Version 1.68.0
--------------
- Closed bugs and merge requests:
* 40.rc session crashes in gjs on unlocking (sometimes) [#387, !588, Marco
Trevisan]
* 40.rc: installed-tests installed despite explicitly disabled [#388, !589,
Philip Chimento]
Version 1.67.3
--------------
- Closed bugs and merge requests:
* System.exit() doesn't work inside signal handler [#19, !565, Evan Welsh]
* GdkEvent subtypes trigger assert in Gtk4 [#365, !566, Evan Welsh]
* Replace g_memdup [#375, !567, Philip Chimento]
* 1.67.2: build fails with gcc 11 [#376, !568, Philip Chimento]
* Warnings introspecting array of boxed type as signal argument. [#377, !569,
Carlos Garnacho]
* Add list command to debugger [!571, Nasah Kuma]
* Assertion failure in enqueuePromiseJob [#349, !572, Philip Chimento]
* in interpreter Ctrl-c should exit inner shell if stuck [#98, !574, Philip
Chimento]
* Compiler ambiguity in enum-utils.h on operator overloading [#368, !576,
Chun-wei Fan]
* Fix GJS_DISABLE_JIT not fully disabling JIT [!575, Ivan Molodetskikh]
* Error running gjs built with prefix: g_object_new_is_valid_property: object
class 'GjsContext' has no property named 'program-path' [#381, !577, Sonny
Piers]
* Various maintenance [!578, !586, Philip Chimento]
* Add some profiling labels [!579, Ivan Molodetskikh]
* Some installed tests (introspection) segfault when GTK isn't available
[#383, !580, Olivier Tilloy]
* Installed tests do not install the js/modules subdir [#384, !581, Olivier
Tilloy]
* Installed tests fail because expected path doesn't include project name
[#385, !582, Olivier Tilloy]
* 1.67.2: Regress test hangs / timeouts on i686 [#379, !583, Marco Trevisan]
* object: Do not call any function on disposed GObject pointers [!585, Marco
Trevisan]
Version 1.67.2
--------------
- New language features: Importing ES modules is now supported, both statically
with import statements and dynamically with the import() function. For more
information on how to use modules, see:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/import
Four built-in modules exist: cairo, gettext, gi, and system. Except for gi,
they work similarly to the old-style modules imports.cairo, imports.gettext,
and imports.system. Consult the documentation in doc/Modules.md on how to use
them.
- The debugger now has a "list" command which works very similarly to its GDB
equivalent.
- New API: GObject.ParamSpec.jsobject() works like the other GObject.ParamSpec
types, and allows you to have a GObject property whose value is a JavaScript
object (plain object, Date, Array, etc.)
- New API: System.programPath is the name of the JS program that GJS is running,
or null if there isn't one (for example, in the interactive interpreter.)
- New API: System.programArgs is an array of arguments given to the JS program.
It is the same as ARGV but is consistently always present. (ARGV was not
defined in the interactive interpreter or when embedding GJS in a C program.)
- Closed bugs and merge requests:
* Support Native JSObject GType for Signals and Properties [!305, Marco
Trevisan, Philip Chimento]
* Add 'system.programPath' API. [!443, Evan Welsh]
* ESM: Enable static imports. (Part 3) [!450, Evan Welsh, Philip Chimento]
* Refactor ARGV handling and add `system.programArgs` [!455, Evan Welsh,
Philip Chimento]
* Function make the object more C++ friendly [!514, Marco Trevisan]
* ESM: Enable dynamic imports. [!525, Evan Welsh, Philip Chimento]
* Remove JSClass macros from Ns, GType, and Cairo types [!549, Philip
Chimento]
* various documentation improvements [!551, Sonny Piers]
* Replace remaining mentions of window with globalThis [!552, Sonny Piers]
* add .editorconfig file [!553, Sonny Piers]
* Display current line of source code when displaying current frame in
debugger [!554, Nasah Kuma]
* doc: add Clapper and Flatseal to thirty party applications written in GJS
[!555, Sonny Piers]
* Multiline template literals are missing newlines when entered at interactive
prompt [#371, !556, Ales Huzik]
* function: Remove JSClass macros [!558, Philip Chimento, Marco Trevisan]
* Missing classes on global. [#372, !559, Philip Chimento]
* arg: fix build failure with glib main branch [!560, Michael Catanzaro]
* Update to Jasmine 2.9.1 [!561, Evan Welsh]
* Various maintenance [!562, Philip Chimento]
* Add list command to debugger [!563, Nasah Kuma]
* Upgrade to Jasmine 3.6.0 [!564, Evan Welsh]
- Various refactors in preparation for BigInt support in gobject-introspection
[Marco Trevisan]
Version 1.67.1
--------------
- The debugger now has a "backtrace full" command which works very similarly to
its GDB equivalent.
- The GObject.ParamFlags.CONSTRUCT_ONLY flag is now correctly enforced, when
using it on GObject classes defined in JavaScript. This might break code that
was incorrectly trying to set a property that it had previously defined as
construct-only. The workaround is to remove the CONSTRUCT_ONLY flag.
- Fixed exception when calling GObject.Type().
- Several performance improvements.
- Progress on ES Modules.
- Closed bugs and merge requests:
* gobject: Handle CONSTRUCT_ONLY flag [!377, Florian Müllner]
* Add native module registry to global (Part 2) [!456, Evan Welsh]
* testGIMarshalling: Expand test coverage for flags [!479, Simon McVittie]
* Private Objects: Use native allocators and structs [!494, Marco Trevisan]
* Pass-by-reference GValue arguments do not work right [#74, !496, !507, Marco
Trevisan]
* Templated-data-only GjsAutoPointer (and use it more around) [!504, Marco
Trevisan]
* Error in function "_init()" in module "modules/overrides/GObject.js" [#238,
!508, Nina Pypchenko]
* fails to build on 32-bit [#357, !511, Michael Catanzaro]
* Revert "arg-cache: Save space by not caching GType" [!512, Jonas Dreßler]
* gi/wrapperutils: Move gjs_get_string_id() into resolve() implementations
[!513, Jonas Dreßler]
* updates on eslint configuration [!517, Nasah Kuma]
* Update CONTRIBUTING.md about the runner system failure [!518, Nasah Kuma]
* Switch to eslint-plugin-jsdoc and remove lint-condo [!520, #359, Evan Welsh,
Philip Chimento]
* gi: Check property before access [!521, Florian Müllner]
* testGIMarshalling: Actually run the GPtrArray utf8 tests [!522, Marco
Trevisan]
* Add more documents for "imports" and "imports.gi" [!526, wsgalaxy]
* overrides/Gtk: Set BuilderScope in class init [!527, Florian Müllner]
* gi/arg-cache: Only skip array length parameter once [!528, Florian Müllner]
* Copyright conformance with Reuse Software spec [!529, Philip Chimento, Evan
Welsh]
* Remove JSClass macros [!530, !533, !537, Philip Chimento]
* Avoid pulling from DockerHub in CI [!531, Philip Chimento, Marco Trevisan]
* Use GNOME-specific rules with cppcheck [!532, Philip Chimento]
* Fedora 33 CI images [!535, Philip Chimento]
* Fix IWYU bugs [!536, Philip Chimento]
* Reduce bandwidth usage in CI, and pick a more accurate base for diff checks
[!538, Philip Chimento]
* debugger: Make '$$' mean the last value [!539, Philip Chimento]
* Add codespell CI job [#362, !540, !541, !547, Björn Daase]
* Various maintenance [!542, !548, Philip Chimento]
* fix readline build on certain systems [!543, Jakub Kulík]
* build: Require gobject-introspection 1.66.0 [!546, Philip Chimento]
* Add backtrace full command to debugger [#208, !550, Nasah Kuma]
- Various refactors for type safety [Marco Trevisan]
- Various maintenance [Philip Chimento]
Version 1.66.2
--------------
- Performance improvements and crash fixes backported from the development
branch.
- Bug fixes enabling use of GTK 4.
- Closed bugs and merge requests:
* Error in function "_init()" in module "modules/overrides/GObject.js" [#238,
!508, Nina Pypchenko]
* Revert "arg-cache: Save space by not caching GType" [!512, Jonas Dreßler]
* gi/wrapperutils: Move gjs_get_string_id() into resolve() implementations
[!513, Jonas Dreßler]
* overrides/Gtk: Set BuilderScope in class init [!527, Florian Müllner]
* fix readline build on certain systems [!543, Jakub Kulík]
This appears to no longer be needed.
I could swear I had done a successful re-build before the previous commit,
so not sure how that happened.
Build fix, so no revision bump.
Changelog:
* Bugfixes.
Target Specific Changes
AArch64
A bug with the Random Number intrinsics in the arm_acle.h header
that resulted in an incorrect status result being returned has
been fixed.
GCC now supports the Fujitsu A64FX. The associated -mcpu and
-mtune options are -mcpu=a64fx and -mtune=a64fx respectively.
In particular, -mcpu=a64fx generates code for Armv8.2-A with
SVE and tunes the code for the A64FX. This includes tuning the
SVE code, although by default the code is still length-agnostic
and so works for all SVE implementations. Adding -msve-vector-bits=512
makes the code specific to 512-bit SVE.
The current i386 bootstrap is built for NetBSD 8.x, and so is linked
against libstdc++.so.8. NetBSD 9.x still requires compat80 for it to
run.
This isn't a complete workaround, as builds still fail in a sandboxed
environment that doesn't have compat80 installed outside it. Dealing
with that would require another workaround somewhat like the one used
for ghc*, but a little different.
Vala 0.52.1
===========
* Various improvements and bug fixes:
- codegen:
+ Improve handling of ellipsis parameter in get_ccode_name()
+ Fix default value of get_ccode_destroy_notify_pos()
+ Don't override valid target/destroy of previous lambda argument [#59]
+ Don't call *_instance_init() in compact class chainup
- vala: Mark tranformed static member-access as qualified [#270]
- parser: Stricter mode for chained member initializer with --keep-going [#1158]
- girwriter: namespace expects "c:symbol-prefixes" attribute [#1038]
- girwriter: Don't use instance-parameter inside callback [#1167]
- girparser,libvaladoc/girimporter: Don't guess length of xml header, iterate
forward to <repository>
- libvaladoc/girimporter: parse_constant() use "c:identifier" attribute first
* Bindings:
- gsl: Add BLAS module [#1149]
- rest-0.7: Fix OAuthProxyAuthCallback binding
- gtk+-3.0: Fix ModuleInitFunc binding
- gio-2.0: Fix TlsPassword.get_value() binding
- Fix several bindings which lead to invalid code by using them in:
javascriptcoregtk-4.0, libusb, libusb-1.0, pixman-1,
webkit2gtk-web-extension-4.0, x11, zlib,
Vala 0.52.0
===========
* Various improvements and bug fixes:
- codegen: Include "glib.h" for deprecated symbols (GOBJECT) [#1155]
- vala: Improve error for incompatible expressions in conditional expression
- vala: Check for unused attributes unconditionally
- girparser: Allow overriding of "Compact" attribute for classes
- girparser: Handle empty "<type/>" element and report an error
- girparser: Add support for NoWrapper metadata for methods
- build: Add --enable-test-asan configure option
* Bindings:
- gio-2.0: Add some missing NoWrapper and CCode.has_typedef attributes
- gnutls: Fix some binding errors
- gsl: Fix some binding errors
- gstreamer: Update from 1.19.0+ git master
- gtk4: Add Gtk.INVALID_LIST_POSITION [#1151]
- gtk4-unix-print: Switch to gir
- gtk4: Update to 4.1.2
- linux: Provide Input.Event.input_event_sec/input_event_usec fields [#1152]
- vapi: Fix a couple of attribute typos
- webkit2gtk-4.0: Update to 2.31.91
Vala 0.51.91
============
* Various improvements and bug fixes:
- codegen:
+ Error for missing type-arguments of HashTable (de)serialization [#1147]
+ Free intermediate temp-variables of postcondition expression [#80]
+ Use the one available source_reference for internal error [#436]
+ Fix access to captured generics in async method of interfaces [#537]
+ Don't ever create null-aware free macro for GenericType
+ Don't add generics arguments/parameters to async finish method
+ Drop inner casts before converting between generics and integers
- vala:
+ Add missing null-check in DataType.get_type_signature()
+ Check array type of declarations for errornous type-arguments
+ Check (optional) type-arguments of array creation expression
+ Replace all type parameter occurances in parameters for signal delegate
* Bindings:
- glib-2.0,gio-2.0: Add some missing type-arguments
- vapi: Update GIR-based bindings
Vala 0.51.90
============
* Various improvements and bug fixes:
- codegen:
+ More use of get_ccode_type_name()
+ "_first_array" parameter for params-array is variadic too
+ Inherit GType from base struct of SimpleType structs
- vala:
+ Report warning if --target-glib=auto was not evaluated successfully
+ Fix ownership inheritance of "unowned var" in foreach statement
+ Use pre-resolved symbol/type of SemanticAnalyzer if possible
- gdbus: Don't leak memory of deserialized arguments on error in wrapper method
- girparser: Reuse populated Node.gtype_struct_for instead of resolving again
- girparser: Evaluate "glib:type-struct" twice to pick up reparented structs
- testrunner: Include Gio-2.0/gio-2.0 for GIR tests too
* Bindings:
- gtk4: Update to 4.1.1+f8f90d85
Vala 0.51.3
===========
* Various improvements and bug fixes:
- codegen:
+ Don't use volatile modifier in glib API when targetting >= 2.68 [glib!1719]
+ CCodeBaseModule.get_type_id_expression () won't return null
+ Don't wrongly emit declaration for default-handler of signals
+ Include "string.h" for strcmp() (POSIX)
- vala:
+ Generics value holding struct pointer requires casting on access [#347]
+ Infer needle type for "in" expression on enum [#1138]
+ Don't allow "in" operation with different enum types [#1139]
+ Improve context check whether property is writeable on assignments
+ Include "stdlib.h" for Enum.to_string() (POSIX) [#1143]
+ Set proper source_reference for implicit "this" and "result" variables
+ Report error for invalid inner operand of unary expressions
- girwriter: Output default handler of signals
* Bindings:
- glib-2.0: Add new symbols from 2.68
- webkit2gtk-4.0: Update to 2.31.90
- vapi: Update GIR-based bindings
Vala 0.51.2
===========
* Various improvements and bug fixes:
- vala:
+ Check type-arguments in base-types/prerequisites of class/interface [#404]
+ Include type-checks in preconditions of methods for type narrowing [#894]
+ Capturing va_list parameters/variables is not allowed [#1136]
+ Properly parse and handle chained initialization of members [#1137]
- codewriter: Output valid vala syntax for LoopStatement and don't write
trailing ";" after body of WithStatement
* Bindings:
+ gstreamer: Update from 1.19.0+ git master
+ vapi: Update GIR-based bindings
Vala 0.51.1
===========
* Highlights:
- Support "binding" to bind GtkCallback to class of given property [#1093]
- Add support for type narrowing [#894]
- Support chain up to simple generics constructor [#342]
- Perform runtime version check of libvala [#88]
- girparser: Handle anonymous delegate not backed by virtual-method or signal
- Add support for 'opaque' compact classes [#1129]
- Add further support for params arrays in constructors [#128]
- Improve handling of "NoWrapper" attribute
- Improve support of SimpleType struct constructors
- Use __attribute__ instead of G_GNUC_* in POSIX profile
- Add SDL 2.x bindings [#1032] amd drop SDL 1.x
* Various improvements and bug fixes:
- codegen:
+ Improve GValueModule.visit_cast_expression()
+ Drop obsolete dedicated handling of property value-parameter
+ Apply CCodeModifiers.PRINTF to "string_printf" (POSIX)
+ Allow CCode.type_cname for classes and use get_ccode_type_name()
+ Always use G_TYPE_INSTANCE_GET_CLASS/INTERFACE for external symbols
+ Also check array type of variable argument for ref parameters
+ Don't leak array memory after it was implicitly copied
+ Use g_boxed_free in free-wrapper for heap-allocated GLib.Value
+ Don't leak GLib.Value when implicitly unboxing it
+ Don't leak memory moving heap-allocated struct to stack
+ Chain up to base struct destroy function
+ Use g_memdup2 if target glib >= 2.68 is set
+ Replace "g_memdup" with "_vala_memdup2" for target glib < 2.68
+ Correctly retrieve symbol_reference of nested cast expressions [#1134]
+ Strip all nested occurances of CCodeCastExpression [#1134]
- vala:
+ Improve detection of duplicate package source files
+ GtkChild fields/properties must be declared as unowned [#1121]
+ Don't allow assigning GtkChild fields/properties [#1121]
+ Apply stricter condition for lambda to delegate assignment
+ Don't allow disposable SimpleType structs
+ Rename Loop to LoopStatement and introduce a common base class
+ GLib.Value unboxing returns unowned value
+ Don't allow GLib.Value casting to nullable struct/simple types
+ Add Block.unreachable_exit and have it set by FlowAnalyzer [#838]
+ Convert Report.*() to real printf-like functions
+ Avoid taking extra reference of foreach collection for index iteration
+ Make sure parent_symbol for special async parameters is available
+ Require a valid DataType instance for every TargetValue
- girparser:
+ Minor improvement to field getter detection
+ Apply "delegate_target" metadata for methods and parameters
+ Apply "destroy_notify_cname" metadata for fields
+ Apply "type_get_function" metadata for classes and inferfaces
+ Set CCode.type_cname for classes if it doesn't match our default
- girwriter: Infer gir_namespace/version from target GIR filename [#606]
- girwriter: Write instance-parameter elements [#1128]
- libvaladoc/html: Don't sort struct fields to keep their original order
- libvaladoc: Correctly retrieve value for Api.Class.is_compact
- libvaladoc: Add wrapper for "agedge" of graphviz
- valadoc: Correctly set verbose flag on CodeContext
- valadoc: Replace png icons with elementary's svg version
* Bindings:
- Add enchant-2 bindings for Enchant 2.x
- Add gnu.vapi with binding for getopt_long() and some other GNU APIs
- Add libunwind-generic binding
- Fix several bindings which lead to invalid code by using them in:
cairo, gobject-2.0, pango, goocanvas-2.0, curses, alsa, bzlib, sqlite3,
libgvc, posix, gstreamer-1.0, gdk-3.0, gdk-x11-3.0, gtk+-3.0, gtk4,
fuse, libxml-2.0
- curses: Remove initial “w” from some Window method names for consistency
- gdk-pixbuf-2.0: Fix Pixbuf.save_to_streamv_async()
- gdk-pixbuf-2.0: Update to 2.42.3~
- gio-2.0: Fix binding of PollableOutputStream.write*_nonblocking()
- gio-2.0,gtk+-3.0,gtk4: Drop explicit c-type attributes of va_list parameters
- gio-2.0: Pick up missing invoker for some AppInfo/File.*() methods
- gio-2.0: Update to 2.67.3
- glib-2.0: Add GLib.[S]List.is_empty() convenience methods for non-null
- glib-2.0: Add new symbols from 2.68
- glib-2.0: Bind assert_cmp* functions [#395]
- glib-2.0: Improve type of OptionEntry.flags field
- glib-2.0: Make PtrArray a subclass of GenericArray
- gobject-2.0: Add new symbols from 2.68
- gstreamer-1.0: Set CCode.type_id of MiniObject to G_TYPE_BOXED [#1133]
- gstreamer: Update from 1.19.0+ git master
- gtk+-2.0,javascriptcoregtk-4.0: Wrong usage of CCode.type_cname attribute
- gtk+-3.0,gtk4: Fix some delegate return values and parameters
- gtk4: Update to 4.1.0+2712f536
- posix: Add POSIX, GNU and BSD Regex APIs
- webkit2gtk-4.0: Update to 2.31.1
Real changes are in devel/devel/ruby-activestorage61 only.
## Rails 6.1.3.1 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
Real changes are in devel/ruby-activestorage60 only.
## Rails 6.0.3.6 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
Real changes are in devel/ruby-activestorage52 only.
## Rails 5.2.5 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print margins. This
matches the behavior of the MuPDF previewer.
*Vincent Robert*
Ruby 3.0.1 Released (2021-04-05)
Ruby 3.0.1 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
Ruby 2.7.3 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
Ruby 2.6.7 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in
WEBrick
* CVE-2021-28965: XML round-trip vulnerability in REXML
See the commit logs for details.
By this release, we end the normal maintenance phase of Ruby 2.6, and Ruby
2.6 enters the security maintenance phase. This means that we will no
longer backport any bug fixes to Ruby 2.6 except security fixes. The term
of the security maintenance phase is scheduled for a year. Ruby 2.6 reaches
EOL and its official support ends by the end of the security maintenance
phase. Therefore, we recommend that you start to plan upgrade to Ruby 2.7
or 3.0.
This release introduces fixes for better support of Erlang/OTP 24+.
1. Enhancements
Elixir
[Kernel] Update formatting when printing warnings and errors from Erlang/OTP 24+
[Kernel] Support float-16 on bitstrings
Mix
[mix local.rebar] This task will now install rebar3 version 3.14.4, compiled with Erlang/OTP 21
Version 14.16.1 'Fermium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
Version 12.22.1 'Erbium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
Version 12.22.0 'Erbium' (LTS)
Notable changes
The legacy HTTP parser is runtime deprecated
The legacy HTTP parser, selected by the --http-parser=legacy command line option, is deprecated with the pending End-of-Life of Node.js 10.x (where it is the only HTTP parser implementation provided) at the end of April 2021. It will now warn on use but otherwise continue to function and may be removed in a future Node.js 12.x release.
The default HTTP parser based on llhttp is not affected. By default it is stricter than the now deprecated legacy HTTP parser. If interoperability with HTTP implementations that send invalid HTTP headers is required, the HTTP parser can be started in a less secure mode with the --insecure-http-parser command line option.
ES Modules
ES Modules are now considered stable.
node-api
Updated to node-api version 8 and added an experimental API to allow retrieval of the add-on file name.
New API's to control code coverage data collection
v8.stopCoverage() and v8.takeCoverage() have been added.
New API to monitor event loop utilization by Worker threads
worker.performance.eventLoopUtilization() has been added.
Version 10.24.1 'Dubnium' (LTS)
This is a security release.
Notable Changes
Vulerabilties fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
these were disabled in the pkgsrc infrastructure some time ago because
they cannot be built cleanly with older compilers while gcc6 can.
this all seems to be separate from the ada bits in gcc-5-aux which may
still be useful.
Python 3.9.4
Core and Builtins
bpo-43710: Reverted the fix for https://bugs.python.org/issue42500 as it changed the PyThreadState struct size and broke the 3.9.x ABI in the 3.9.3 release (visible on 32-bit platforms using binaries compiled using an earlier version of Python 3.9.x headers).
Library
bpo-26053: Fixed bug where the pdb interactive run command echoed the args from the shell command line, even if those have been overridden at the pdb prompt.
Key off BUILD_TARGET instead of whether we're cross-building,
as bootstrap kits *can* be built natively (yes, the former state
was my suggestion, but on second thought this is more correct).
Python 3.9.3 final
Security
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
bpo-43555: Report the column offset for SyntaxError for invalid line continuation characters. Patch by Pablo Galindo.
bpo-43517: Fix misdetection of circular imports when using from pkg.mod import attr, which caused false positives in non-trivial multi-threaded code.
bpo-35883: Python no longer fails at startup with a fatal error if a command line argument contains an invalid Unicode character. The Py_DecodeLocale() function now escapes byte sequences which would be decoded as Unicode characters outside the [U+0000; U+10ffff] range.
bpo-43406: Fix a possible race condition where PyErr_CheckSignals tries to execute a non-Python signal handler.
bpo-42500: Improve handling of exceptions near recursion limit. Converts a number of Fatal Errors in RecursionErrors.
Library
bpo-43433: xmlrpc.client.ServerProxy no longer ignores query and fragment in the URL of the server.
bpo-35930: Raising an exception raised in a “future” instance will create reference cycles.
bpo-43577: Fix deadlock when using ssl.SSLContext debug callback with ssl.SSLContext.sni_callback().
bpo-43521: ast.unparse can now render NaNs and empty sets.
bpo-43423: subprocess.communicate() no longer raises an IndexError when there is an empty stdout or stderr IO buffer during a timeout on Windows.
bpo-27820: Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with initial_response_ok=False will fail.
The cause is that SMTP.auth_login _always_ returns a password if provided with a challenge string, thus non-compliant with the standard for AUTH LOGIN.
Also fixes bug with the test for smtpd.
bpo-43332: Improves the networking efficiency of http.client when using a proxy via set_tunnel(). Fewer small send calls are made during connection setup.
bpo-43399: Fix ElementTree.extend not working on iterators when using the Python implementation
bpo-43316: The python -m gzip command line application now properly fails when detecting an unsupported extension. It exits with a non-zero exit code and prints an error message to stderr.
bpo-43260: Fix TextIOWrapper can not flush internal buffer forever after very large text is written.
bpo-42782: Fail fast in shutil.move() to avoid creating destination directories on failure.
bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn introduced in Python 3.7.
Documentation
bpo-43199: Answer “Why is there no goto?” in the Design and History FAQ.
bpo-43407: Clarified that a result from time.monotonic(), time.perf_counter(), time.process_time(), or time.thread_time() can be compared with the result from any following call to the same function - not just the next immediate call.
bpo-27646: Clarify that ‘yield from <expr>’ works with any iterable, not just iterators.
bpo-36346: Update some deprecated unicode APIs which are documented as “will be removed in 4.0” to “3.12”. See PEP 623 for detail.
Tests
bpo-37945: Fix test_getsetlocale_issue1813() of test_locale: skip the test if setlocale() fails. Patch by Victor Stinner.
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
bpo-43288: Fix test_importlib to correctly skip Unicode file tests if the fileystem does not support them.
Build
bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.
bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j.
IDLE
bpo-42225: Document that IDLE can fail on Unix either from misconfigured IP masquerage rules or failure displaying complex colored (non-ascii) characters.
bpo-43283: Document why printing to IDLE’s Shell is often slower than printing to a system terminal and that it can be made faster by pre-formatting a single string before printing.
