- crypto: add randomFill and randomFillSync
- meta: Added new collaborators
- add lucamaraschi to collaborators
- add DavidCai1993 to collaborators
- add jkrems to collaborators
- add AnnaMag to collaborators
- process: fix crash when Promise rejection is a Symbol
- url: make WHATWG URL more spec compliant
- v8:
- fix stack overflow in recursive method
- fix build errors with g++ 7
2017-03-28, Version 7.8.0
buffer:
- do not segfault on out-of-range index
crypto:
- Fix memory leak if certificate is revoked
deps:
- upgrade npm to 4.2.0
- fix async await desugaring in V8
readline:
- add option to stop duplicates in history
2017-03-21, Version 7.7.4
- deps: Add node-inspect 1.10.6
- inspector: proper WS URLs when bound to 0.0.0.0
- tls: fix segfault on destroy after partial read.
- module: The module loading global fallback to the Node executable's
directory now works correctly on Windows.
- net: Socket.prototype.connect now once again functions without
a callback.
- url: URL.prototype.origin now properly specified an opaque return
of 'null' for file:// URLs.
Notable changes
- doc: add Daijiro Wachi to collaborators
- tty: add ref() so process.stdin.ref() etc. work
- util: fix inspecting symbol key in string
- Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to everyone
who was affected by 7.7.0.
- child_process: spawnSync() exit code now is null when the child is
killed via signal
- http: new functions to access the headers for an outgoing HTTP message
- lib: deprecate node --debug at runtime
- tls: new tls.TLSSocket() supports sec ctx options
- url: adding URL.prototype.toJSON support
- doc: items in the API documentation may now have changelogs
- crypto: adding support for OPENSSL_CONF again
- src: adding support for trace-event tracing
Notable changes
- crypto:
- ability to select cert store at runtime
- Use system CAs instead of using bundled ones
- deps:
- upgrade npm to 4.1.2
- upgrade openssl sources to 1.0.2k
- doc: add basic documentation for WHATWG URL API
- process: add NODE_NO_WARNINGS environment variable
- url: allow use of URL with http.request and https.request
Notable changes
- buffer:
- Improve performance of Buffer allocation by ~11%.
- Improve performance of Buffer.from() by ~50%.
- events: Improve performance of EventEmitter.once() by ~27%.
- fs: Allow passing Uint8Array to fs methods where Buffers are supported.
- http: Improve performance of http server by ~7%.
- npm: Upgrade to v4.0.5
Notable changes
buffer:
- buffer.fill() now works properly for the UCS2 encoding on
Big-Endian machines.
cluster:
- disconnect() now returns a reference to the disconnected worker.
crypto:
- The built-in list of Well-Known CAs (Certificate Authorities) can
now be extended via a NODE_EXTRA_CA_CERTS environment variable.
http:
- Remove stale timeout listeners in order to prevent a memory leak
when using keep alive.
tls:
- Allow obvious key/passphrase combinations.
url:
- Including base argument in URL.originFor() to meet specification
compliance.
- Improve URLSearchParams to meet specification compliance.
- buffer:
- Reverted the runtime deprecation of calling Buffer() without new.
- Fixed buffer.transcode() for single-byte character encodings to UCS2.
- promise: --trace-warnings now produces useful stacktraces for Promise
warnings.
- repl: Fixed a bug preventing correct parsing of generator functions.
- V8: Fixed a significant instanceof performance regression.
- crypto: The Decipher methods setAuthTag() and setAAD now return this.
- dns: Implemented {ttl: true} for resolve4() and resolve6().
- libuv: Upgrade to v1.10.1
- Fixed a potential buffer overflow when writing data to console on
Windows 10.
- process: Added a new external property to the data returned by
memoryUsage().
- tls: Fixed a memory leak when writes were queued on TLS connection that
was destroyed during handshake.
- V8 (dep): Upgrade to v5.4.500.43
- v8: The data returned by getHeapStatistics() now includes three new
fields: malloced_memory, peak_malloced_memory, and does_zap_garbage.
- buffer: add buffer.transcode to transcode a buffer's content from one
encoding to another primarily using ICU
- child_process: add public API for IPC channel
- icu:
- Upgraded to ICU 58 - small icu
- Add cldr, tz, and unicode to process.versions
- lib: make String(global) === '\[object global\]'
- libuv: Upgraded to 1.10.0
- readline: use icu based string width calculation
- src:
- add NODE_PRESERVE_SYMLINKS environment variable that has the same effect
as the --preserve-symlinks flag
- Fix String#toLocaleUpperCase() and String#toLocaleLowerCase()
This new major version of Node.js includes: V8 5.4 which brings along with
98% coverage of ES6 language features, improved reliability and performance,
and a new experimental URL parser based on the WHATWG URL standard.
As an odd numbered release, in accordance with our Long Term Support plan,
Node.js v7 will be supported only until about June, 2017, with Node.js v8
currently scheduled for release in April, 2017.
Notable changes
Buffer
- Passing invalid input to Buffer.byteLength will now throw an error #8946.
- Calling Buffer without new is now deprecated and will emit a process
warning #8169.
- Passing a negative number to allocUnsafe will now throw an error #7079.
Child Process
- The fork and execFile methods now have stronger argument validation #7399.
Cluster
- The worker.suicide method is deprecated and will emit a process warning
#3747.
Deps
- V8 has been updated to 5.4.500.36 #8317, #8852, #9253.
- NODE_MODULE_VERSION has been updated to 51 #8808.
File System
- A process warning is emitted if a callback is not passed to async file
system methods #7897.
Intl
- Intl.v8BreakIterator constructor has been deprecated and will emit a
process warning #8908.
Promises
- Unhandled Promise rejections have been deprecated and will emit a process
warning #8217.
Punycode
- The punycode module has been deprecated #7941.
URL
- An Experimental WHATWG URL Parser has been introduced #7448.
- crypto: Don't automatically attempt to load an OpenSSL
configuration file, from the OPENSSL_CONF environment variable
or from the default location for the current platform. Always
triggering a configuration file load attempt may allow an attacker
to load compromised OpenSSL configuration into a Node.js process
if they are able to place a file in a default location.
- node: Introduce the process.release.lts property, set to "Boron".
This value is "Argon" for v4 LTS releases and undefined for all
other releases.
- V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
- v8_inspector: Generate a UUID for each execution of the
inspector. This provides additional security to prevent
unauthorized clients from connecting to the Node.js process via
the v8_inspector port when running with --inspect.
Notable changes
- fs:
- SyncWriteStream now inherits from Stream.Writable.
- fs.existsSync() has been undeprecated. fs.exists() remains
deprecated.
- http: http.request() now accepts a timeout option.
- module: The module loader now maintains its own realpath cache.
- npm: Upgraded to 3.10.8
- stream: Duplex streams now show proper instanceof Stream.Writable.
- timers: Improved setTimeout/Interval performance by up to 22%.
- openssl: Remove support for loading dynamic third-party engine
modules. An attacker may be able to hide malicious code to be
inserted into Node.js at runtime by masquerading as one of the
dynamic engine modules.
- http: CVE-2016-5325 - Properly validate for allowable characters
in the reason argument in ServerResponse#writeHead().
- buffer: Zero-fill excess bytes in new Buffer objects created
with Buffer.concat() while providing a totalLength parameter
that exceeds the total length of the original Buffer objects
being concatenated.
- src: Fix regression where passing an empty password and/or salt
to crypto.pbkdf2() would cause a fatal error
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid
wildcard certificate for its hostname due to improper validation
of *. in the wildcard string.
- v8: Fix regression where a regex on a frozen object was broken
Notable changes
- crypto: Added crypto.timingSafeEqual().
- events: Made the "max event listeners" memory leak warning more
accessible.
- promises: Unhandled rejections now emit a process warning after
the first tick.
- repl: Added auto alignment for .editor mode.
- util: Some functionality has been added to util.inspect():
- Returning this from a custom inspect function now works.
- Added support for Symbol-based custom inspection methods.
- buffer: Fix regression introduced in v6.4.0 that prevented
.write() at buffer end
- deps: update V8 to 5.1.281.75
- inspector:
- fix inspector hang while disconnecting
- add support for uncaught exception
- repl: Fix saving editor mode text in .save
- Revert "repl,util: insert carriage returns in output"
Notable changes
- build: zlib symbols and additional OpenSSL symbols are now
exposed on Windows platforms.
- child_process, cluster: Forked child processes and cluster
workers now support stdio configuration.
- child_process: argv[0] can now be set to arbitrary values in
spawned processes.
- fs: fs.ReadStream now exposes the number of bytes it has read so
far.
- repl: The REPL now supports editor mode.
- util: inspect() can now be configured globally using
util.inspect.defaultOptions.
6.3.1.
Notable changes
- buffer:
- Improve performance of Buffer.from(str, 'hex') and
Buffer#write(str, 'hex').
- Fix creating from zero-length ArrayBuffer.
- deps:
- Upgrade to V8 5.0.71.57.
- Backport V8 instanceof bugfix
- repl: Fix issue with function redeclaration.
- util: Fix inspecting of boxed symbols.
6.3.0
Notable changes
- buffer: Added buffer.swap64() to complement swap16() & swap32().
- build: New configure options have been added for building
Node.js as a shared library.
- crypto: Root certificates have been updated.
- debugger: The server address is now configurable via
--debug=<address>:<port>.
- npm: Upgraded npm to v3.10.3
- readline: Added the prompt option to the readline constructor.
- repl / vm: sigint/ctrl+c will now break out of infinite loops
without stopping the Node.js instance.
- src:
- Added a node::FreeEnvironment public C++ API.
- Refactored require('constants'), constants are now available
directly from their respective modules.
- stream: Improved readable.read() performance by up to 70%.
- timers: setImmediate() is now up to 150% faster in some
situations.
- util: Added a breakLength option to util.inspect() to control
how objects are formatted across lines.
- v8-inspector: Experimental support has been added for debugging
Node.js over the inspector protocol.
- http:
- req.read(0) could cause incoming connections to stall and time out
under certain conditions. (Fedor Indutny) #7211
- When freeing the socket to be reused in keep-alive Agent wait for
both prefinish and end events. Otherwise the next request may be
written before the previous one has finished sending the body,
leading to parser errors. (Fedor Indutny) #7149
- npm: upgrade npm to 3.9.5 (Kat Marchan) #7139
Notable changes
- buffer: Ignore negative lengths in calls to Buffer() and
Buffer.allocUnsafe().
- npm: Upgrade npm to 3.9.3
- tty: Default to blocking mode for stdio on OS X.
- V8: Upgrade to V8 5.0.71.52.
See full changelog:
https://github.com/nodejs/node/blob/v6.2.1/doc/changelogs/CHANGELOG_V6.md
I tried and failed to reverse engineer the build framework to add
the rpath in the right place.
Give up for now and force it with WRAP_EXTRA_ARGS.CXX.
At least it makes the package build again.
- assert: deep{Strict}Equal() now works correctly with circular
references.
- debugger: Arrays are now formatted correctly in the debugger repl.
- deps: Upgrade OpenSSL sources to 1.0.2h
- net: Introduced a Socket#connecting property.
- process: Introduced process.cpuUsage().
- stream: Writable#setDefaultEncoding() now returns this.
- util: Two new additions to util.inspect():
- Added a maxArrayLength option to truncate the formatting of
Arrays.
- Added a showProxy option for formatting proxy intercepting
handlers.
This release will become the new LTS later in 2016.
The following significant changes have been made since the
previous Node.js v5.0.0 release.
Buffer
- New Buffer constructors have been added #4682 and #5833.
- Existing Buffer() and SlowBuffer() constructors have been
deprecated in docs #4682 and #5833.
- Previously deprecated Buffer APIs are removed #5048, #4594.
- Improved error handling #4514.
- The Buffer.prototype.lastIndexOf() method has been added #4846.
Cluster
- Worker emitted as first argument in 'message' event #5361.
- The worker.exitedAfterDisconnect property replaces
worker.suicide #3743.
Console
- Calling console.timeEnd() with an unknown label now emits a
process warning rather than throwing #5901.
Crypto
- Improved error handling #3100, #5611.
- Simplified Certificate class bindings #5382.
- Improved control over FIPS mode #5181.
- pbkdf2 digest overloading is deprecated #4047.
Dependencies
- Reintroduce shared c-ares build support #5775.
- V8 updated to 5.0.71.35 #6372.
DNS
- Add dns.resolvePtr() API to query plain DNS PTR records #4921.
Domains
- Clear stack when no error handler #4659.
Events
- The EventEmitter.prototype._events object no longer inherits
from Object.prototype #6092.
- The EventEmitter.prototype.prependListener() and
EventEmitter.prototype.prependOnceListener() methods have been
added #6032.
File System
- The fs.realpath() and fs.realpathSync() methods have been
updated to use a more efficient libuv-based implementation. This
change includes the removal of the cache argument and the method
can throw new errors #3594.
- FS apis can now accept and return paths as Buffers #5616.
- Error handling and type checking improvements #5616, #5590,
#4518, #3917.
- fs.read's string interface is deprecated #4525.
HTTP
- 'clientError' can now be used to return custom errors from an
HTTP server #4557.
Buffer:
- Buffer.prototype.compare can now compare sub-ranges of two
Buffers.
deps:
- update to http-parser 2.7.0
- update ESLint to 2.7.0
net:
- adds support for passing DNS lookup hints to createConnection()
node:
- Make the builtin libraries available for the --eval and --print
CLI options
npm:
- upgrade npm to 3.8.6
repl:
- Pressing enter in the repl will repeat the last command by default
if no input has been received. This behaviour was in node
previously and was not removed intentionally.
src:
- add SIGINFO to supported signals
streams:
- Fix a regression that caused by net streams requesting multiple
chunks synchronously when combined with cork/uncork
zlib:
- The flushing flag is now configurable allowing for decompression
of partial data
- http: Enclose IPv6 Host header in square brackets. This will
enable proper seperation of the host adress from any port
reference
- path: Make win32.isAbsolute more consistent
5.10.0
* buffer:
- make byteLength work with ArrayBuffer & DataView
- backport --zero-fill-buffers command line option
- backport new buffer constructor APIs
- add swap16() and swap32() methods
* fs: add the fs.mkdtemp() function.
* net: emit host in lookup event
* node: --no-browser-globals configure flag
* npm: Upgrade to v3.8.3. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the CLI
for logged-in users, regardless of the destination of the
request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: support standalone blocks
* src: override v8 thread defaults using cli options
5.9.0
* contextify: Fixed a memory consumption issue related to heavy
use of vm.createContext and vm.runInNewContext.
* lib: copy arguments object instead of leaking it
* src: allow both -i and -e flags to be used at the same time
* timers: Internal Node.js timeouts now use the same logic path
as those created with setTimeout()
* v8: backport fb4ccae from v8 upstream: breakout events from v8
to offer better support for external debuggers
* zlib: add support for concatenated members
Changes since 5.7.1:
- child_process: send() now accepts an options parameter
- constants: ENGINE_METHOD_RSA is now correctly exposed
- Fixed two regressions which originated in v5.7.0:
- http: Errors inside of http client callbacks now propagate
correctly
- path: Fixed normalization of absolute paths
- repl: start() no longer requires an options parameter
- util: Improved format() performance 50-300%
