from non-node context (Ben Noordhuis)
- do not incept debug context (Myles Borins)
deps
- update to http-parser 2.5.2 (James Snell)
Note that this release includes a non-backward compatible change
to address a security issue. This change increases the version
of the LTS v4.x line to v4.3.0. There will be no further updates
to v4.2.x.
- http: fix defects in HTTP header parsing for requests and
responses that can allow request smuggling (CVE-2016-2086)
or response splitting (CVE-2016-2216). HTTP header parsing
now aligns more closely with the HTTP spec including
restricting the acceptable characters.
- http-parser: upgrade from 2.5.0 to 2.5.1
- openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate the
Logjam attack, TLS clients now reject Diffie-Hellman
handshakes with parameters shorter than 1024 bits, up from
the previous limit of 768 bits.
- introduce new --security-revert={cvenum} command line flag
for selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted
using --security-revert=CVE-2016-2216
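
An added example, not Node.js's own implementation, showing the kind of character restriction the http note above describes: header names must be RFC 7230 tokens, and values may not contain control characters such as CR or LF, which response splitting relies on. The function names and sample headers are constructed for illustration.

```javascript
// RFC 7230 "token": the characters allowed in a header field name.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// A value may hold only HTAB, space, visible ASCII and obs-text (0x80-0xff).
// Everything else, including CR (0x0d) and LF (0x0a), is rejected.
const BAD_VALUE_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

// Validate one header and report where the first offending character is.
function checkHeader(name, value) {
  if (typeof name !== 'string' || !TOKEN.test(name)) {
    return { ok: false, reason: 'invalid header name' };
  }
  const m = BAD_VALUE_CHAR.exec(String(value));
  if (m) {
    const code = m[0].charCodeAt(0).toString(16).padStart(2, '0');
    return { ok: false, reason: 'invalid character 0x' + code + ' at offset ' + m.index };
  }
  return { ok: true, reason: null };
}

// Serialize a header block, refusing the whole set if any entry fails, so a
// value taken from user input cannot start a new header line or a new message.
function serializeHeaders(headers) {
  const lines = [];
  for (const [name, value] of Object.entries(headers)) {
    const res = checkHeader(name, value);
    if (!res.ok) throw new TypeError(JSON.stringify(name) + ': ' + res.reason);
    lines.push(name + ': ' + value);
  }
  return lines.join('\r\n') + '\r\n\r\n';
}
```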
Notable changes
- http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
- openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server
using DHE key exchange. Details are available at
http://openssl.org/news/secadv/20151203.txt.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
http://openssl.org/news/secadv/20151203.txt. (Shigeki Ohtsu) #4134
- V8: Backport fixes for a bug in JSON.stringify() that can result in
out-of-bounds reads for arrays. (Ben Noordhuis)