v6.13.1:
fix(fund): support funding string shorthand
should not publish tap-snapshot folder
Add preliminary WSL support for npm and npx
print quick audit report for human output
v6.13.0:
add fund command
delete ps1 files on package removal
update supported node list to remove v6.0, v6.1, v9.0 - v9.2
v6.12.1:
add node v13 as a supported version
Fix regression in lockfile repair for sub-deps
resolve circular dependency in pack.js
v6.12.0:
Now npm ci runs prepare scripts for git dependencies, and respects the --no-optional argument. Warnings for engine mismatches are printed again. Various other fixes and cleanups.
Version 8.16.2 'Carbon' (LTS):
Notable changes
deps: upgrade openssl sources to 1.0.2s
Version 8.16.1 'Carbon' (LTS):
Notable changes
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Vulnerabilities fixed:
CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
Version 8.16.0 'Carbon' (LTS):
Notable Changes
n-api:
add API for asynchronous functions
mark thread-safe function as stable
Version 10.17.0 'Dubnium' (LTS):
Notable changes
crypto:
- add support for chacha20-poly1305 for AEAD
- increase maxmem range from 32 to 53 bits
deps:
- update npm to 6.11.3
- upgrade openssl sources to 1.1.1d
dns: remove dns.promises experimental warning
fs: remove experimental warning for fs.promises
http: makes response.writeHead return the response
http2: makes response.writeHead return the response
n-api:
- make func argument of napi_create_threadsafe_function optional
- mark version 5 N-APIs as stable
- implement date object
process: add --unhandled-rejections flag
stream:
- implement Readable.from async iterator utility
- make Symbol.asyncIterator support stable
3.5.1:
Pypy 3.3, 3.5, 3.6, and 3.6.9 support
Improve 3.0 decompilation
- no parse errors on stdlib bytecode. However accurate translation in
  control-flow and and/or detection needs work
Remove extraneous iter() in "for" of list comprehension
"for" block without a POP_BLOCK and confusing JUMP_BACK for CONTINUE.
Fix unmarshal incompleteness detected in Pypy 3.6
Miscellaneous bugs fixed
Potential Incompatibilities
Mnesia: Transactions with sticky locks could with async_asym transactions be committed in the wrong order, since asym transactions are spawned on the remote nodes. To fix this bug the communication protocol between mnesia nodes had to be updated, thus mnesia will no longer be able to connect to nodes earlier than mnesia-4.14, first released in OTP-19.0.
Stdlib: Debugging of time-outs in gen_statem has been improved. Starting a time-out is now logged in sys:log and sys:trace. Running time-outs are visible in server crash logs, and with sys:get_status. Due to this system events {start_timer, Action, State} and {insert_timeout, Event, State} have been added, which may surprise tools that rely on the format of these events. New features: The EventContent of a running time-out can be updated with {TimeoutType, update, NewEventContent}. Running time-outs can be cancelled with {TimeoutType, cancel} which is more readable than using Time = infinity.{rel, Name, Vsn, RelApps, Opts}.
Highlights
Compiler:
erlc can now automatically use a compile server to avoid starting an Erlang system for each file to be compiled in a multi-file project. See the documentation for how to enable it.
Standard libraries:
SSL: Basic support for TLS 1.3 Client for experimental use. For more information see the Standards Compliance chapter of the User's Guide.
crypto: The Message Authentication Codes (MAC) CMAC, HMAC and Poly1305 are unified into common functions in the New Crypto API. See the manual for CRYPTO. cipher_info/1 functions returns maps with information about the hash or cipher in the argument.
QuickJS is a small and embeddable Javascript engine. It supports the
ES2020 specification including modules, asynchronous generators and
proxies. It optionally supports mathematical extensions such as big
integers (BigInt), big floating point numbers (BigFloat) and operator
overloading.
what is new for perl v5.30.1
Incompatible Changes
There are no changes intentionally incompatible with 5.30.1. If any
exist, they are bugs, and we request that you submit a report. See
"Reporting Bugs" below.
Modules and Pragmata
Updated Modules and Pragmata
o Module::CoreList has been upgraded from version 5.20190522 to
5.20191110.
Documentation
Changes to Existing Documentation
We have attempted to update the documentation to reflect the changes
listed in this document. If you find any we have missed, send email to
perlbug@perl.org <mailto:perlbug@perl.org>.
Additionally, documentation has been updated to reference GitHub as the
new canonical repository and to describe the new GitHub pull request
workflow.
Configuration and Compilation
o The "ECHO" macro is now defined. This is used in a "dtrace" rule
that was originally changed for FreeBSD, and the FreeBSD make
apparently predefines it. The Solaris make does not predefine
"ECHO" which broke this rule on Solaris.
Testing
Tests were added and changed to reflect the other additions and changes
in this release.
Platform Support
Platform-Specific Notes
Win32
The locale tests could crash on Win32 due to a Windows bug, and
separately due to the CRT throwing an exception if the locale name
wasn't validly encoded in the current code page.
For the second we now decode the locale name ourselves, and always
decode it as UTF-8.
Selected Bug Fixes
o Setting $) now properly sets supplementary group ids, if you have
the necessary privileges.
o "readline @foo" now evaluates @foo in scalar context. Previously,
it would be evaluated in list context, and since readline() pops
only one argument from the stack, the stack could underflow, or be
left with unexpected values on it.
o sv_gets() now recovers better if the target SV is modified by a
signal handler.
o Matching a non-"SVf_UTF8" string against a regular expression
containing Unicode literals could leak an SV on each match attempt.
o "sprintf("%.*a", -10000, $x)" would cause a buffer overflow due to
mishandling of the negative precision value.
o "scalar()" on a reference could cause an erroneous assertion
failure during compilation.
(Dropping FreeBSD version rather than blindly guessing which number it is,
if it's different we might hear a report of it.)
Fixes report by Louis Guillaume on tech-pkg.
Vala 0.46.3
===========
* Various improvements and bug fixes:
- codegen:
+ Accept children after generating type specific declarations
+ Preserve full access to delegate variables and its target/destroy cvalues
+ Initialize delegate temp-var which is assigned by property getter
+ Silence warning about copying if delegate doesn't carry its target
+ Use gtype-boxed API for structs with "g_boxed_free" attribute [#863]
- ccode: Implicitly register declaration for added CCodeFunction
- vala: Fix compatible/disposable check between structs and their subtypes
- vala: Don't issue a warning for non-public struct fields in bindings
- girparser: Add required copy/free attributes for gtype-boxed structs
and regenerate GIR-based bindings to pick up copy/free attributes [#863]
- docs: Mention requirement of autoconf-archive as build-dependency
- vapi: Perform syntax and semantic check for all bindings on "make check"
* Bindings:
- avahi-client: Fix "use of possibly unassigned parameter" warnings
- glib-2.0: Set default_value attribute for GLib.pointer
- gnutls: Fix "use of possibly unassigned parameter" warnings
- tokyocabinet: Fix deprecation warnings
- xcb: Fix "missing return statement at end of subroutine body" errors
Vala 0.46.2
===========
* Various improvements and bug fixes:
- vala:
+ Report dedicated error message for params-array parameter mismatch
+ Output "params" qualifier of parameters
+ Allow to override virtual interface implementations [#852]
+ Perform stricter compatibility check for delegates
- codegen: Directly use "memmove()" while g_memmove() is deprecated
- valadoc: Explicitly pass --pkg libgvc
- tests: Add more tests to increase coverage
* Bindings:
- gio-unix-2.0: Fix DesktopAppInfo.get_string(), UnixFDMessage.steal_fds()
- glib-2.0: DateTime.from_iso8601() can take a null TimeZone
- gobject-2.0: Some cherry-picking from GIR generated binding
- gstreamer: Update from 1.17.0+ git master
- gtk4: Update to 3.96.0+bcea9652
- gtk4: Constructors of Gtk.MediaFile needs to be static functions
- sqlite3: Fix use of possibly unassigned parameter `errmsg'
Vala 0.46.1
===========
* Regression and bug fixes:
- vala: Run FlowAnalyzer on all given source-files [#843]
- valadoc: Explicitly pass --pkg libvala@PACKAGE_SUFFIX@ as for doclets/tests
* Bindings:
- gio-unix-2.0: Add UnixMountEntry.get_root_path() since 2.60
- gstreamer: Update from 1.17.0+ git master
- gtk4: Update to 3.96.0+97231ca2
- gtk+-3.0: Ownership mismatch of ColorButton.rgba property-accessor [#844]
- vapi: Update GIR-based bindings
Vala 0.46.0
===========
* Highlights:
- Add boolean CodeContext.keep_going and corresponding compiler option
* Various improvements and bug fixes:
- vala:
+ Move find_parent_type_symbol/get_this_type() to SemanticAnalyzer
+ Exclude nullable simple-type structs from gobject-property support
+ Reject unary operations on nullable integer/floating/boolean type [#772]
- codegen:
+ Don't append unreachable clean-up section of Block [#838]
+ Don't cause double-free due append_local_free() in uncaught-errors [#838]
+ Don't unconditionally add/return internal "result" variable [#838]
- codewriter: Write "weak" modifier for properties
- girparser: Improve evaluation of instance-parameter information [#836]
(Regenerate GIR-based bindings to pick up out/ref instance-parameters)
- girparser/gidlparser: "value_owned = true" by default for property types
- libvaladoc: Don't traverse into close circles with parent [#829]
- genie: Creation methods should not be static
* Bindings:
- glib-2.0: Fix MutexLocker binding
- glib-2.0: Add missing "DestroysInstance" attributes to Mutex/Locker API
- glib-2.0: Use 'GStatBuf' as ctype for 'Stat'
- glib-2.0: Add new symbols from 2.62
- gio-2.0: Drop metadata for NativeSocketAddress
- gstreamer: Update from 1.17.0+ git master
- gtk4: Regenerate to pick up DestroyInstance attributes
- json-glib-1.0: Change abstract methods of Serializable to virtual [#840]
- libsoup-2.4: soup_auth_new is not a constructor but a factory method [#791]
- vapi: Update GIR-based bindings
Vala 0.45.91
============
* Various improvements and bug fixes:
- vala: Init formal_target_type of built ArrayCreationExpression from
InitializerList [#835]
- vala: Add missing closing brace/bracket in to_string() of
ArrayCreationExpression and InitializerList
* Bindings:
- cairo: Add 1.16 symbols
- linux: Add more Input and update UserspaceInput bindings [#830]
- sqlite3: Bind sqlite3_expanded_sql() and sqlite3_normalised_sql()
Vala 0.45.90
============
* Various improvements and bug fixes:
- vala:
+ Support static methods in error-domains [#829]
+ Fix mixup of target_glib_major/minor in set_target_glib_version() [#825]
+ Implicit GValue cast requires GOBJECT profile
+ NoAccessorMethod checks require GOBJECT profile
+ 'construct' is not supported in POSIX profile
- codegen:
+ Use G_TYPE_CHECK_INSTANCE_CAST for comparisons with interfaces
+ Append line-break after G_DEFINE_AUTOPTR_CLEANUP_FUNC
+ Move private type-struct to type-definition section
+ Include required type-definition when casting from generic pointer [#828]
- girparser: Handle "function-macro" by skipping them [gi#159]
- valadoc: Install icons and doclets to API dependent folders
* Bindings:
- glib-2.0: Add new symbols and deprecations from 2.62
- glib-2.0: Add MappedFile.from_fd constructor [#824]
- gstreamer: Update from 1.17.0+ git master
- posix: Fix return-value of mknod() and c-include for tcgetsid()
- posix: Add *at() calls and related constants [#823]
- webkit2gtk-4.0: Fix WebContext.initialize_notification_permissions()
- x11: Fix return type of XInternAtoms and XGetAtomNames bindings
- vapi: Update GIR-based bindings
Vala 0.45.3
===========
* Various improvements and bug fixes:
- vala: Add Symbol.is_extern and use/set it accordingly (#745)
- codegen:
+ Don't write declaration of extern symbols with given header (#745)
+ Real structs are allowed by simple generics and passed as reference (#819)
+ Assign GValue result of function calls to temp-var on copy_value (#819)
- build: Pass -no-undefined when linking libvalaccodegen (#820)
* Bindings:
- glib-2.0: Add binding for g_strv_equal() (since 2.60)
- glib-2.0: Bind strcmp0 as GLib.CompareFunc<string?> (#810)
- glib-2.0: Fix RecMutexLocker binding
- glib-2.0: Add new symbols from 2.62
- gstreamer: Update from 1.17.0+ git master
- gtk4: Update to 3.96.0+b05d1676
- xtst: Fix signature of XTest.fake_relative_motion_event()
- vapi: Update GIR-based bindings
Vala 0.45.2
===========
* Various improvements and bug fixes:
- Only warn about incompatible type of external construct property [#803]
- codegen: Use array_length of collection variable instead of expression
- girparser: Skip 'attribute' elements
- girwriter: Report error on secondary top-level namespace [#805]
- genie: Drop unused "writeonly" token
- genie: Make 'self' match its TokenType name
- tests: Null-terminate arrays for compatibility test of uint8 / uchar [#809]
* Bindings:
- gmodule-2.0: Build from GIR
- glib-2.0: Add Unicode 12.0 symbols
- gstreamer: Update from 1.17.0+ git master
- gtk+-3.0: Update to 3.24.9~18177388
- gtk4: Update to 3.96.0+8cfdd6c5
- webkit2gtk-4.0: Update to 2.25.1
- vapi: Update GIR-based bindings
Vala 0.45.1
===========
* Highlights:
- Require and target GLib >= 2.48 [#671]
- Add support for --target-glib=auto [#761]
- Report error for public creation methods of abstract classes [#766]
- Report error for yield statements without async context
- Write "Source" attribute in fast-vapi mode
- No-accessor struct properties in GLib.Object class must be owned
- Support GObject properties with nullable GType-based struct type [#792]
- Always use G_TYPE_CHECK_INSTANCE_TYPE for external symbols
- valadoc: Drop obsolete "Driver" API
* Various improvements and bug fixes:
- parser: Multiple corrections for source-location of code-nodes
- build: Pass some useful G_LOG_DOMAIN definitions
- girwriter: Mention that this file is generated and not meant to be modified
- girwriter: Properly resolve GLib.TypeInterface instead of hardcoding it
- girwriter: Multiple improvements and fixes for e.g. GType classes
- girparser: Add support for string "ctype" metadata [#793]
- codegen: Move GObject property validity checks to SemanticAnalyzer
- When freeing local variables don't stop at "switch" on "continue" [#799]
- compiler: Add OptionFlags.NO_ARG to deprecated "--thread" option
* Bindings:
- Remove vte, vte-2.90 bindings [#584]
- Rename graphene-1.0 to graphene-gobject-1.0
- glib-2.0: Don't annotate dedicated GLib.assert_*() functions with [Assert]
[#769]
- clutter-1.0: Bind Margin, PaintVolume, Point, Rect and Size as struct [#795]
- cogl-1.0: Fix out-params in Cogl.get_modelview_matrix/projection_matrix/
bitmasks [#794]
- gstreamer: Update from 1.17.0+ git master
- gtk4: Update to 3.96.0+322507f2
- vapi: Update GIR-based bindings
1.13.0
- Add `six.moves.dbm_ndbm`.
- Add `six.moves.collections_abc`, which aliases the `collections`
module on Python 2-3.2 and the `collections.abc` on Python 3.3 and greater.
- Re-add distutils fallback in `setup.py`.
- On Python 3.7, `with_metaclass` supports classes using PEP
560 features.
Packages defined the variable BROKEN inconsistently. Some added quotes,
like they are required in PKG_FAIL_REASON, some omitted them.
Now all packages behave the same, and pkglint will flag future mistakes.
In the previous version, pkglint would want to indent the continuation
line with a tab. To prevent this, the variable assignment is now printed
in its canonical format.
Just like humans, pkglint does not read the "do not edit" notice at the
top of the file. Maybe it should.