Version 13.11.0
Notable Changes:
async_hooks: add sync enterWith to ALS
cli: allow --jitless V8 flag in NODE_OPTIONS
fs: return first folder made by mkdir recursive
n-api: define release 6
os: create a getter for kernel version
wasi: add returnOnExit option
Version 13.10.1 (Current):
In Node.js 13.9.0 deps/zlib was switched to the chromium maintained implementation. This change had the unforseen consequence of breaking building from the tarballs we release as we were too aggressively removing unneccessary files from the deps/zlib folder. This release includes a patch that ensures that individuals will once again be able to build Node.js from source.
Version 13.10.0 (Current):
Notable Changes
async_hooks
- introduce async-context API
stream
- support passing generator functions into pipeline()
tls
- expose SSL_export_keying_material
vm
- implement vm.measureMemory() for per-context memory measurement
Version 13.9.0 (Current)
async_hooks
* add executionAsyncResource
crypto
* add crypto.diffieHellman
* add DH support to generateKeyPair
* simplify DH groups
* add key type 'dh'
test
* skip keygen tests on arm systems
perf_hooks
* add property flags to GCPerformanceEntry
process
* report ArrayBuffer memory in memoryUsage()
readline
* make tab size configurable
report
* add support for Workers
worker
* add ability to take heap snapshot from parent thread
added new collaborators
* add ronag to collaborators
Version 13.8.0 (Current):
Notable Changes
This is a security release.
Vulnerabilities fixed:
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
Version 13.3.0:
Notable Changes
fs:
Reworked experimental recursive rmdir()
The maxBusyTries option is renamed to maxRetries, and its default is set to 0. The emfileWait option has been removed, and EMFILE errors use the same retry logic as other errors. The retryDelay option is now supported. ENFILE errors are now retried.
http:
Make maximum header size configurable per-stream or per-server
http2:
Make maximum tolerated rejected streams configurable
Allow to configure maximum tolerated invalid frames
wasi:
Introduce initial WASI support
Version 10.17.0 'Dubnium' (LTS):
Notable changes
crypto:
- add support for chacha20-poly1305 for AEAD
- increase maxmem range from 32 to 53 bits
deps:
- update npm to 6.11.3
- upgrade openssl sources to 1.1.1d
dns: remove dns.promises experimental warning
fs: remove experimental warning for fs.promises
http: makes response.writeHead return the response
http2: makes response.writeHead return the response
n-api:
- make func argument of napi_create_threadsafe_function optional
- mark version 5 N-APIs as stable
- implement date object
process: add --unhandled-rejections flag
stream:
- implement Readable.from async iterator utility
- make Symbol.asyncIterator support stable
Version 10.16.3 'Dubnium' (LTS):
Notable changes
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
Vulnerabilities fixed:
CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
Version 10.16.2 'Dubnium' (LTS)
Notable changes
This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.
Version 10.16.1 'Dubnium' (LTS)
Notable changes
deps: upgrade openssl sources to 1.1.1c
stream: do not unconditionally call \_read() on resume()
worker: fix nullptr deref after MessagePort deser failure
Version 10.16.0 'Dubnium' (LTS)
Notable Changes
deps:
update ICU to 64.2
upgrade npm to 6.9.0
upgrade openssl sources to 1.1.1b
upgrade to libuv 1.28.0
events: add once method to use promises with EventEmitter
n-api: mark thread-safe function as stable
repl: support top-level for-await-of
zlib: add brotli support
Also apply similar ifdefs for NetBSD as FreeBSD and OpenBSD.
Now nodejs binary won't fail during lang/npm and www/firefox builds
on NetBSD/i386 8.0.
Bump PKGREVISION.
No particular comments on pkgsrc-bug@:
http://mail-index.netbsd.org/pkgsrc-bugs/2019/03/19/msg066102.html
Should close PR pkg/53497, PR pkg/53758, PR pkg/53792, and PR pkg/53794.
Version 10.15.2 'Dubnium' (LTS):
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
for details on patched vulnerabilities.
A fix for the following CVE is included in this release:
Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
Notable Changes
http: Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by server.headersTimeout to connections in keep-alive mode.
Version 10.15.0 'Dubnium' (LTS):
The 10.14.0 security release introduced some unexpected breakages on the 10.x release line. This is a special release to fix a regression in the HTTP binary upgrade response body and add a missing CLI flag to adjust the max header size of the http parser.
Notable Changes
cli:
add --max-http-header-size flag
http:
add maxHeaderSize property
Version 10.14.2 'Dubnium' (LTS)
This LTS release comes with 374 commits. This includes 165 which are test or benchmark related, 77 which are doc related, 29 which are build / tool related and 15 commits which update dependencies.
Notable Changes
* deps:
- upgrade to c-ares v1.15.0
* Windows:
- A crashing process will now show the names of stack frames if the node.pdb file is available.
Version 10.14.0 'Dubnium' (LTS):
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
- Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
- A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol.
Version 10.13.0 'Dubnium' (LTS)
This release marks the transition of Node.js 10.x into Long Term Support (LTS) with the codename 'Dubnium'. The 10.x release line now moves in to "Active LTS" and will remain so until April 2020. After that time it will move in to "Maintenance" until end of life in April 2021.
Notable Changes
This release only includes minimal changes necessary to fix known regressions prior to LTS.
Version 10.12.0 (Current)
Notable changes
assert
* The diff output is now a tiny bit improved by sorting object properties when inspecting the values that are compared with each other.
cli
* The options parser now normalizes _ to - in all multi-word command-line flags, e.g. --no_warnings has the same effect as --no-warnings.
* Added bash completion for the node binary. To generate a bash completion script, run node --completion-bash. The output can be saved to a file which can be sourced to enable completion.
crypto
* Added support for PEM-level encryption.
* Added an API asymmetric key pair generation. The new methods crypto.generateKeyPair and crypto.generateKeyPairSync can be used to generate public and private key pairs. The API supports RSA, DSA and EC and a variety of key encodings (both PEM and DER).
fs
* Added a recursive option to fs.mkdir and fs.mkdirSync. If this option is set to true, non-existing parent folders will be automatically created.
http2
* Added a 'ping' event to Http2Session that is emitted whenever a non-ack PING is received.
* Added support for the ORIGIN frame.
* Updated nghttp2 to 1.34.0. This adds RFC 8441 extended connect protocol support to allow use of WebSockets over HTTP/2.
module
* Added module.createRequireFromPath(filename). This new method can be used to create a custom require function that will resolve modules relative to the filename path.
process
* Added a 'multipleResolves' process event that is emitted whenever a Promise is attempted to be resolved multiple times, e.g. if the resolve and reject functions are both called in a Promise executor.
url
* Added url.fileURLToPath(url) and url.pathToFileURL(path). These methods can be used to correctly convert between file: URLs and absolute paths.
util
* Added the sorted option to util.inspect(). If set to true, all properties of an object and Set and Map entries will be sorted in the returned string. If set to a function, it is used as a compare function.
The util.instpect.custom symbol is now defined in the global symbol registry as Symbol.for('nodejs.util.inspect.custom').
* Added support for BigInt numbers in util.format().
V8 API
* A number of V8 C++ APIs have been marked as deprecated since they have been removed in the upstream repository. Replacement APIs are added where necessary.
Windows
* The Windows msi installer now provides an option to automatically install the tools required to build native modules.
Workers
* Debugging support for Workers using the DevTools protocol has been implemented.
* The public inspector module is now enabled in Workers.
- child_process:
- `TypedArray` and `DataView` values are now accepted as input by
`execFileSync` and `spawnSync`.
- coverage:
- Native V8 code coverage information can now be output to disk by
setting the environment variable `NODE_V8_COVERAGE` to a directory.
- fs:
- The methods `fs.read`, `fs.readSync`, `fs.write`, `fs.writeSync`,
`fs.writeFile` and `fs.writeFileSync` now all accept `TypedArray`
and `DataView` objects.
- A new boolean option, `withFileTypes`, can be passed to to
`fs.readdir` and `fs.readdirSync`. If set to true, the methods
return an array of directory entries. These are objects that can
be used to determine the type of each entry and filter them based
on that without calling `fs.stat`.
- http2:
- The `http2` module is no longer experimental.
- os:
- Added two new methods: `os.getPriority` and `os.setPriority`,
allowing to manipulate the scheduling priority of processes.
- process:
- Added `process.allowedNodeEnvironmentFlags`. This object can be
used to programmatically validate and list flags that are allowed
in the `NODE_OPTIONS` environment variable.
- src:
- Deprecated option variables in public C++ API.
- Refactored options parsing.
- vm:
- Added `vm.compileFunction`, a method to create new JavaScript
functions from a source body, with options similar to those of
the other `vm` methods.
- buffer:
- Fix out-of-bounds (OOB) write in `Buffer.write()` for UCS-2
encoding (CVE-2018-12115)
- Fix unintentional exposure of uninitialized memory in
`Buffer.alloc()` (CVE-2018-7166)
- deps:
- Upgrade to OpenSSL 1.1.0i, fixing:
- Client DoS due to large DH parameter (CVE-2018-0732)
- ECDSA key extraction via local side-channel (CVE not assigned)
- Upgrade V8 from 6.7 to 6.8
- Memory reduction and performance improvements
- http: `http.get()` and `http.request()` (and `https` variants) can
now accept three arguments to allow for a `URL` _and_ an `options`
object
