This release addresses a recently supported security issue. This DoS
vulnerability in the crypto/elliptic implementations of the P-521 and P-384
elliptic curves may let an attacker craft inputs that consume excessive
amounts of CPU.
These inputs might be delivered via TLS handshakes, X.509 certificates, JWT
tokens, ECDH shares or ECDSA signatures. In some cases, if an ECDH private
key is reused more than once, the attack can also lead to key recovery.
The issue is CVE-2019-6486 and Go issue golang.org/issue/29903.
See the Go issue for more details.
v6.7.0:
Hey y'all! This is a quick hotfix release that includes some important fixes to npm@6.6.0 related to the large rewrite/refactor. We're tagging it as a feature release because the changes involve some minor new features, and semver is semver, but there's nothing major here.
NEW FEATURES
Improve usage errors to npm org commands and add optional filtering to npm org ls subcommand.
BUGFIXES
Fix default usage printout for npm org so you actually see how it's supposed to be used.
fix default usage message for npm hook
DOCS
Add manpage for npm org command.
DEPENDENCY BUMPS
Fall back to "fullfat" packuments on ETARGET errors. This will make it so that, when a package is published but the corgi follower hasn't caught up, users can still install a freshly-published package.
Fixes auth error for username/password legacy authentication.
Fixes issue with "cannot run in wd" errors for run-scripts.
Fixes issues with leaking signal-exit instances and file descriptors.
v6.6.0
REFACTORING OUT npm-REGISTRY-CLIENT
Today is an auspicious day! This release marks the end of a massive internal refactor to npm that means we finally got rid of the legacy npm-registry-client in favor of the shiny, new, window.fetch-like npm-registry-fetch.
Now, the installer had already done most of this work with the release of npm@5, but it turns out every other command still used the legacy client. This release updates all of those commands to use the new client, and while we're at it, adds a few extra goodies:
All OTP-requiring commands will now prompt. --otp is no longer required for dist-tag, access, et al.
We're starting to integrate a new config system which will eventually get extracted into a standalone package.
We now use libnpm for the API functionality of a lot of our commands! That means you can install a library if you want to write your own tooling around them.
There's now an npm org command for managing users in your org.
pacote now consumes npm-style configurations, instead of its own naming for various config vars. This will make it easier to load npm configs using libnpm.config and hand them directly to pacote.
NEW FEATURES
Make npm dist-tags the same as npm dist-tag ls.
Add support for IBM i.
Update profile to support new npm-profile API.
BUGFIXES
Fix support for passing git binary path config with --git.
Check for npm.config's existence in error-handler.js to prevent weird errors when failures happen before config object is loaded.
Fix checking for optional dependencies.
Remove tink experiments.
Handle git branch references correctly.
Report any errors above 400 as potentially not supporting audit.
Set default homepage to an empty string.
Fix npm-prefix description.
DOCS
Fix typo in npm-token documentation.
Correct docs for fake-registry interface.
Linux/i386 and SunOS/amd64 are not tested.
Changelog:
By default, the JDK on Linux or Solaris uses GTK+ 2 if available;
if not, it uses GTK+ 3.
Security fixes:
CVE-2019-2540
CVE-2018-11212
CVE-2019-2426
CVE-2019-2449
CVE-2019-2422
---------------------------------------------------------------------
--- compiler-7.3.1 --------------------------------------------------
---------------------------------------------------------------------
The compiler-7.3.1 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15501 Application(s): compiler
Related Id(s): ERL-514, ERL-807, OTP-14808
An optimization that avoided allocation of a stack
frame for some case expressions was introduced in OTP
21. (ERL-504/OTP-14808) It turns out that in rare
circumstances, this optimization is not safe.
Therefore, this optimization has been disabled.
A similar optimization will be included in OTP 22 in a
safe way.
Full runtime dependencies of compiler-7.3.1: crypto-3.6, erts-9.0,
hipe-3.12, kernel-4.0, stdlib-2.5
---------------------------------------------------------------------
--- erts-10.2.2 -----------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.2.2 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependencies have to be satisfied:
-- kernel-6.1 (first satisfied in OTP 21.1)
-- sasl-3.3 (first satisfied in OTP 21.2)
--- Fixed Bugs and Malfunctions ---
OTP-15495 Application(s): erts
Related Id(s): ERL-821
Fixed a crash when dangling files were closed after
init:restart/0.
OTP-15509 Application(s): erts
Related Id(s): PR-2027, PR-2093
A bug that could cause dirty schedulers to become
unresponsive has been fixed.
Full runtime dependencies of erts-10.2.2: kernel-6.1, sasl-3.3,
stdlib-3.5
---------------------------------------------------------------------
--- ssl-9.1.2 -------------------------------------------------------
---------------------------------------------------------------------
The ssl-9.1.2 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15477 Application(s): ssl
Related Id(s): ERL-790
Fix encoding of the SRP extension length field in ssl.
The old encoding of the SRP extension length could
cause interoperability problems with third party SSL
implementations when SRP was used.
OTP-15504 Application(s): ssl
Related Id(s): ERL-371
Guarantee active once data delivery, handling TCP
stream properly.
OTP-15505 Application(s): ssl
Correct gen_statem returns for some error cases
Full runtime dependencies of ssl-9.1.2: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.5, stdlib-3.5
---------------------------------------------------------------------
--- xmerl-1.3.19 ----------------------------------------------------
---------------------------------------------------------------------
The xmerl-1.3.19 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15492 Application(s): xmerl
Related Id(s): ERIERL-283
The charset detection parsing crashes in some cases when
the XML directive is not syntactically correct.
Full runtime dependencies of xmerl-1.3.19: erts-6.0, kernel-3.0,
stdlib-2.5
0.660:
- Literal Types
- Quick Mode Removed
- Plugin Improvements
* Add documentation for plugin system
* Make name lookup available to all plugin hooks
* Add more information to FunctionContext and MethodContext
- Other Improvements and Notable Bugs Fixed
* Introduce an optional sqlite backed incremental cache, enabled with --sqlite-cache
* Fix a daemon crash when there is a decode error
* Allow setting python_executable from config file
* Short-circuit if expression for always true/always false variables and MYPY/TYPE_CHECKING
* Don't map actual kwargs to formal *args
* Disable cache when producing reports
* Fix issues with pointer arrays in the ctypes plugin
* Support kw_only=True in the attrs plugin
* Fix some daemon crash bugs
* Better error messages when __eq__ has unexpected signature
* Collect additional timing stats and allow reporting them from the daemon
* Fix dmypy run when bad options passed to mypy
* Improve error messages from multiple inheritance compatibility checks
* Fix an incremental mode crash that can occur in situations with import cycles and star imports
6.0.15 - 2018-10-31
Added
* (Go) Executables are uploaded to GitHub releases.
Fixed
* Fix bug where leading tabs prevented parser from identifying keywords (#512
[VjacheslavVytjagov])
* [JavaScript] Fix JavaScript build (#499 noisygerman)
6.0.13 - 2018-09-25
This major release aligns Gherkin with Example Mapping, a collaborative
technique for designing scenarios and discovering details about rules and
behaviour.
A new Rule keyword has been introduced, and acts as a grouping of one or more
Examples - a new synonym for Scenario. The Scenario Outline keyword can now
be interchanged with the Scenario keyword, which makes Gherkin a little less
confusing, especially to beginners. These are the first major changes to the
Gherkin grammar in 8 years or so, and we're pretty excited about them. We
hope they will guide people towards thinking of scenarios as examples of
business rules rather than a series of form submissions and link clicking.
This rule-focused style engages product owners, and can act as amazing living
documentation of your product. It opens up for the true benefits of BDD - a
business-friendly format for describing and agreeing on software behaviour,
and a guide to development. Developers will code against this spec, and
produce better (simpler) software faster. The software will do what it says
on the tin.
The new Gherkin grammar is backwards compatible, meaning that existing Gherkin
documents are still valid.
The library API however is not backwards compatible. It is now a stream-like
API which produces a stream of messages (source, AST and pickle messages).
Internally, each library shells out to a go executable (embedded in the
library for all major OSes and processor architectures), and communicates via
STDIN/STDOUT using protocol buffers. The rationale behind this architectural
change is to reduce the maintenance burden (a single parser rather than a
dozen), but also to make it quicker and easier to implement a Gherkin library
in a new language. Just generate some protobuf classes/structs and write a
small program that shells out and communicates using those messages.
Our preliminary benchmarks suggest that performance is comparable to the
native implementations, or better. There is a small hit in startup cost, but
this is offset against a higher throughput of the parser.
At the time of this writing Gherkin 6 is nearly integrated in Cucumber-JVM and
Cucumber-Ruby. Integration with Cucumber.js has not started and we would
really welcome some help with that.
The message protocol will continue to evolve to represent runtime information
such as results, parameter types, cucumber expressions and other metadata.
This will make it easier for the community to build plugins for Cucumber. One
HTML Gherkin formatter to rule them all. Statistic plugins and more.
Added
* (TypeScript) - Added TypeScript definitions (.d.ts) for Gherkin.
* Added Rule keyword (#250 aslakhellesoy)
* Added Example as synonym for Scenario in English and many other
languages. This is to align Gherkin with BDD and Example Mapping
terminology. (aslakhellesoy)
* Added Ukoliko as an additional synonym for Given, in Croatian. (#480 banovotz)
Changed
* (JavaScript,Java,Ruby) The native parsers are removed. Parsing is done by
gherkin-go executables which are bundled with the published
libraries. (aslakhellesoy, [jaysonesmith])
* (JavaScript,Java,Ruby,Go) Scenario keyword (or Example keyword) can be used
to create Scenario Outline. (#353 aslakhellesoy)
Removed
* (Java) OSGi support has been removed. (#412 aslakhellesoy)
Fixed
* (JavaScript) Fix ability to pass language to parser. (#401 charlierudolph)
As per the comment in the file, this needs to have a PKGREVISION one
greater than the corresponding gcc48 package for preferential selection
by packaging tools.
PowerPC (at least, the variants used on hardware typically supported by
pkgsrc) does not offer the gamut of hardware-backed atomic instructions
that relatively recent versions of SpiderMonkey demand. Fall back to
using GCC's libatomic, so this builds and runs on that architecture.
v6.5.0:
NEW FEATURES
Backronym npm ci to npm clean-install.
Adds 'Homepage' to outdated --long output.
BUGFIXES
Fix sign-git-commit options. They were previously totally wrong.
Set lowercase headers for npm audit requests.
Fix npm edit handling of scoped packages.
Make summary output for npm ci go to stdout, not stderr.
Close the file descriptor during publish if exiting upload via an error. This will prevent strange error messages when the upload fails and make sure cleanup happens correctly.
Version 10.15.0 'Dubnium' (LTS):
The 10.14.0 security release introduced some unexpected breakages on the 10.x release line. This is a special release to fix a regression in the HTTP binary upgrade response body and add a missing CLI flag to adjust the max header size of the http parser.
Notable Changes
cli:
add --max-http-header-size flag
http:
add maxHeaderSize property
A few patches to the configure script to recognise the combination of
NetBSD and aarch64, and a few changes to the Makefile to make sure we've
got the right combination of options for the PLIST. It now compiles on my
Pinebook.
header for NetBSD/powerpc, so that the macppc version builds.
Thanks to maya@ for the hint.
No revision bump, as this is only a build fix for NetBSD/powerpc.
1) bootstrap rustc adds -lgcc_s when linking
-> Dropped with a BUILDLINK_TRANSFORM
2) bootstrap rustc has shared linkage to libgcc_s.so.1
-> Until upstream changes this to static linkage, we look for
libgcc_s.so.1 in ${FILESDIR} where the user must place it manually.
3) newly built rustc adds -lstdc++ instead of -lc++ when linking llvm
-> fixed with patch-src_librustc__llvm_build.rs
4) newly built rustc adds -lgcc_s when linking
-> fixed with patch-src_libunwind_build.rs
uncompyle6 3.2.5:
- 3.7.2 Remove deprecation warning on regexp string that isn't raw
- main.main() parameter codes is not used - note that
- Improve Python 3.6+ control flow detection
- More complete fragment instruction annotation for imports
---------------------------------------------------------------------
--- erts-10.2.1 -----------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.2.1 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependencies have to be satisfied:
-- kernel-6.1 (first satisfied in OTP 21.1)
-- sasl-3.3 (first satisfied in OTP 21.2)
--- Fixed Bugs and Malfunctions ---
OTP-15485 Application(s): erts
Fixed bug on big endian architectures when changing
file permissions or ownership with file:change_mode,
change_owner, change_group or write_file_info. Bug
exists since OTP-21.0.
OTP-15486 Application(s): erts
Related Id(s): PR-2061
Fixed bug in atomics with option {signed,false} when
returned values are (1 bsl 63) or larger. Could cause
heap corruption leading to VM crash or other unpleasant
symptoms. Bug exists since OTP-21.2 when module atomics
was introduced.
OTP-15487 Application(s): erts
Related Id(s): ERL-804
Fixed bug in operator band of two negative operands
causing erroneous result if the absolute value of one
of the operands has the lowest N*W bits as zero and
the other absolute value is not larger than N*W bits. N
is an integer of 1 or larger and W is 32 or 64
depending on word size.
Full runtime dependencies of erts-10.2.1: kernel-6.1, sasl-3.3,
stdlib-3.5
---------------------------------------------------------------------
--- ssl-9.1.1 -------------------------------------------------------
---------------------------------------------------------------------
The ssl-9.1.1 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15489 Application(s): ssl
Related Id(s): ERL-308
Fixed renegotiation bug. Client did not handle server
initiated renegotiation correctly after rewrite to two
connection processes, due to ERL-622 commit
d87ac1c55188f5ba5cdf72384125d94d42118c18. This could
manifest itself as a "bad_record_mac" alert.
Also included are some optimizations
Full runtime dependencies of ssl-9.1.1: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.5, stdlib-3.5
---------------------------------------------------------------------
--- ssh-4.7.3 -------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.7.3 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15397 Application(s): ssh
Related Id(s): ERL-801
Fixed port leakage if a ssh:daemon call failed.
Full runtime dependencies of ssh-4.7.3: crypto-4.2, erts-6.0,
kernel-3.0, public_key-1.5.2, stdlib-3.3