2017-03-28, Version 7.8.0
buffer:
- do not segfault on out-of-range index
crypto:
- Fix memory leak if certificate is revoked
deps:
- upgrade npm to 4.2.0
- fix async await desugaring in V8
readline:
- add option to stop duplicates in history
2017-03-21, Version 7.7.4
- deps: Add node-inspect 1.10.6
- inspector: proper WS URLs when bound to 0.0.0.0
- tls: fix segfault on destroy after partial read.
- module: The module loading global fallback to the Node executable's
directory now works correctly on Windows.
- net: Socket.prototype.connect now once again functions without
a callback.
- url: URL.prototype.origin now properly specifies an opaque return
of 'null' for file:// URLs.
Notable changes
- doc: add Daijiro Wachi to collaborators
- tty: add ref() so process.stdin.ref() etc. work
- util: fix inspecting symbol key in string
- Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to everyone
who was affected by 7.7.0.
- child_process: spawnSync() exit code now is null when the child is
killed via signal
- http: new functions to access the headers for an outgoing HTTP message
- lib: deprecate node --debug at runtime
- tls: new tls.TLSSocket() supports sec ctx options
- url: adding URL.prototype.toJSON support
- doc: items in the API documentation may now have changelogs
- crypto: adding support for OPENSSL_CONF again
- src: adding support for trace-event tracing
Notable changes
- crypto:
- ability to select cert store at runtime
- Use system CAs instead of using bundled ones
- deps:
- upgrade npm to 4.1.2
- upgrade openssl sources to 1.0.2k
- doc: add basic documentation for WHATWG URL API
- process: add NODE_NO_WARNINGS environment variable
- url: allow use of URL with http.request and https.request
Notable changes
- buffer:
- Improve performance of Buffer allocation by ~11%.
- Improve performance of Buffer.from() by ~50%.
- events: Improve performance of EventEmitter.once() by ~27%.
- fs: Allow passing Uint8Array to fs methods where Buffers are supported.
- http: Improve performance of http server by ~7%.
- npm: Upgrade to v4.0.5
Notable changes
buffer:
- buffer.fill() now works properly for the UCS2 encoding on
Big-Endian machines.
cluster:
- disconnect() now returns a reference to the disconnected worker.
crypto:
- The built-in list of Well-Known CAs (Certificate Authorities) can
now be extended via a NODE_EXTRA_CA_CERTS environment variable.
http:
- Remove stale timeout listeners in order to prevent a memory leak
when using keep alive.
tls:
- Allow obvious key/passphrase combinations.
url:
- Including base argument in URL.originFor() to meet specification
compliance.
- Improve URLSearchParams to meet specification compliance.
- buffer:
- Reverted the runtime deprecation of calling Buffer() without new.
- Fixed buffer.transcode() for single-byte character encodings to UCS2.
- promise: --trace-warnings now produces useful stacktraces for Promise
warnings.
- repl: Fixed a bug preventing correct parsing of generator functions.
- V8: Fixed a significant instanceof performance regression.
- crypto: The Decipher methods setAuthTag() and setAAD now return this.
- dns: Implemented {ttl: true} for resolve4() and resolve6().
- libuv: Upgrade to v1.10.1
- Fixed a potential buffer overflow when writing data to console on
Windows 10.
- process: Added a new external property to the data returned by
memoryUsage().
- tls: Fixed a memory leak when writes were queued on TLS connection that
was destroyed during handshake.
- V8 (dep): Upgrade to v5.4.500.43
- v8: The data returned by getHeapStatistics() now includes three new
fields: malloced_memory, peak_malloced_memory, and does_zap_garbage.
- buffer: add buffer.transcode to transcode a buffer's content from one
encoding to another primarily using ICU
- child_process: add public API for IPC channel
- icu:
- Upgraded to ICU 58 - small icu
- Add cldr, tz, and unicode to process.versions
- lib: make String(global) === '[object global]'
- libuv: Upgraded to 1.10.0
- readline: use icu based string width calculation
- src:
- add NODE_PRESERVE_SYMLINKS environment variable that has the same effect
as the --preserve-symlinks flag
- Fix String#toLocaleUpperCase() and String#toLocaleLowerCase()
This new major version of Node.js includes: V8 5.4 which brings along with it
98% coverage of ES6 language features, improved reliability and performance,
and a new experimental URL parser based on the WHATWG URL standard.
As an odd numbered release, in accordance with our Long Term Support plan,
Node.js v7 will be supported only until about June, 2017, with Node.js v8
currently scheduled for release in April, 2017.
Notable changes
Buffer
- Passing invalid input to Buffer.byteLength will now throw an error #8946.
- Calling Buffer without new is now deprecated and will emit a process
warning #8169.
- Passing a negative number to allocUnsafe will now throw an error #7079.
Child Process
- The fork and execFile methods now have stronger argument validation #7399.
Cluster
- The worker.suicide method is deprecated and will emit a process warning
#3747.
Deps
- V8 has been updated to 5.4.500.36 #8317, #8852, #9253.
- NODE_MODULE_VERSION has been updated to 51 #8808.
File System
- A process warning is emitted if a callback is not passed to async file
system methods #7897.
Intl
- Intl.v8BreakIterator constructor has been deprecated and will emit a
process warning #8908.
Promises
- Unhandled Promise rejections have been deprecated and will emit a process
warning #8217.
Punycode
- The punycode module has been deprecated #7941.
URL
- An Experimental WHATWG URL Parser has been introduced #7448.
- crypto: Don't automatically attempt to load an OpenSSL
configuration file, from the OPENSSL_CONF environment variable
or from the default location for the current platform. Always
triggering a configuration file load attempt may allow an attacker
to load compromised OpenSSL configuration into a Node.js process
if they are able to place a file in a default location.
- node: Introduce the process.release.lts property, set to "Boron".
This value is "Argon" for v4 LTS releases and undefined for all
other releases.
- V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
- v8_inspector: Generate a UUID for each execution of the
inspector. This provides additional security to prevent
unauthorized clients from connecting to the Node.js process via
the v8_inspector port when running with --inspect.
Notable changes
- fs:
- SyncWriteStream now inherits from Stream.Writable.
- fs.existsSync() has been undeprecated. fs.exists() remains
deprecated.
- http: http.request() now accepts a timeout option.
- module: The module loader now maintains its own realpath cache.
- npm: Upgraded to 3.10.8
- stream: Duplex streams now show proper instanceof Stream.Writable.
- timers: Improved setTimeout/Interval performance by up to 22%.
- openssl: Remove support for loading dynamic third-party engine
modules. An attacker may be able to hide malicious code to be
inserted into Node.js at runtime by masquerading as one of the
dynamic engine modules.
- http: CVE-2016-5325 - Properly validate for allowable characters
in the reason argument in ServerResponse#writeHead().
- buffer: Zero-fill excess bytes in new Buffer objects created
with Buffer.concat() while providing a totalLength parameter
that exceeds the total length of the original Buffer objects
being concatenated.
- src: Fix regression where passing an empty password and/or salt
to crypto.pbkdf2() would cause a fatal error
- tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
check whereby a TLS server may be able to serve an invalid
wildcard certificate for its hostname due to improper validation
of *. in the wildcard string.
- v8: Fix regression where a regex on a frozen object was broken
Notable changes
- crypto: Added crypto.timingSafeEqual().
- events: Made the "max event listeners" memory leak warning more
accessible.
- promises: Unhandled rejections now emit a process warning after
the first tick.
- repl: Added auto alignment for .editor mode.
- util: Some functionality has been added to util.inspect():
- Returning this from a custom inspect function now works.
- Added support for Symbol-based custom inspection methods.
- buffer: Fix regression introduced in v6.4.0 that prevented
.write() at buffer end
- deps: update V8 to 5.1.281.75
- inspector:
- fix inspector hang while disconnecting
- add support for uncaught exception
- repl: Fix saving editor mode text in .save
- Revert "repl,util: insert carriage returns in output"
Notable changes
- build: zlib symbols and additional OpenSSL symbols are now
exposed on Windows platforms.
- child_process, cluster: Forked child processes and cluster
workers now support stdio configuration.
- child_process: argv[0] can now be set to arbitrary values in
spawned processes.
- fs: fs.ReadStream now exposes the number of bytes it has read so
far.
- repl: The REPL now supports editor mode.
- util: inspect() can now be configured globally using
util.inspect.defaultOptions.
6.3.1.
Notable changes
- buffer:
- Improve performance of Buffer.from(str, 'hex') and
Buffer#write(str, 'hex').
- Fix creating from zero-length ArrayBuffer.
- deps:
- Upgrade to V8 5.0.71.57.
- Backport V8 instanceof bugfix
- repl: Fix issue with function redeclaration.
- util: Fix inspecting of boxed symbols.
6.3.0
Notable changes
- buffer: Added buffer.swap64() to complement swap16() & swap32().
- build: New configure options have been added for building
Node.js as a shared library.
- crypto: Root certificates have been updated.
- debugger: The server address is now configurable via
--debug=<address>:<port>.
- npm: Upgraded npm to v3.10.3
- readline: Added the prompt option to the readline constructor.
- repl / vm: sigint/ctrl+c will now break out of infinite loops
without stopping the Node.js instance.
- src:
- Added a node::FreeEnvironment public C++ API.
- Refactored require('constants'), constants are now available
directly from their respective modules.
- stream: Improved readable.read() performance by up to 70%.
- timers: setImmediate() is now up to 150% faster in some
situations.
- util: Added a breakLength option to util.inspect() to control
how objects are formatted across lines.
- v8-inspector: Experimental support has been added for debugging
Node.js over the inspector protocol.
- http:
- req.read(0) could cause incoming connections to stall and time out
under certain conditions. (Fedor Indutny) #7211
- When freeing the socket to be reused in keep-alive Agent wait for
both prefinish and end events. Otherwise the next request may be
written before the previous one has finished sending the body,
leading to parser errors. (Fedor Indutny) #7149
- npm: upgrade npm to 3.9.5 (Kat Marchan) #7139
Notable changes
- buffer: Ignore negative lengths in calls to Buffer() and
Buffer.allocUnsafe().
- npm: Upgrade npm to 3.9.3
- tty: Default to blocking mode for stdio on OS X.
- V8: Upgrade to V8 5.0.71.52.
See full changelog:
https://github.com/nodejs/node/blob/v6.2.1/doc/changelogs/CHANGELOG_V6.md
- assert: deep{Strict}Equal() now works correctly with circular
references.
- debugger: Arrays are now formatted correctly in the debugger repl.
- deps: Upgrade OpenSSL sources to 1.0.2h
- net: Introduced a Socket#connecting property.
- process: Introduced process.cpuUsage().
- stream: Writable#setDefaultEncoding() now returns this.
- util: Two new additions to util.inspect():
- Added a maxArrayLength option to truncate the formatting of
Arrays.
- Added a showProxy option for formatting proxy intercepting
handlers.
This release will become the new LTS later in 2016.
The following significant changes have been made since the
previous Node.js v5.0.0 release.
Buffer
- New Buffer constructors have been added #4682 and #5833.
- Existing Buffer() and SlowBuffer() constructors have been
deprecated in docs #4682 and #5833.
- Previously deprecated Buffer APIs are removed #5048, #4594.
- Improved error handling #4514.
- The Buffer.prototype.lastIndexOf() method has been added #4846.
Cluster
- Worker emitted as first argument in 'message' event #5361.
- The worker.exitedAfterDisconnect property replaces
worker.suicide #3743.
Console
- Calling console.timeEnd() with an unknown label now emits a
process warning rather than throwing #5901.
Crypto
- Improved error handling #3100, #5611.
- Simplified Certificate class bindings #5382.
- Improved control over FIPS mode #5181.
- pbkdf2 digest overloading is deprecated #4047.
Dependencies
- Reintroduce shared c-ares build support #5775.
- V8 updated to 5.0.71.35 #6372.
DNS
- Add dns.resolvePtr() API to query plain DNS PTR records #4921.
Domains
- Clear stack when no error handler #4659.
Events
- The EventEmitter.prototype._events object no longer inherits
from Object.prototype #6092.
- The EventEmitter.prototype.prependListener() and
EventEmitter.prototype.prependOnceListener() methods have been
added #6032.
File System
- The fs.realpath() and fs.realpathSync() methods have been
updated to use a more efficient libuv-based implementation. This
change includes the removal of the cache argument and the method
can throw new errors #3594.
- FS apis can now accept and return paths as Buffers #5616.
- Error handling and type checking improvements #5616, #5590,
#4518, #3917.
- fs.read's string interface is deprecated #4525.
HTTP
- 'clientError' can now be used to return custom errors from an
HTTP server #4557.
Buffer:
- Buffer.prototype.compare can now compare sub-ranges of two
Buffers.
deps:
- update to http-parser 2.7.0
- update ESLint to 2.7.0
net:
- adds support for passing DNS lookup hints to createConnection()
node:
- Make the builtin libraries available for the --eval and --print
CLI options
npm:
- upgrade npm to 3.8.6
repl:
- Pressing enter in the repl will repeat the last command by default
if no input has been received. This behaviour was in node
previously and was not removed intentionally.
src:
- add SIGINFO to supported signals
streams:
- Fix a regression caused by net streams requesting multiple
chunks synchronously when combined with cork/uncork
zlib:
- The flushing flag is now configurable allowing for decompression
of partial data
- http: Enclose IPv6 Host header in square brackets. This will
enable proper separation of the host address from any port
reference
- path: Make win32.isAbsolute more consistent
5.10.0
* buffer:
- make byteLength work with ArrayBuffer & DataView
- backport --zero-fill-buffers command line option
- backport new buffer constructor APIs
- add swap16() and swap32() methods
* fs: add the fs.mkdtemp() function.
* net: emit host in lookup event
* node: --no-browser-globals configure flag
* npm: Upgrade to v3.8.3. Fixes a security flaw in the use of
authentication tokens in HTTP requests that would allow an
attacker to set up a server that could collect tokens from
users of the command-line interface. Authentication tokens
have previously been sent with every request made by the CLI
for logged-in users, regardless of the destination of the
request. This update fixes this by only including those
tokens for requests made against the registry or registries
used for the current install.
* repl: support standalone blocks
* src: override v8 thread defaults using cli options
5.9.0
* contextify: Fixed a memory consumption issue related to heavy
use of vm.createContext and vm.runInNewContext.
* lib: copy arguments object instead of leaking it
* src: allow both -i and -e flags to be used at the same time
* timers: Internal Node.js timeouts now use the same logic path
as those created with setTimeout()
* v8: backport fb4ccae from v8 upstream: breakout events from v8
to offer better support for external debuggers
* zlib: add support for concatenated members
Changes since 5.7.1:
- child_process: send() now accepts an options parameter
- constants: ENGINE_METHOD_RSA is now correctly exposed
- Fixed two regressions which originated in v5.7.0:
- http: Errors inside of http client callbacks now propagate
correctly
- path: Fixed normalization of absolute paths
- repl: start() no longer requires an options parameter
- util: Improved format() performance 50-300%
* path.relative():
- Output is no longer unnecessarily verbose
- Resolving UNC paths on Windows now works correctly
- Resolving paths with prefixes now works correctly from
the root directory
* url: Fixed an off-by-one error with parse()
* dgram: Now correctly handles a default address case when offset
and length are specified (Matteo Collina) #5407.
Irrelevant to (dynamically linked) lang/nodejs:
* openssl: Upgrade from 1.0.2f to 1.0.2g
* buffer:
- You can now supply an encoding argument when filling a Buffer
Buffer#fill(string[, start[, end]][, encoding]), supplying an
existing Buffer will also work with Buffer#fill(buffer[, start[,
end]]). See the API documentation for details on how this works.
- Buffer#indexOf() no longer requires a byteOffset argument if
you also wish to specify an encoding: Buffer#indexOf(val[,
byteOffset][, encoding]).
* child_process: spawn() and spawnSync() now support a 'shell'
option to allow for optional execution of the given command inside
a shell. If set to true, cmd.exe will be used on Windows and
/bin/sh elsewhere. A path to a custom shell can also be passed to
override these defaults. On Windows, this option allows .bat and
.cmd files to be executed with spawn() and spawnSync().
* http_parser: Update to http-parser 2.6.2 to fix an unintentionally
strict limitation of allowable header characters
* dgram: socket.send() now accepts an array of Buffers or
Strings as the first argument. See the API docs for details on how
this works.
* http: Fix a bug where handling headers will mistakenly trigger an
'upgrade' event where the server is just advertising its protocols.
This bug can prevent HTTP clients from communicating with HTTP/2
enabled servers.
* net: Added a listening Boolean property to net and http servers to
indicate whether the server is listening for connections.
* node: The C++ node::MakeCallback() API is now reentrant and
calling it from inside another MakeCallback() call no longer causes
the nextTick queue or Promises microtask queue to be processed out
of order.
* tls: Add a new tlsSocket.getProtocol() method to get the negotiated
TLS protocol version of the current connection.
* vm: Introduce new 'produceCachedData' and 'cachedData' options to
new vm.Script() to interact with V8's code cache. When a new
vm.Script object is created with the 'produceCachedData' set to
true a Buffer with V8's code cache data will be produced and stored
in cachedData property of the returned object. This data in turn
may be supplied back to another vm.Script() object with a
'cachedData' option if the supplied source is the same. Successfully
executing a script from cached data can speed up instantiation time.
* performance: Improvements in:
- process.nextTick()
- path module
- querystring module
- streams module when processing small chunks
- http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
- http-parser: upgrade from 2.6.0 to 2.6.1
- npm: upgrade npm from 3.3.12 to 3.6.0 (Rebecca Turner) #4958
- openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes
with parameters shorter than 1024-bits, up from the previous
limit of 768-bits.
- Minor performance improvements:
- module: move unnecessary work for early return (Andres Suarez) #3579
- Various bug fixes
- Various doc fixes
- Various test improvements
http:
- A new status code was added: 451 - "Unavailable For Legal Reasons"
- Idle sockets that have been kept alive now handle errors
This release also includes several minor performance improvements:
- assert: deepEqual is now speedier when comparing TypedArrays
- lib: Use arrow functions instead of bind where possible
- node: Improved accessor perf of process.env
- node: Improved performance of process.hrtime()
- node: Improved GetActiveHandles performance
- util: Use faster iteration in util.format()
- buffer: Buffer.prototype.includes() has been added to keep parity
with TypedArrays.
- domains: Fix handling of uncaught exceptions.
- https: Added support for disabling session caching.
- repl: Allow third party modules to be imported using require().
This corrects a regression from 5.2.0.
- deps: Upgrade libuv to 1.8.0.
build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling.
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled.
crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys
that are not dynamically generated via generateKeys(). The
public key is now computed when explicitly setting a private
key. Added validity checks to reduce the possibility of
computing weak or invalid shared secrets. Also, deprecated
the setPublicKey() method for ECDH objects as its usage is
unnecessary and can lead to inconsistent state.
- Update root certificates from the current list
maintained by Mozilla NSS.
- Multiple CA certificates can now be passed with the ca option
to TLS methods as an array of strings or in a single new-line
separated string.
tools:
- Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to
process V8 profiling output files generated when using the
--prof command-line argument.
Notable changes
- http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
- openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server
using DHE key exchange. Details are available at
http://openssl.org/news/secadv/20151203.txt.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
http://openssl.org/news/secadv/20151203.txt. (Shigeki Ohtsu) #4134
- v8: Backport fixes for a bug in JSON.stringify() that can result in
out-of-bounds reads for arrays. (Ben Noordhuis)
Notable changes:
* buffer: The noAssert option for many buffer functions will now
silently drop invalid write values rather than crashing
* child_process: child.send() now properly returns a boolean like
the docs suggest
* doc: All of the API docs have been re-ordered so as to read in
alphabetical order
* http_parser: update http-parser to 2.6.0 from 2.5.0
- Now supports the following HTTP methods: LINK, UNLINK, BIND,
REBIND, UNBIND.
- Also added ACL and IPv6 Zone ID support.
* npm: upgrade npm to 3.3.12 from v3.3.6
* repl: The REPL no longer crashes if the persistent history file
cannot be opened
* tls: The default sessionIdContext now uses SHA1 in FIPS mode
rather than MD5
* v8: Added some more useful post-mortem data
See full release notes:
https://nodejs.org/en/blog/release/v5.1.0/
Move most logic into Makefile.common that will be shared
by the LTS lang/nodejs4 package.
Notable Changes in 5.0.0:
* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types
from Buffer, these have been deprecated for a long time
* console: (Breaking) Values reported by console.time() now have
3 decimals of accuracy added
* fs:
- fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also
accept a file descriptor as their first argument
- (Breaking) In fs.readFile(), if an encoding is specified and
the internal toString() fails the error is no longer thrown but is
passed to the callback
- (Breaking) In fs.read() (using the fs.read(fd, length, position,
encoding, callback) form), if the internal toString() fails the
error is no longer thrown but is passed to the callback
* http:
- Fixed a bug where pipelined http requests would stall
- (Breaking) When parsing HTTP, don't add duplicates of the
following headers: Retry-After, ETag, Last-Modified, Server, Age,
Expires.
- (Breaking) The callback argument to OutgoingMessage#setTimeout()
must be a function or a TypeError is thrown
- (Breaking) HTTP methods and header names must now conform to
the RFC 2616 "token" rule, a list of allowed characters that
excludes control characters and a number of separator characters.
* node:
- (Breaking) Deprecated the _linklist module
- (Breaking) Removed require.paths and require.registerExtension(),
both had been previously set to throw Error when accessed
* npm: Upgraded to version 3.3.6 from 2.14.7
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46
* timers: Attempt to reuse the timer handle for setTimeout().unref().
* tls:
- Added ALPN Support
- TLS options can now be passed in an object to createSecurePair()
- (Breaking) The default minimum DH key size for tls.connect() is
now 1024 bits and a warning is shown when DH key size is less
than 2048 bits.
* util:
- (Breaking) util.p() was deprecated for years, and has now been
removed
- (Breaking) util.inherits() can now work with ES6 classes.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35
- Implements the spread operator
- Implements new.target
* zlib: Decompression now throws on truncated input (e.g. unexpected
end of file)
See full release notes with more information at:
https://nodejs.org/en/blog/release/v5.0.0/
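
The RFC 2616 "token" rule cited in the 5.0.0 http notes above, written out as a validator for HTTP methods and header names. This is an added example, not code from Node.js or from this changelog; tokenViolation, auditRequest and the sample headers are names and data constructed for illustration.

```javascript
'use strict';

// RFC 2616 section 2.2:
//   token      = 1*<any CHAR except CTLs or separators>
//   separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <">
//              | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT
const SEPARATORS = '()<>@,;:\\"/[]?={} \t';

// Lookup table indexed by char code: true when the octet may appear in a token.
// Only visible US-ASCII (0x21-0x7e) is considered, which already excludes
// the control characters, SP and DEL.
const TOKEN_CHAR = new Array(128).fill(false);
for (let c = 0x21; c <= 0x7e; c++) {
  TOKEN_CHAR[c] = !SEPARATORS.includes(String.fromCharCode(c));
}

// Returns null when `value` is a valid token, otherwise a description of
// the first offending character (useful in a log line or an error message).
function tokenViolation(value) {
  if (typeof value !== 'string' || value.length === 0) {
    return 'empty or not a string';
  }
  for (let i = 0; i < value.length; i++) {
    const code = value.charCodeAt(i);
    const hex = code.toString(16).padStart(2, '0');
    if (code > 0x7f) {
      return `non-ASCII character 0x${hex} at index ${i}`;
    }
    if (code < 0x20 || code === 0x7f) {
      // CR and LF land here: the characters behind header injection
      // and response splitting.
      return `control character 0x${hex} at index ${i}`;
    }
    if (!TOKEN_CHAR[code]) {
      return `separator ${JSON.stringify(value[i])} at index ${i}`;
    }
  }
  return null;
}

// Checks a method and every header name, collecting all violations
// instead of stopping at the first one.
function auditRequest(method, headers) {
  const findings = [];
  const check = (kind, value) => {
    const reason = tokenViolation(value);
    if (reason !== null) findings.push({ kind, value, reason });
  };
  check('method', method);
  for (const name of Object.keys(headers)) check('header-name', name);
  return findings;
}

// Constructed sample input: one valid name, one name carrying CRLF,
// one name containing separator characters.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/plain',
  'X-Trace\r\nInjected': '1',
  'X(Debug)': 'on',
};

for (const f of auditRequest('GET', SAMPLE_HEADERS)) {
  console.log(`${f.kind} ${JSON.stringify(f.value)}: ${f.reason}`);
}
```
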