Ruby 3.0.2 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
See the commit logs for details:
<https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2>.
Ruby 2.7.4 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
See the commit logs for details:
<https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4>.
Ruby 2.6.8 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
We ordinarily do not fix Ruby 2.6 except security fixes, but this
release also includes some regressed bugs and build problem fixes.
See the commit logs for details.
Ruby 2.6 is now under the state of the security maintenance phase,
until the end of March of 2022. After that date, maintenance of Ruby
2.6 will be ended. We recommend you start planning the migration to
newer versions of Ruby, such as 3.0 or 2.7.
Version 14.17.3 'Fermium' (LTS)
Notable Changes
Node.js 14.17.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.
Version 14.17.2 'Fermium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
Version 12.22.3 'Erbium' (LTS)
Notable Changes
Node.js 12.22.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.
Version 12.22.2 'Erbium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
CVE-2021-27290: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High)
This is a vulnerability in the ssri npm module which may be vulnerable to denial of service attacks. You can read more about it in https://github.com/advisories/GHSA-vx3p-948g-6vhq
CVE-2021-23362: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium)
This is a vulnerability in the hosted-git-info npm module which may be vulnerable to denial of service attacks. You can read more about it in https://nvd.nist.gov/vuln/detail/CVE-2021-23362
Ruby on Rails 6.0.4 (2021-06-15), including security fixes.
Active Support
* Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing
options to read_multi causing fetch_multi to not work properly.
(Rajesh Sharma)
* with_options copies its options hash again to avoid leaking mutations.
Fixes #39343. (Eugene Kenny)
Active Record
* Only warn about negative enums if a positive form that would cause
conflicts exists. Fixes #39065. (Alex Ghiculescu)
* Allow the inverse of a has_one association that was previously
autosaved to be loaded. Fixes #34255. (Steven Weber)
* Reset statement cache for association if table_name is changed.
Fixes #36453. (Ryuta Kamizono)
* Type cast extra select for eager loading. (Ryuta Kamizono)
* Prevent collection associations from being autosaved multiple times.
Fixes #39173. (Eugene Kenny)
* Resolve issue with insert_all unique_by option when used with
expression index.
When the :unique_by option of ActiveRecord::Persistence.insert_all
and ActiveRecord::Persistence.upsert_all was used with the name of
an expression index, an error was raised. Adding a guard around the
formatting behavior for the :unique_by corrects this.
Usage:
    create_table :books, id: :integer, force: true do |t|
      t.column :name, :string
      t.index "lower(name)", unique: true
    end
    Book.insert_all [{ name: "MyTest" }], unique_by: :index_books_on_lower_name
Fixes #39516. (Austen Madden)
* Fix preloading for polymorphic association with custom scope.
(Ryuta Kamizono)
* Allow relations with different SQL comments in the or method.
(Takumi Shotoku)
* Resolve conflict between counter cache and optimistic locking.
Bump an Active Record instance's lock version after updating its
counter cache. This avoids raising an unnecessary
ActiveRecord::StaleObjectError upon subsequent transactions by
maintaining parity with the corresponding database record's
lock_version column. Fixes #16449. (Aaron Lipman)
* Fix through association with source/through scope which has joins.
(Ryuta Kamizono)
* Fix through association to respect source scope for includes/preload.
(Ryuta Kamizono)
* Fix eager load with Arel joins to maintain the original joins order.
(Ryuta Kamizono)
* Fix group by count with eager loading + order + limit/offset.
(Ryuta Kamizono)
* Fix left joins order when merging multiple left joins from different
associations. (Ryuta Kamizono)
* Fix index creation to preserve index comment in bulk change table on
MySQL. (Ryuta Kamizono)
* Change remove_foreign_key to not check :validate option if database
doesn't support the feature. (Ryuta Kamizono)
* Fix the result of aggregations to maintain duplicated "group by"
fields. (Ryuta Kamizono)
* Do not return duplicated records when using preload. (Bogdan Gusiev)
Action View
* SanitizeHelper.sanitized_allowed_attributes and
SanitizeHelper.sanitized_allowed_tags call safe_list_sanitizer's
class method. Fixes #39586. (Taufiq Muhammadi)
Action Pack
* Accept base64_urlsafe CSRF tokens to make forward compatible.
Base64 strict-encoded CSRF tokens are not inherently websafe, which
makes them difficult to deal with. For example, the common practice
of sending the CSRF token to a browser in a client-readable cookie
does not work properly out of the box: the value has to be
url-encoded and decoded to survive transport.
In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which
are inherently safe to transport. Validation accepts both urlsafe
tokens, and strict-encoded tokens for backwards compatibility.
In Rails 5.2.5, the CSRF token format is accidentally changed to
urlsafe-encoded. If you upgrade apps from 5.2.5, set the config
urlsafe_csrf_tokens = true.
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
(Scott Blum, Étienne Barrié)
* Signed and encrypted cookies can now store false as their value when
action_dispatch.use_cookies_with_metadata is enabled. (Rolandas
Barysas)
Active Storage
* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print
margins. This matches the behavior of the MuPDF previewer. (Vincent
Robert)
Railties
* Allow relative paths with trailing slashes to be passed to rails
test. (Eugene Kenny)
* Return a 405 Method Not Allowed response when a request uses an
unknown HTTP method. Fixes #38998. (Loren Norman)
Ruby on Rails 5.2.6 (2021-05-05)
There are changes in www/ruby-actionpack52 only, including security fix.
Action Pack
* Accept base64_urlsafe CSRF tokens to make forward compatible.
Base64 strict-encoded CSRF tokens are not inherently websafe, which
makes them difficult to deal with. For example, the common practice
of sending the CSRF token to a browser in a client-readable cookie
does not work properly out of the box: the value has to be
url-encoded and decoded to survive transport.
In this version, we generate Base64 urlsafe-encoded CSRF tokens,
which are inherently safe to transport. Validation accepts both
urlsafe tokens, and strict-encoded tokens for backwards
compatibility.
How the tokens are encoded is controlled by the
action_controller.urlsafe_csrf_tokens config.
In Rails 5.2.5, the CSRF token format was accidentally changed to
urlsafe-encoded.
Attention: If you already upgraded your application to 5.2.5, set the
config urlsafe_csrf_tokens to true, otherwise your form submission
will start to fail during the deploy of this new version.
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
If you are upgrading from 5.2.4.x, you don't need to change this
configuration.
Scott Blum, Étienne Barrié
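The transport problem described in the two Action Pack entries above, as an added Ruby example (not Rails' own code). The token bytes are constructed, `via_form` stands in for a server form-decoding a value the client did not percent-encode, and dropping the `=` padding from the urlsafe form is an assumption of this sketch.

```ruby
require "uri"

# Constructed 32-byte token; its strict Base64 form consists almost
# entirely of "+" and "/", the characters that do not survive transport.
TOKEN = ("\xfb\xff\xbe".b * 10) + "\xfb\xff".b

# Strict Base64 (same alphabet as Base64.strict_encode64).
def strict_encode(raw)
  [raw].pack("m0")
end

# URL-safe Base64: "+" -> "-", "/" -> "_", padding dropped (assumption).
def urlsafe_encode(raw)
  strict_encode(raw).tr("+/", "-_").delete("=")
end

# What a server sees when a client copies a cookie value into a
# form-encoded body without percent-encoding it: "+" decodes to a space.
def via_form(value)
  URI.decode_www_form_component(value)
end

# Accept both encodings: map the urlsafe alphabet back, restore padding,
# then strict-decode. Returns nil for anything that is not valid Base64.
def decode_token(encoded)
  std = encoded.tr("-_", "+/")
  std += "=" * ((4 - std.length % 4) % 4)
  std.unpack1("m0")
rescue ArgumentError
  nil
end

# Length check plus XOR accumulation, so the comparison does not stop
# at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def valid_token?(submitted, expected_raw)
  raw = decode_token(submitted)
  !raw.nil? && secure_compare(raw, expected_raw)
end

if __FILE__ == $0
  strict  = strict_encode(TOKEN)
  urlsafe = urlsafe_encode(TOKEN)
  puts "strict  direct:   #{valid_token?(strict, TOKEN)}"
  puts "urlsafe direct:   #{valid_token?(urlsafe, TOKEN)}"
  puts "strict  via form: #{valid_token?(via_form(strict), TOKEN)}"
  puts "urlsafe via form: #{valid_token?(via_form(urlsafe), TOKEN)}"
end
```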
Although 8 doesn't seem to use kqueue by default the class is
still compiled so it's a good idea to have the correct values.
Bump PKGREVISION for this and recent changes.
Python 3.9.6 final
Security
bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
Core and Builtins
bpo-44409: Fix error location information for tokenizer errors raised on initialization of the tokenizer. Patch by Pablo Galindo.
bpo-43667: Improve Unicode support in non-UTF locales on Oracle Solaris. This issue does not affect other Solaris systems.
bpo-44168: Fix error message in the parser involving keyword arguments with invalid expressions. Patch by Pablo Galindo
bpo-44114: Fix incorrect dictkeys_reversed and dictitems_reversed function signatures in C code, which broke webassembly builds.
bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.9.5.
bpo-28146: Fix a confusing error message in str.format().
bpo-11105: When compiling ast.AST objects with recursive references through compile(), the interpreter doesn’t crash anymore instead it raises a RecursionError.
Library
bpo-44516: Update vendored pip to 21.1.3
bpo-44482: Fix very unlikely resource leak in glob in alternate Python implementations.
bpo-44439: Fix in bz2.BZ2File.write() / lzma.LZMAFile.write() methods, when the input data is an object that supports the buffer protocol, the file length may be wrong.
bpo-44434: _thread.start_new_thread() no longer calls PyThread_exit_thread() explicitly at the thread exit, the call was redundant. On Linux with the glibc, pthread_exit() aborts the whole process if dlopen() fails to open libgcc_s.so file (ex: EMFILE error). Patch by Victor Stinner.
bpo-44422: The threading.enumerate() function now uses a reentrant lock to prevent a hang on reentrant call. Patch by Victor Stinner.
bpo-44395: Fix as_string() to pass unixfrom properly. Patch by Dong-hee Na.
bpo-44342: [Enum] Be more robust in searching for pickle support before making an enum class unpicklable.
bpo-44356: [Enum] Allow multiple data-type mixins if they are all the same.
bpo-44254: On Mac, give turtledemo button text a color that works on both light or dark background. Programmers cannot control the latter.
bpo-44145: hmac computations were not releasing the GIL while calling the OpenSSL HMAC_Update C API (a new feature in 3.9). This unintentionally prevented parallel computation as other hashlib algorithms support.
bpo-37788: Fix a reference leak when a Thread object is never joined.
bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects
bpo-36515: The hashlib module no longer does unaligned memory accesses when compiled for ARM platforms.
bpo-44018: random.seed() no longer mutates bytearray inputs.
bpo-38352: Add IO, BinaryIO, TextIO, Match, and Pattern to typing.__all__. Patch by Jelle Zijlstra.
bpo-43972: When http.server.SimpleHTTPRequestHandler sends a 301 (Moved Permanently) for a directory path not ending with /, add a Content-Length: 0 header. This improves the behavior for certain clients.
bpo-28528: Fix a bug in pdb where checkline() raises AttributeError if it is called after reset().
bpo-43776: When subprocess.Popen args are provided as a string or as pathlib.Path, the Popen instance repr now shows the right thing.
bpo-43666: AIX: Lib/_aix_support.get_platform() may fail in an AIX WPAR. The fileset bos.rte appears to have a builddate in both LPAR and WPAR so this fileset is queried rather than bos.mp64. To prevent a similar situation (no builddate in ODM) a value (9988) sufficient for completing a build is provided. Patch by M Felt.
bpo-43650: Fix MemoryError in shutil.unpack_archive() which fails inside shutil._unpack_zipfile() on large files. Patch by Igor Bolshakov.
bpo-43318: Fix a bug where pdb does not always echo cleared breakpoints.
bpo-43295: datetime.datetime.strptime() now raises ValueError instead of IndexError when matching 'z' with the %z format specifier.
bpo-37022: pdb now displays exceptions from repr() with its p and pp commands.
Documentation
bpo-40620: Convert examples in tutorial controlflow.rst section 4.3 to be interpreter-demo style.
bpo-13814: In the Design FAQ, answer “Why don’t generators support the with statement?”
bpo-44392: Added a new section in the C API documentation for types used in type hinting. Documented Py_GenericAlias and Py_GenericAliasType.
bpo-38291: Mark typing.io and typing.re as deprecated since Python 3.8 in the documentation. They were never properly supported by type checkers.
bpo-44322: Document that SyntaxError args have a details tuple and that details are adjusted for errors in f-string field replacement expressions.
bpo-44195: Corrected references to TraversableResources in docs. There is no TraversableReader.
bpo-41963: Document that ConfigParser strips off comments when reading configuration files.
bpo-44072: Correct where in the numeric ABC hierarchy ** support is added, i.e., in numbers.Complex, not numbers.Integral.
bpo-43558: Add the remark to dataclasses documentation that the __init__() of any base class has to be called in __post_init__(), along with a code example.
bpo-41621: Document that collections.defaultdict parameter default_factory defaults to None and is positional-only.
Tests
bpo-44287: Fix asyncio test_popen() of test_windows_utils by using a longer timeout. Use military grade battle-tested test.support.SHORT_TIMEOUT timeout rather than a hardcoded timeout of 10 seconds: it’s 30 seconds by default, but it is made longer on slow buildbots. Patch by Victor Stinner.
bpo-44363: Account for address sanitizer in test_capi. test_capi now passes when run with GCC address sanitizer.
Build
bpo-44381: The Windows build now accepts EnableControlFlowGuard set to guard to enable CFG.
Windows
bpo-41299: Fix 16ms jitter when using timeouts in threading, such as with threading.Lock.acquire() or threading.Condition.wait().
macOS
bpo-43568: Relax unnecessarily restrictive MACOSX_DEPLOYMENT_TARGET check when building extension modules for macOS. Patch by Joshua Root.
bpo-43109: Allow --with-lto configure option to work with Apple-supplied Xcode or Command Line Tools.
IDLE
bpo-40128: Mostly fix completions on macOS when not using tcl/tk 8.6.11 (as with 3.9). The added update_idletask call should be harmless and possibly helpful otherwise.
bpo-33962: Move the indent space setting from the Font tab to the new Windows tab. Patch by Mark Roseman and Terry Jan Reedy.
bpo-40468: Split the settings dialog General tab into Windows and Shell/ED tabs. Move help sources, which extend the Help menu, to the Extensions tab. Make space for new options and shorten the dialog. The latter makes the dialog better fit small screens.
bpo-41611: Avoid uncaught exceptions in AutoCompleteWindow.winconfig_event().
bpo-41611: Fix IDLE sometimes freezing upon tab-completion on macOS.
Tools/Demos
bpo-44074: Make patchcheck automatically detect the correct base branch name (previously it was hardcoded to ‘master’)
C API
bpo-44441: Py_RunMain() now resets PyImport_Inittab to its initial value at exit. It must be possible to call PyImport_AppendInittab() or PyImport_ExtendInittab() at each Python initialization. Patch by Victor Stinner.
bpo-42083: Fix crash in PyStructSequence_NewType() when passed NULL in the documentation string slot.
Python 3.8.11 final
Security
bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.
Core and Builtins
bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.8.10.
Library
bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects
Python 3.7.11 final
Security
bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it can be used to cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
Tests
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
Python 3.6.14 final
Security
bpo-44022: http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it can be used to cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
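The PASV handling described in bpo-43285, and listed above for Net::FTP as CVE-2021-31810, sketched as an added Ruby example; this is neither ftplib's nor Net::FTP's code. The function names, the `trust_server_ip` keyword and the sample reply are constructed for illustration: the client keeps the port from the 227 reply but connects to the address of the control connection, and reports a mismatch so it can be logged.

```ruby
# 227 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = /\A227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

# Parse the advertised IPv4 address and port out of a PASV reply.
def parse_pasv(reply)
  m = PASV_RE.match(reply)
  raise ArgumentError, "not a 227 reply: #{reply.inspect}" if m.nil?
  nums = m.captures.map(&:to_i)
  raise ArgumentError, "field out of range" if nums.any? { |n| n > 255 }
  [nums[0, 4].join("."), nums[4] * 256 + nums[5]]
end

# Decide where the data connection goes. By default the advertised
# address is ignored and the control connection's peer is used; the
# mismatch flag is kept so the caller can log or alert on it.
def data_endpoint(reply, control_peer, trust_server_ip: false)
  advertised, port = parse_pasv(reply)
  {
    host: trust_server_ip ? advertised : control_peer,
    port: port,
    advertised: advertised,
    mismatch: advertised != control_peer
  }
end

if __FILE__ == $0
  # Constructed sample: the server at 203.0.113.10 advertises an
  # internal address and port 22 in its reply.
  reply = "227 Entering Passive Mode (192,168,1,1,0,22)"
  p data_endpoint(reply, "203.0.113.10")
  p data_endpoint(reply, "203.0.113.10", trust_server_ip: true)
end
```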
It seems that os_bsd.cpp:Semaphore::~Semaphore() is sometimes called
twice, causing a crash in the call path
vm_direct_exit() -> exit() -> __cxa_finalize () -> sem_destroy().
This patch works around the crash but may obscure some deeper problem.
LLVM versions >= 12 cannot currently correctly compile gcc stage 1 because
GCC assumes references to certain symbols like "ix86_isa_flags" will be
optimized away.
Details: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=255760
Mypy 0.910 released
22 Jun 2021: Mypy 0.910 was released. This release includes the --non-interactive command-line option to install stubs without user interaction, plus other fixes and improvements. Python 3.5 is now deprecated. Read the blog post for the details.
Mypy 0.901 released
8 Jun 2021: Mypy 0.901 was released. This release moves third-party library stubs to stub packages, allowing newer stubs to be easily used without updating mypy. Mypy now supports pyproject.toml and type guards, and ships wheels for Apple Silicon. Plus, there are many other features and bug fixes. Read the blog post for the details.
Version 14.17.1 'Fermium' (LTS)
Notable Changes
- deps: update ICU to 69.1 (Michaël Zasso)
- errors: align source-map stacks with spec (Benjamin Coe)
Commits
- assert: refactor to use more primordials (Antoine du Hamel)
- assert: refactor to avoid unsafe array iteration (Antoine du Hamel)
- async_hooks: refactor to avoid unsafe array iteration (Antoine du Hamel)
- async_hooks,doc: replace process.stdout.fd with 1 (Darshan Sen)
- benchmark: avoid using console.log() (Antoine du Hamel)
- benchmark: use process.hrtime.bigint() (Antoine du Hamel)
- buffer: remove TODOs in atob / btoa (Khaidi Chu)
- buffer: remove unreachable code (Rongjian Zhang)
- buffer: make FastBuffer safe to construct (Antoine du Hamel)
- buffer: refactor to use primordials instead of Array#reduce (Antoine du Hamel)
- buffer: refactor to use more primordials (Antoine du Hamel)
- build: work around bug in MSBuild v16.10.0 (Michaël Zasso)
- build: add workaround for V8 builds (Richard Lau)
- build: remove dependency on distutils.spawn (Richard Lau)
- build: fix make test-npm (Ruy Adorno)
- child_process: reduce abort handler code duplication (Rich Trott)
- child_process: treat already-aborted controller as aborting (Rich Trott)
- child_process: refactor to use more primordials (Antoine du Hamel)
- deps: update to cjs-module-lexer@1.2.1 (Guy Bedford)
- deps: update ICU to 69.1 (Michaël Zasso)
- deps: V8: cherry-pick 035c305ce776 (Michaël Zasso)
- deps: V8: cherry-pick dfcdf7837e23 (Benjamin Coe)
- deps: V8: cherry-pick 86991d0587a1 (Benjamin Coe)
- deps: V8: cherry-pick 530080c44af2 (Milad Fa)
- dgram: extract cluster lazy loading method to make it testable (Rongjian Zhang)
- dgram: refactor to use more primordials (Antoine du Hamel)
- dns: refactor to use more primordials (Antoine du Hamel)
- doc: cleanup events.md structure (James M Snell)
- doc: fix JS flavor selection (Antoine du Hamel)
- doc: use HEAD instead of master for links (Antoine du Hamel)
- doc: remove import.meta.resolve parent URL type (Kevin Locke)
- doc: document buffer.kStringMaxLength (Tobias Nießen)
- doc: clarify synchronous blocking of Worker stdio (James M Snell)
- doc: update contact info (Gabriel Schulhof)
- doc: change color of doctag on night mode (Qingyu Deng)
- doc: clarify DiffieHellmanGroup class docs (Nitzan Uziely)
- doc: use AIX instead of Aix in fs.md (Rich Trott)
- doc: remove extraneous dash from flag prefix (Rodolfo Carvalho)
- doc: document 'secureConnect' event limitation (James M Snell)
- doc: mark querystring api as legacy (James M Snell)
- doc: add arguments for stream event of Http2Server and Http2SecureServer (Qingyu Deng)
- doc: indicate that abort tests do not generate core files (Rich Trott)
- doc: add try/catch in http2 respondWithFile example (Matteo Collina)
- doc: note the system requirements for V8 tests (DeeDeeG)
- doc: minor clarification to pathObject (James M Snell)
- doc: document new TCP_KEEPCNT and TCP_KEEPINTVL socket option defaults (Arnold Zokas)
- doc: do not mention TCP in the allowHalfOpen option description (Luigi Pinca)
- doc: update message to match actual output (Rich Trott)
- doc: request default snap track be updated for LTS (Rod Vagg)
- doc: mark process.hrtime() as legacy (Antoine du Hamel)
- doc: fix version history for "exports" patterns (Antoine du Hamel)
- doc: fix package.json "imports" field history (Antoine du Hamel)
- doc: fix typo in buffer.md (divlo)
- doc: add nodejs-sec email template (Daniel Bevenius)
- doc: update TSC members list with three new members (Rich Trott)
- doc: use foo.prototype.bar notation in buffer.md (Voltrex)
- doc: internal/test/binding for testing (Bradley Meck)
- doc: add missing events.on metadata (Anna Henningsen)
- doc: fix wording in outgoingMessage.write (Tobias Nießen)
- doc: fix grammar errors in http document (Qingyu Deng)
- doc: add document for http.OutgoingMessage (Qingyu Deng)
- doc: remove generated from dsaEncoding description (Marko Kaznovac)
- doc: document how to register external bindings for snapshot (Joyee Cheung)
- doc: document the NO_COLOR and FORCE_COLOR env vars (James M Snell)
- doc: clarify event.isTrusted text (Rich Trott)
- doc: expand openssl instructions (Michael Dawson)
- doc: document ABORT_ERR code (Benjamin Gruenbaum)
- doc: document changes for */promises alias modules (ExE Boss)
- errors: align source-map stacks with spec (Benjamin Coe)
- errors: refactor to use more primordials (Antoine du Hamel)
- errors: display original symbol name (Benjamin Coe)
- errors: refactor to use more primordials (Antoine du Hamel)
- errors: refactor to use more primordials (Antoine du Hamel)
- events: refactor to use optional chaining (ZiJian Liu)
- events: refactor to use more primordials (Antoine du Hamel)
- fs: fix error when writing buffers > INT32_MAX (Zach Bjornson)
- Revert "http: make HEAD method to work with keep-alive" (Michaël Zasso)
- http2: treat non-EOF empty frames like other invalid frames (Anna Henningsen)
- http2: fix setting options before handle exists (Anna Henningsen)
- http2: add support for TypedArray to getUnpackedSettings (Antoine du Hamel)
- https: refactor to use more primordials (Antoine du Hamel)
- inspector: remove redundant method for connection check (Yash Ladha)
- inspector: refactor to use more primordials (Antoine du Hamel)
- lib: revert primordials in a hot path (Antoine du Hamel)
- lib: make IterableWeakMap safe to iterate (Antoine du Hamel)
- lib: fix and improve os typings (Akhil Marsonya)
- lib: add URI handling functions to primordials (Antoine du Hamel)
- lib: fix WebIDL object and dictionary type conversion (ExE Boss)
- lib: refactor to use optional chaining in internal/options.js (raisinten)
- lib: support returning Safe collections from C++ (ExE Boss)
- lib: expose primordials object (Antoine du Hamel)
- lib: refactor source_map to use more primordials (Antoine du Hamel)
- lib: refactor source_map to avoid unsafe array iteration (Antoine du Hamel)
- lib: simplify primordials.uncurryThis (ExE Boss)
- lib: remove v8_prof_polyfill from eslint ignore list (Antoine du Hamel)
- lib: remove unused code (Brian White)
- lib: refactor to use more primordials in internal/encoding.js (raisinten)
- lib: refactor to use primordials in internal/priority_queue.js (ZiJian Liu)
- lib: add primordials.SafeStringIterator (Antoine du Hamel)
- lib: make safe primordials safe to construct (Antoine du Hamel)
- lib: make safe primordials safe to iterate (Antoine du Hamel)
- lib: refactor to use more primordials in internal/histogram.js (raisinten)
- lib: add uncurried accessor properties to primordials (ExE Boss)
- lib: refactor primordials.uncurryThis (Antoine du Hamel)
- lib: refactor to use more primordials (Antoine du Hamel)
- lib: add %TypedArray% abstract constructor to primordials (ExE Boss)
- lib: use Object static properties from primordials (Michaël Zasso)
- lib,tools: enforce access to prototype from primordials (Antoine du Hamel)
- meta: add v8 team (Jiawen Geng)
- meta: post comment when pr labeled fast-track (James M Snell)
- module: clarify CJS global-like variables not defined error message (Antoine du Hamel)
- module: refactor NativeModule to avoid unsafe array iteration (Antoine du Hamel)
- module: simplify tryStatSync with throwIfNoEntry option (Antoine du Hamel)
- module: refactor to use more primordials (Antoine du Hamel)
- module: refactor to use more primordials (Antoine du Hamel)
- module: refactor to use iterable-weak-map (Benjamin Coe)
- net: refactor to use more primordials (Antoine du Hamel)
- node-api: faster threadsafe_function (Fedor Indutny)
- node-api: fix shutdown crashes (Michael Dawson)
- node-api: make reference weak parameter an indirect link to references (Chengzhong Wu)
- os: refactor to use more primordials (Antoine du Hamel)
- path: inline conditions (Voltrex)
- path: refactor to use more primordials (Akhil Marsonya)
- path: refactor to use more primordials (Antoine du Hamel)
- perf_hooks: throw ERR_INVALID_ARG_VALUE if histogram.percentile param is NaN (ZiJian Liu)
- perf_hooks: refactor to avoid unsafe array iteration (Antoine du Hamel)
- perf_hooks: refactor to use more primordials (Antoine du Hamel)
- policy: refactor to use more primordials (Antoine du Hamel)
- querystring: refactor to use more primordials (Antoine du Hamel)
- readline: refactor to use more primordials (Antoine du Hamel)
- repl: document top level await limitation with const/let (James M Snell)
- repl: display prompt once after error callback (Anna Henningsen)
- src: fix multiple AddLinkedBinding() calls (Anna Henningsen)
- src: update cares_wrap OpenBSD defines (Anna Henningsen)
- src: remove extra semi after member fn (Shelley Vohr)
- src: make workers messaging more resilient (Juan José Arboleda)
- src: fix validation of negative offset to avoid abort (James M Snell)
- src: use %progbits instead of @progbits (Stephen Gallagher)
- src: fix setting Converter sub char length (James M Snell)
- src: avoid deferred gc/cleanup for Buffer.from (James M Snell)
- src: indent long help text properly (David Glasser)
- src: fix ETW_WRITE_EMPTY_EVENT macro (Michaël Zasso)
- src: disable unfixable MSVC warnings (Michaël Zasso)
- src: avoid implicit type conversions (take 2) (Michaël Zasso)
- src: fix compiler warnings in node_buffer.cc (Darshan Sen)
- src: fix compiler warning in env.cc (Anna Henningsen)
- src: add check against non-weak BaseObjects at process exit (Anna Henningsen)
- src: use transferred consistently (Daniel Bevenius)
- src: fix label indentation (Rich Trott)
- stream: fix multiple Writable.destroy() calls (Robert Nagy)
- stream: the position of _read() is wrong (helloyou2012)
- stream: only use legacy close listeners if not willEmitClose (Robert Nagy)
- stream: fix legacy pipe error handling (Robert Nagy)
- string_decoder: throw ERR_STRING_TOO_LONG for UTF-8 (Michaël Zasso)
- string_decoder: refactor to use more primordials (Antoine du Hamel)
- test: improve coverage of lib/_http_client.js (Rongjian Zhang)
- test: improve coverage of lib/os.js (Rongjian Zhang)
- test: call functions internally (Voltrex)
- test: complete coverage of querystring (Rongjian Zhang)
- test: increase coverage for AbortController (ZiJian Liu)
- test: run message and pseudo-tty tests in parallel (Richard Lau)
- test: move test-net-connect-econnrefused from pummel to sequential (Rich Trott)
- test: fix common.mustCall length and name properties (Antoine du Hamel)
- test: address deprecation warning (Rich Trott)
- test: move abort test from pummel to abort directory (Rich Trott)
- test: skip some pummel tests on slower machines (Rich Trott)
- test: add ancestor package.json checks for tmpdir (Richard Lau)
- test: replace function with arrow function and remove unused argument (Andres)
- test: use .test domain for not found address (Richard Lau)
- test: increase fs promise coverage (Emil Sivervik)
- test: increase timeout on ASAN Action (Antoine du Hamel)
- test: improve coverage of SourceTextModule getters (Juan José Arboleda)
- test: improve coverage for Module getters (Juan José Arboleda)
- test: improve coverage on worker threads (Juan José Arboleda)
- test: improve coverage at lib/internal/vm/module.js (Juan José Arboleda)
- test: guard large string decoder allocation (Michaël Zasso)
- test: add already-aborted-controller test for spawn() (Rich Trott)
- test: add test for reused AbortController with execfile() (Rich Trott)
- test: add Actions annotation output (Mary Marchini)
- test: use .then(common.mustCall()) for all async IIFEs (Anna Henningsen)
- test,doc,lib: adjust object literal newlines for lint rule (Rich Trott)
- test,readline: improve tab completion coverage (Antoine du Hamel)
- timers: fix unsafe array iteration (Darshan Sen)
- timers: reject with AbortError on cancellation (Benjamin Gruenbaum)
- timers: refactor to use more primordials (Antoine du Hamel)
- timers: cleanup abort listener on awaitable timers (James M Snell)
- tls: validate ticket keys buffer (Antoine du Hamel)
- tls: fix session and keylog add listener segfault (Nitzan Uziely)
- tools: refloat 7 Node.js patches to cpplint.py (Rich Trott)
- tools: bump cpplint to 1.5.4 (Rich Trott)
- tools: refloat 7 Node.js patches to cpplint.py (Rich Trott)
- tools: bump cpplint to 1.5.3 (Rich Trott)
- tools: refloat 7 Node.js patches to cpplint.py (Rich Trott)
- tools: bump cpplint.py to 1.5.2 (Rich Trott)
- tools: update ESLint to 7.27.0 (Luigi Pinca)
- tools: update ESLint to 7.26.0 (Colin Ihrig)
- tools: update ESLint to 7.25.0 (Colin Ihrig)
- tools: update ESLint to 7.24.0 (Colin Ihrig)
- tools: update ESLint to 7.23.0 (Luigi Pinca)
- tools: update ESLint to 7.22.0 (Colin Ihrig)
- tools: make update-eslint.sh work with npm@7 (Luigi Pinca)
- tools: add support for mjs and cjs JS snippet linting (Antoine du Hamel)
- tools: update eslint-plugin-markdown configuration (Colin Ihrig)
- tools: enable object-curly-newline in ESLint rules (Rich Trott)
- tools: make GH Actions workflows work if default branch is not master (Antoine du Hamel)
- tools: use mktemp to create the workspace directory (Luigi Pinca)
- tools: use a shallow clone of the npm/cli repository (Luigi Pinca)
- tools: remove fixer for non-ascii-character ESLint custom rule (Rich Trott)
- tools: fix doc generation when version info is not available (Antoine du Hamel)
- tools: add _depot_tools to PATH (for V8 tests) (DeeDeeG)
- tools: fix type mismatch in test runner (Richard Lau)
- tools: simplify eslint comma-dangle configuration (tools) (Rich Trott)
- tools: simplify eslint comma-dangle configuration (Rich Trott)
- tools: run doctool tests on GitHub Actions CI (Antoine du Hamel)
- tools: refactor prefer-primordials (Antoine du Hamel)
- tools: update ESLint to 7.21.0 (Luigi Pinca)
- tools: update ESLint to 7.20.0 (Colin Ihrig)
- tools: update ESLint to 7.19.0 (Colin Ihrig)
- tools: update ESLint to 7.18.0 (Colin Ihrig)
- tools: update gyp-next to v0.7.0 (Michaël Zasso)
- tools: update ESLint to 7.17.0 (Colin Ihrig)
- tools: update ESLint to 7.16.0 (Yongsheng Zhang)
- tools: enable no-unsafe-optional-chaining lint rule (Colin Ihrig)
- tools: update ESLint to 7.15.0 (Colin Ihrig)
- tools: enable no-unused-expressions lint rule (Michaël Zasso)
- tools: enable no-nonoctal-decimal-escape lint rule (Colin Ihrig)
- tools: update ESLint to 7.14.0 (Colin Ihrig)
- tools: add linting rule for async IIFEs (Anna Henningsen)
- tools: update ESLint to 7.13.0 (Luigi Pinca)
- tools: update ESLint to 7.12.1 (Colin Ihrig)
- tools: update ESLint to 7.12.0 (Colin Ihrig)
- tools: update ESLint to 7.11.0 (Colin Ihrig)
- tools: add new ESLint rule: prefer-primordials (Leko)
- tools,doc: add support for several flavors of JS code snippets (Antoine du Hamel)
- tools,lib: recommend using safe primordials (Antoine du Hamel)
- tools,lib: tighten prefer-primordials rules for Error statics (Antoine du Hamel)
- tty: refactor to avoid unsafe array iteration (Antoine du Hamel)
- tty: refactor to use more primordials (Zijian Liu)
- typings: add JSDoc typings for util (Rohit Gohri)
- url: refactor to use more primordials (Antoine du Hamel)
- util: simplify constructor retrieval in inspect() (Rich Trott)
- v8: refactor to use more primordials (Antoine du Hamel)
- v8: refactor to use more primordials (Antoine du Hamel)
- vm: refactor to avoid unsafe array iteration (Antoine du Hamel)
- wasi: refactor to avoid unsafe array iteration (Antoine du Hamel)
- Revert "worker: remove ERR_CLOSED_MESSAGE_PORT" (Juan José Arboleda)
- worker: refactor to avoid unsafe array iteration (Antoine du Hamel)
- worker: refactor to use more primordials (Antoine du Hamel)
- zlib: fix brotli flush range (Khaidi Chu)
- zlib: refactor to avoid unsafe array iteration (Antoine du Hamel)
- zlib: refactor to use primordial instead of <string>.startsWith (Rohan Chougule)
- zlib: refactor to use more primordials (Antoine du Hamel)
The NetBSD i386 Rust 1.50 builds introduced two different targets (i586
and i686), where previously there was only one (i686). Unfortunately,
the upstream mozjs78 configuration script that narrows to the
appropriate compiler target is confused by this, since it was receiving
"i486" from pkgsrc tooling and didn't know how to pick from more than
one potential approximate match. I'm addressing it this (kludgy) way
for now, as I don't have time to go through Mozilla's scripting and
make adjustments, and I would like this building in the 2021Q2 branch.
If someone else feels there's a better way, please have at it. With
this tweak in place, I'm able to build the xfce4 meta package for
NetBSD/i386 9.2.
Better patch for src/tools/rust-installer/install-template.sh
- remove one path component after share/doc/ as the original code does
- do not change spacing for HACK: section
Bump PKGREVISION.
# cpp11 0.2.7
* Fix a transient memory leak for functions that return values from
`cpp11::unwind_protect()` and `cpp11::safe` (#154)
# cpp11 0.2.6
* `cpp_register()` now uses symbols exclusively in the `.Call()`
interface. This allows it to be more robust in interactive use with
the pkgload package.
# cpp11 0.2.5
* `cpp_source()` gains a `cxx_std` argument to control which C++
standard is used. This allows you to use code from `C++14` and
later standards with cpp_source(). (#100)
* The cpp11 knitr engine now allows you to set the `cxx_std` chunk
option to control the C++ standard used.
* `cpp_source()` now has much more informative error messages when
compilation fails (#125, #139)
* `cpp_source()` now uses a unique name for the DLL, so works when run
multiple times on the same source file on Windows (#143)
* `writable::list_of<T>` now supports modification of vectors as
intended (#131).
* Errors when running
`tools::package_native_routine_registration_skeleton()` are no
longer swallowed (#134)
* `cpp_source()` can now accept a source file called `cpp11.cpp`
(#133)
* `named_arg` now explicitly protects its values, avoiding protection
issues when using large inputs.
[tidyverse/readr#1145](https://github.com/tidyverse/readr/issues/1145)
* `r_string(std::string)` now uses `Rf_mkCharLenCE()` instead of
`Rf_mkChar()`, which avoids the performance cost of checking the
string length.
* Writable vector classes now properly set their lengths as intended
when being copied to a read only class (#128).
Also, pull over the patched install.sh script from the main package,
for quite a lot faster installation, also for the benefit of the
upstream-delivered binaries. (Fix submitted upstream.)
Use the nb1 version suffix on the NetBSD binaries (one-time job for
1.52.1, to be removed on next go-around), but they still extract to
the non-nb1 work directory, so some adjustment needed for that.
Bump PKGREVISION.