Version 21.1.0 (Current)
Notable Changes
Automatically detect and run ESM syntax
The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN.
We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone — especially package authors — to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection.
vm: fix V8 compilation cache support for vm.Script
Previously repeated compilation of the same source code using vm.Script stopped hitting the V8 compilation cache after v16.x when support for importModuleDynamically was added to vm.Script, resulting in a performance regression that blocked users (in particular Jest users) from upgrading from v16.x.
The recent fixes landed in v21.1.0 allow the compilation cache to be hit again for vm.Script when --experimental-vm-modules is not used even in the presence of the importModuleDynamically option, so that users affected by the performance regression can now upgrade. Ongoing work is also being done to enable compilation cache support for vm.CompileFunction.
Almost all uses, if not all of them, are wrong, according to the
semantics of BUILD_DEPENDS (packages built for target available for
use _by_ tools at build-time) and TOOL_DEPEPNDS (packages built for
host available for use _as_ tools at build-time).
No change to BUILD_DEPENDS as used correctly inside buildlink3.
As proposed on tech-pkg:
https://mail-index.netbsd.org/tech-pkg/2023/06/03/msg027632.html
Version 19.9.0 (Current)
Notable Changes
Tracing Channel in diagnostic_channel
New URL.canParse API
(SEMVER-MINOR) add getMaxListeners method (Khafra)
(SEMVER-MINOR) migrate to WiX4 (Stefan Stojanovic)
(SEMVER-MINOR) deprecate napi_module_register (Vladimir Morozov)
(SEMVER-MINOR) add setter & getter for default highWaterMark (Robert Nagy)
(SEMVER-MINOR) expose reporter for use in run api (Chemi Atlow)
Version 19.2.0 (Current)
Notable changes
Time zone update
Time zone data has been updated to 2022f. This includes changes to Daylight Savings Time (DST) for Fiji and Mexico. For more information, see https://mm.icann.org/pipermail/tz-announce/2022-October/000075.html.
Version 19.1.0 (Current)
Notable changes
Support function mocking on Node.js test runner
fs.watch recursive support on Linux
Version 19.0.1 (Current)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)
Version 19.0.0 (Current)
Node.js 19 is here! Highlights include the update of the V8 JavaScript engine to 10.7, HTTP(s)/1.1 KeepAlive enabled by default, and ESM Resolution adjusts.
Node.js 19 will replace Node.js 18 as our ‘Current’ release line when Node.js 18 enters long-term support (LTS) later this month. As per the release schedule, Node.js 19 will be ‘Current' release for the next 6 months, until April 2023.
Version 18.1.0 (Current)
Notable Changes
- doc: add @kuriyosh to collaborators (Yoshiki Kurihara)
- (SEMVER-MINOR) lib,src: implement WebAssembly Web API (Tobias Nießen)
- (SEMVER-MINOR) test_runner: add initial CLI runner (Colin Ihrig)
- (SEMVER-MINOR) worker: add hasRef() to MessagePort (Darshan Sen)
Version 18.0.0 (Current)
Node.js 18 is here! Highlights include the update of the V8 JavaScript engine to 10.1, global fetch enabled by default, and a core test runner module.
Initially, Node.js 18 will replace Node.js 17 as our ‘Current’ release line. As per the release schedule, Node.js 18 will be the ‘Current’ release for the next 6 months and then promoted to Long-term Support (LTS) in October 2022. Once promoted to long-term support the release will be designated the codename ‘Hydrogen’. Node.js 18 will be supported until April 2025.
Notable Changes
Deprecations and Removals
(SEMVER-MAJOR) fs: runtime deprecate string coercion in fs.write, fs.writeFileSync (Livia Medeiros)
(SEMVER-MAJOR) dns: remove dns.lookup and dnsPromises.lookup options type coercion (Antoine du Hamel)
(SEMVER-MAJOR) process: runtime deprecate multipleResolves (Benjamin Gruenbaum)
(SEMVER-MAJOR) stream: remove thenable support (Robert Nagy)
(SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life (Tobias Nießen)
Version 14.17.6 'Fermium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
Version 14.17.5 'Fermium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Version 14.17.1 'Fermium' (LTS)
Notable Changes
- deps: update ICU to 69.1 (Michaël Zasso)
- errors: align source-map stacks with spec (Benjamin Coe)
Commits
- assert: refactor to use more primordials (Antoine du Hamel)
- assert: refactor to avoid unsafe array iteration (Antoine du Hamel)
- async_hooks: refactor to avoid unsafe array iteration (Antoine du Hamel)
- async_hooks,doc: replace process.stdout.fd with 1 (Darshan Sen)
- benchmark: avoid using console.log() (Antoine du Hamel)
- benchmark: use process.hrtime.bigint() (Antoine du Hamel)
- buffer: remove TODOs in atob / btoa (Khaidi Chu)
- buffer: remove unreachable code (Rongjian Zhang)
- buffer: make FastBuffer safe to construct (Antoine du Hamel)
- buffer: refactor to use primordials instead of Array#reduce (Antoine du Hamel)
- buffer: refactor to use more primordials (Antoine du Hamel)
- build: work around bug in MSBuild v16.10.0 (Michaël Zasso)
- build: add workaround for V8 builds (Richard Lau)
- build: remove dependency on distutils.spawn (Richard Lau)
- build: fix make test-npm (Ruy Adorno)
- child_process: reduce abort handler code duplication (Rich Trott)
- child_process: treat already-aborted controller as aborting (Rich Trott)
- child_process: refactor to use more primordials (Antoine du Hamel)
- deps: update to cjs-module-lexer@1.2.1 (Guy Bedford)
- deps: update ICU to 69.1 (Michaël Zasso)
- deps: V8: cherry-pick 035c305ce776 (Michaël Zasso)
- deps: V8: cherry-pick dfcdf7837e23 (Benjamin Coe)
- deps: V8: cherry-pick 86991d0587a1 (Benjamin Coe)
- deps: V8: cherry-pick 530080c44af2 (Milad Fa)
- dgram: extract cluster lazy loading method to make it testable (Rongjian Zhang)
- dgram: refactor to use more primordials (Antoine du Hamel)
- dns: refactor to use more primordials (Antoine du Hamel)
- doc: cleanup events.md structure (James M Snell)
- doc: fix JS flavor selection (Antoine du Hamel)
- doc: use HEAD instead of master for links (Antoine du Hamel)
- doc: remove import.meta.resolve parent URL type (Kevin Locke)
- doc: document buffer.kStringMaxLength (Tobias Nießen)
- doc: clarify synchronous blocking of Worker stdio (James M Snell)
- doc: update contact info (Gabriel Schulhof)
- doc: change color of doctag on night mode (Qingyu Deng)
- doc: clarify DiffieHellmanGroup class docs (Nitzan Uziely)
- doc: use AIX instead of Aix in fs.md (Rich Trott)
- doc: remove extraneous dash from flag prefix (Rodolfo Carvalho)
- doc: document 'secureConnect' event limitation (James M Snell)
- doc: mark querystring api as legacy (James M Snell)
- doc: add arguments for stream event of Http2Server and Http2SecureServer (Qingyu Deng)
- doc: indicate that abort tests do not generate core files (Rich Trott)
- doc: add try/catch in http2 respondWithFile example (Matteo Collina)
- doc: note the system requirements for V8 tests (DeeDeeG)
- doc: minor clarification to pathObject (James M Snell)
- doc: document new TCP_KEEPCNT and TCP_KEEPINTVL socket option defaults (Arnold Zokas)
- doc: do not mention TCP in the allowHalfOpen option description (Luigi Pinca)
- doc: update message to match actual output (Rich Trott)
- doc: request default snap track be updated for LTS (Rod Vagg)
- doc: mark process.hrtime() as legacy (Antoine du Hamel)
- doc: fix version history for "exports" patterns (Antoine du Hamel)
- doc: fix package.json "imports" field history (Antoine du Hamel)
- doc: fix typo in buffer.md (divlo)
- doc: add nodejs-sec email template (Daniel Bevenius)
- doc: update TSC members list with three new members (Rich Trott)
- doc: use foo.prototype.bar notation in buffer.md (Voltrex)
- doc: internal/test/binding for testing (Bradley Meck)
- doc: add missing events.on metadata (Anna Henningsen)
- doc: fix wording in outgoingMessage.write (Tobias Nießen)
- doc: fix grammar errors in http document (Qingyu Deng)
- doc: add document for http.OutgoingMessage (Qingyu Deng)
- doc: remove generated from dsaEncoding description (Marko Kaznovac)
- doc: document how to register external bindings for snapshot (Joyee Cheung)
- doc: document the NO_COLOR and FORCE_COLOR env vars (James M Snell)
- doc: clarify event.isTrusted text (Rich Trott)
- doc: expand openssl instructions (Michael Dawson)
- doc: document ABORT_ERR code (Benjamin Gruenbaum)
- doc: document changes for */promises alias modules (ExE Boss)
- errors: align source-map stacks with spec (Benjamin Coe)
- errors: refactor to use more primordials (Antoine du Hamel)
- errors: display original symbol name (Benjamin Coe)
- errors: refactor to use more primordials (Antoine du Hamel)
- errors: refactor to use more primordials (Antoine du Hamel)
- events: refactor to use optional chaining (ZiJian Liu)
- events: refactor to use more primordials (Antoine du Hamel)
- fs: fix error when writing buffers > INT32_MAX (Zach Bjornson)
- Revert "http: make HEAD method to work with keep-alive" (Michaël Zasso)
- http2: treat non-EOF empty frames like other invalid frames (Anna Henningsen)
- http2: fix setting options before handle exists (Anna Henningsen)
- http2: add support for TypedArray to getUnpackedSettings (Antoine du Hamel)
- https: refactor to use more primordials (Antoine du Hamel)
- inspector: remove redundant method for connection check (Yash Ladha)
- inspector: refactor to use more primordials (Antoine du Hamel)
- lib: revert primordials in a hot path (Antoine du Hamel)
- lib: make IterableWeakMap safe to iterate (Antoine du Hamel)
- lib: fix and improve os typings (Akhil Marsonya)
- lib: add URI handling functions to primordials (Antoine du Hamel)
- lib: fix WebIDL object and dictionary type conversion (ExE Boss)
- lib: refactor to use optional chaining in internal/options.js (raisinten)
- lib: support returning Safe collections from C++ (ExE Boss)
- lib: expose primordials object (Antoine du Hamel)
- lib: refactor source_map to use more primordials (Antoine du Hamel)
- lib: refactor source_map to avoid unsafe array iteration (Antoine du Hamel)
- lib: simplify primordials.uncurryThis (ExE Boss)
- lib: remove v8_prof_polyfill from eslint ignore list (Antoine du Hamel)
- lib: remove unused code (Brian White)
- lib: refactor to use more primordials in internal/encoding.js (raisinten)
- lib: refactor to use primordials in internal/priority_queue.js (ZiJian Liu)
- lib: add primordials.SafeStringIterator (Antoine du Hamel)
- lib: make safe primordials safe to construct (Antoine du Hamel)
- lib: make safe primordials safe to iterate (Antoine du Hamel)
- lib: refactor to use more primordials in internal/histogram.js (raisinten)
- lib: add uncurried accessor properties to primordials (ExE Boss)
- lib: refactor primordials.uncurryThis (Antoine du Hamel)
- lib: refactor to use more primordials (Antoine du Hamel)
- lib: add %TypedArray% abstract constructor to primordials (ExE Boss)
- lib: use Object static properties from primordials (Michaël Zasso)
- lib,tools: enforce access to prototype from primordials (Antoine du Hamel)
- meta: add v8 team (Jiawen Geng)
- meta: post comment when pr labeled fast-track (James M Snell)
- module: clarify CJS global-like variables not defined error message (Antoine du Hamel)
- module: refactor NativeModule to avoid unsafe array iteration (Antoine du Hamel)
- module: simplify tryStatSync with throwIfNoEntry option (Antoine du Hamel)
- module: refactor to use more primordials (Antoine du Hamel)
- module: refactor to use more primordials (Antoine du Hamel)
- module: refactor to use iterable-weak-map (Benjamin Coe)
- net: refactor to use more primordials (Antoine du Hamel)
- node-api: faster threadsafe_function (Fedor Indutny)
- node-api: fix shutdown crashes (Michael Dawson)
- node-api: make reference weak parameter an indirect link to references (Chengzhong Wu)
- os: refactor to use more primordials (Antoine du Hamel)
- path: inline conditions (Voltrex)
- path: refactor to use more primordials (Akhil Marsonya)
- path: refactor to use more primordials (Antoine du Hamel)
- perf_hooks: throw ERR_INVALID_ARG_VALUE if histogram.percentile param is NaN (ZiJian Liu)
- perf_hooks: refactor to avoid unsafe array iteration (Antoine du Hamel)
- perf_hooks: refactor to use more primordials (Antoine du Hamel)
- policy: refactor to use more primordials (Antoine du Hamel)
- querystring: refactor to use more primordials (Antoine du Hamel)
- readline: refactor to use more primordials (Antoine du Hamel)
- repl: document top level await limitation with const/let (James M Snell)
- repl: display prompt once after error callback (Anna Henningsen)
- src: fix multiple AddLinkedBinding() calls (Anna Henningsen)
- src: update cares_wrap OpenBSD defines (Anna Henningsen)
- src: remove extra semi after member fn (Shelley Vohr)
- src: make workers messaging more resilient (Juan José Arboleda)
- src: fix validation of negative offset to avoid abort (James M Snell)
- src: use %progbits instead of @progbits (Stephen Gallagher)
- src: fix setting Converter sub char length (James M Snell)
- src: avoid deferred gc/cleanup for Buffer.from (James M Snell)
- src: indent long help text properly (David Glasser)
- src: fix ETW_WRITE_EMPTY_EVENT macro (Michaël Zasso)
- src: disable unfixable MSVC warnings (Michaël Zasso)
- src: avoid implicit type conversions (take 2) (Michaël Zasso)
- src: fix compiler warnings in node_buffer.cc (Darshan Sen)
- src: fix compiler warning in env.cc (Anna Henningsen)
- src: add check against non-weak BaseObjects at process exit (Anna Henningsen)
- src: use transferred consistently (Daniel Bevenius)
- src: fix label indentation (Rich Trott)
- stream: fix multiple Writable.destroy() calls (Robert Nagy)
- stream: the position of _read() is wrong (helloyou2012)
- stream: only use legacy close listeners if not willEmitClose (Robert Nagy)
- stream: fix legacy pipe error handling (Robert Nagy)
- string_decoder: throw ERR_STRING_TOO_LONG for UTF-8 (Michaël Zasso)
- string_decoder: refactor to use more primordials (Antoine du Hamel)
- test: improve coverage of lib/_http_client.js (Rongjian Zhang)
- test: improve coverage of lib/os.js (Rongjian Zhang)
- test: call functions internally (Voltrex)
- test: complete coverage of querystring (Rongjian Zhang)
- test: increase coverage for AbortController (ZiJian Liu)
- test: run message and pseudo-tty tests in parallel (Richard Lau)
- test: move test-net-connect-econnrefused from pummel to sequential (Rich Trott)
- test: fix common.mustCall length and name properties (Antoine du Hamel)
- test: address deprecation warning (Rich Trott)
- test: move abort test from pummel to abort directory (Rich Trott)
- test: skip some pummel tests on slower machines (Rich Trott)
- test: add ancestor package.json checks for tmpdir (Richard Lau)
- test: replace function with arrow function and remove unused argument (Andres)
- test: use .test domain for not found address (Richard Lau)
- test: increase fs promise coverage (Emil Sivervik)
- test: increase timeout on ASAN Action (Antoine du Hamel)
- test: improve coverage of SourceTextModule getters (Juan José Arboleda)
- test: improve coverage for Module getters (Juan José Arboleda)
- test: improve coverage on worker threads (Juan José Arboleda)
- test: improve coverage at lib/internal/vm/module.js (Juan José Arboleda)
- test: guard large string decoder allocation (Michaël Zasso)
- test: add already-aborted-controller test for spawn() (Rich Trott)
- test: add test for reused AbortController with execfile() (Rich Trott)
- test: add Actions annotation output (Mary Marchini)
- test: use .then(common.mustCall()) for all async IIFEs (Anna Henningsen)
- test,doc,lib: adjust object literal newlines for lint rule (Rich Trott)
- test,readline: improve tab completion coverage (Antoine du Hamel)
- timers: fix unsafe array iteration (Darshan Sen)
- timers: reject with AbortError on cancellation (Benjamin Gruenbaum)
- timers: refactor to use more primordials (Antoine du Hamel)
- timers: cleanup abort listener on awaitable timers (James M Snell)
- tls: validate ticket keys buffer (Antoine du Hamel)
- tls: fix session and keylog add listener segfault (Nitzan Uziely)
- tools: refloat 7 Node.js patches to cpplint.py (Rich Trott)
- tools: bump cpplint to 1.5.4 (Rich Trott)
- tools: refloat 7 Node.js patches to cpplint.py (Rich Trott)
- tools: bump cpplint to 1.5.3 (Rich Trott)
- tools: refloat 7 Node.js patches to cpplint.py (Rich Trott)
- tools: bump cpplint.py to 1.5.2 (Rich Trott)
- tools: update ESLint to 7.27.0 (Luigi Pinca)
- tools: update ESLint to 7.26.0 (Colin Ihrig)
- tools: update ESLint to 7.25.0 (Colin Ihrig)
- tools: update ESLint to 7.24.0 (Colin Ihrig)
- tools: update ESLint to 7.23.0 (Luigi Pinca)
- tools: update ESLint to 7.22.0 (Colin Ihrig)
- tools: make update-eslint.sh work with npm@7 (Luigi Pinca)
- tools: add support for mjs and cjs JS snippet linting (Antoine du Hamel)
- tools: update eslint-plugin-markdown configuration (Colin Ihrig)
- tools: enable object-curly-newline in ESLint rules (Rich Trott)
- tools: make GH Actions workflows work if default branch is not master (Antoine du Hamel)
- tools: use mktemp to create the workspace directory (Luigi Pinca)
- tools: use a shallow clone of the npm/cli repository (Luigi Pinca)
- tools: remove fixer for non-ascii-character ESLint custom rule (Rich Trott)
- tools: fix doc generation when version info is not available (Antoine du Hamel)
- tools: add _depot_tools to PATH (for V8 tests) (DeeDeeG)
- tools: fix type mismatch in test runner (Richard Lau)
- tools: simplify eslint comma-dangle configuration (tools) (Rich Trott)
- tools: simplify eslint comma-dangle configuration (Rich Trott)
- tools: run doctool tests on GitHub Actions CI (Antoine du Hamel)
- tools: refactor prefer-primordials (Antoine du Hamel)
- tools: update ESLint to 7.21.0 (Luigi Pinca)
- tools: update ESLint to 7.20.0 (Colin Ihrig)
- tools: update ESLint to 7.19.0 (Colin Ihrig)
- tools: update ESLint to 7.18.0 (Colin Ihrig)
- tools: update gyp-next to v0.7.0 (Michaël Zasso)
- tools: update ESLint to 7.17.0 (Colin Ihrig)
- tools: update ESLint to 7.16.0 (Yongsheng Zhang)
- tools: enable no-unsafe-optional-chaining lint rule (Colin Ihrig)
- tools: update ESLint to 7.15.0 (Colin Ihrig)
- tools: enable no-unused-expressions lint rule (Michaël Zasso)
- tools: enable no-nonoctal-decimal-escape lint rule (Colin Ihrig)
- tools: update ESLint to 7.14.0 (Colin Ihrig)
- tools: add linting rule for async IIFEs (Anna Henningsen)
- tools: update ESLint to 7.13.0 (Luigi Pinca)
- tools: update ESLint to 7.12.1 (Colin Ihrig)
- tools: update ESLint to 7.12.0 (Colin Ihrig)
- tools: update ESLint to 7.11.0 (Colin Ihrig)
- tools: add new ESLint rule: prefer-primordials (Leko)
- tools,doc: add support for several flavors of JS code snippets (Antoine du Hamel)
- tools,lib: recommend using safe primordials (Antoine du Hamel)
- tools,lib: tighten prefer-primordials rules for Error statics (Antoine du Hamel)
- tty: refactor to avoid unsafe array iteration (Antoine du Hamel)
- tty: refactor to use more primordials (Zijian Liu)
- typings: add JSDoc typings for util (Rohit Gohri)
- url: refactor to use more primordials (Antoine du Hamel)
- util: simplify constructor retrieval in inspect() (Rich Trott)
- v8: refactor to use more primordials (Antoine du Hamel)
- v8: refactor to use more primordials (Antoine du Hamel)
- vm: refactor to avoid unsafe array iteration (Antoine du Hamel)
- wasi: refactor to avoid unsafe array iteration (Antoine du Hamel)
- Revert "worker: remove ERR_CLOSED_MESSAGE_PORT" (Juan José Arboleda)
- worker: refactor to avoid unsafe array iteration (Antoine du Hamel)
- worker: refactor to use more primordials (Antoine du Hamel)
- zlib: fix brotli flush range (Khaidi Chu)
- zlib: refactor to avoid unsafe array iteration (Antoine du Hamel)
- zlib: refactor to use primordial instead of <string>.startsWith (Rohan Chougule)
- zlib: refactor to use more primordials (Antoine du Hamel)
Version 14.15.2 'Fermium' (LTS)
Notable Changes
deps:
upgrade npm to 6.14.9
update acorn to v8.0.4
doc: add release key for Danielle Adams
http2: check write not scheduled in scope destructor
stream: fix regression on duplex end
Version 14.13.0 (Current)
Notable Changes
(SEMVER-MINOR) deps: upgrade to libuv 1.40.0
(SEMVER-MINOR) module: named exports for CJS via static analysis
(SEMVER-MINOR) module: exports pattern support
(SEMVER-MINOR) src: allow N-API addon in AddLinkedBinding()
Version 14.12.0 (Current)
Notable changes
deps:
* update to uvwasi 0.0.11
n-api:
* create N-API version 7
* add more property defaults
Version 14.11.0 (Current)
Notable Changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8251: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests (Critical).
CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
Version 14.1.0
Notable Changes
deps: upgrade openssl sources to 1.1.1g
doc: add juanarbol as collaborator
http: doc deprecate abort and improve docs
module: do not warn when accessing __esModule of unfinished exports
n-api: detect deadlocks in thread-safe function
src: deprecate embedder APIs with replacements
stream:
* don't emit end after close
* don't wait for close on legacy streams
* pipeline should only destroy un-finished streams
vm: add importModuleDynamically option to compileFunction
Version 14.0.0 (Current)
Notable Changes
ECMAScript Modules - Experimental Warning Removal
New V8 ArrayBuffer API
cli, report: move --report-on-fatalerror to stable
deps: upgrade to libuv 1.37.0
fs: add fs/promises alias module
Version 13.10.0 (Current):
Notable Changes
async_hooks
- introduce async-context API
stream
- support passing generator functions into pipeline()
tls
- expose SSL_export_keying_material
vm
- implement vm.measureMemory() for per-context memory measurement
Version 13.3.0:
Notable Changes
fs:
Reworked experimental recursive rmdir()
The maxBusyTries option is renamed to maxRetries, and its default is set to 0. The emfileWait option has been removed, and EMFILE errors use the same retry logic as other errors. The retryDelay option is now supported. ENFILE errors are now retried.
http:
Make maximum header size configurable per-stream or per-server
http2:
Make maximum tolerated rejected streams configurable
Allow to configure maximum tolerated invalid frames
wasi:
Introduce initial WASI support
Version 10.14.0 'Dubnium' (LTS):
This is a security release. All Node.js users should consult the security release summary at:
https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
for details on patched vulnerabilities.
Fixes for the following CVEs are included in this release:
* Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
* Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
* Node.js: Hostname spoofing in URL parser for javascript protocol (CVE-2018-12123)
* OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
* OpenSSL: Timing vulnerability in ECDSA signature generation (CVE-2019-0735)
Notable Changes
* deps: Upgrade to OpenSSL 1.1.0j, fixing CVE-2018-0734 and CVE-2019-0735
* http:
- Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. Reported by Trevor Norris. (CVE-2018-12121 / Matteo Collina)
- A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. Reported by Jan Maybach (liebdich.com). (CVE-2018-12122 / Matteo Collina)
* url: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol.
Use bundled OpenSSL until pkgsrc provides the required 1.1.x.
### Notable Changes
- Assert
- Calling `assert.fail()` with more than one argument is deprecated.
- Calling `assert.ok()` with no arguments will now throw.
- Calling `assert.ifError()` will now throw with any argument other
than `undefined` or `null`. Previously the method would throw with
any truthy value.
- The `assert.rejects()` and `assert.doesNotReject()` methods have
been added for working with async functions.
- Async_hooks
- Older experimental async_hooks APIs have been removed.
- Buffer
- Uses of `new Buffer()` and `Buffer()` outside of the
`node_modules` directory will now emit a runtime deprecation
warning.
- `Buffer.isEncoding()` now returns `undefined` for falsy values,
including an empty string.
- `Buffer.fill()` will throw if an attempt is made to fill with an
empty `Buffer`.
- Child Process
- Undefined properties of env are ignored.
- Console
- The `console.table()` method has been added.
- Crypto
- The `crypto.createCipher()` and `crypto.createDecipher()` methods
have been deprecated. Please use `crypto.createCipheriv()` and
`crypto.createDecipheriv()` instead.
- The `decipher.finaltol()` method has been deprecated.
- The `crypto.DEFAULT_ENCODING` property has been deprecated.
- The `ECDH.convertKey()` method has been added.
- The `crypto.fips` property has been deprecated.
- Dependencies
- V8 has been updated to 6.6.
- OpenSSL has been updated to 1.1.0h.
- EventEmitter
- The `EventEmitter.prototype.off()` method has been added as an
alias for `EventEmitter.prototype.removeListener()`.
- File System
- The `fs/promises` API provides experimental promisified versions
of the `fs` functions.
- Invalid path errors are now thrown synchronously.
- The `fs.readFile()` method now partitions reads to avoid thread
pool exhaustion.
- HTTP
- Processing of HTTP Status codes `100`, `102-199` has been
improved.
- Multi-byte characters in URL paths are now forbidden.
- N-API
- The n-api is no longer experimental.
- Net
- The `'close'` event will be emitted after `'end'`.
- Perf_hooks
- The `PerformanceObserver` class is now an `AsyncResource` and can
be monitored using `async_hooks`.
- Trace events are now emitted for performance events.
- The `performance` API has been simplified.
- Performance milestone marks will be emitted as trace events.
- Process
- Using non-string values for `process.env` is deprecated.
- The `process.assert()` method is deprecated.
- REPL
- REPL now experimentally supports top-level await when using the
`--experimental-repl-await` flag.
- The previously deprecated "magic mode" has been removed.
- The previously deprecated `NODE_REPL_HISTORY_FILE` environment
variable has been removed.
- Proxy objects are shown as Proxy objects when inspected.
- Streams
- The `'readable'` event is now always deferred with nextTick.
- A new `pipeline()` method has been provided for building
end-to-data stream pipelines.
- Experimental support for async for-await has been added to
`stream.Readable`.
- Timers
- The `enroll()` and `unenroll()` methods have been deprecated.
- TLS
- The `tls.convertNPNProtocols()` method has been deprecated.
- Support for NPN (next protocol negotiation) has been dropped.
- The `ecdhCurve` default is now `'auto'`.
- Trace Events
- A new `trace_events` top-level module allows trace event
categories to be enabled/disabled at runtime.
- URL
- The WHATWG URL API is now a global.
- Util
- `util.types.is[…]` type checks have been added.
- Support for bigint formatting has been added to `util.inspect()`.
#### Deprecations:
The following APIs have been deprecated in Node.js 10.0.0
- Passing more than one argument to `assert.fail()` will emit a
runtime deprecation warning.
- Previously deprecated legacy async_hooks APIs have reached
end-of-life and have been removed.
- Using `require()` to access several of Node.js' own internal
dependencies will emit a runtime deprecation.
- The `crypto.createCipher()` and `crypto.createDecipher()` methods
have been deprecated in documentation.
- Using the `Decipher.finaltol()` method will emit a runtime
deprecation warning.
- Using the `crypto.DEFAULT_ENCODING` property will emit a runtime
deprecation warning.
- Use by native addons of the `MakeCallback()` variant that passes a
`Domain` will emit a runtime deprecation warning.
- Previously deprecated internal getters/setters on `net.Server` has
reached end-of-life and have been removed.
- Use of non-string values for `process.env` has been deprecated in
documentation.
- Use of `process.assert()` will emit a runtime deprecation warning.
- Previously deprecated `NODE_REPL_HISTORY_FILE` environment variable
has reached end-of-life and has been removed.
- Use of the `timers.enroll()` and `timers.unenroll()` methods will
emit a runtime deprecation warning.
- Use of the `tls.convertNPNProtocols()` method will emit a runtime
deprecation warning. Support for NPN has been removed from Node.js.
- The `crypto.fips` property has been deprecated in documentation.
Changes since nodejs 8.8.1:
- doc: add Gibson Fahnestock to Release team
- deps: update npm to 5.5.1
- http2: The exposed http2 socket is no longer manipulatable
- module: support custom paths to require.resolve()
- util: util.TextEncoder and util.TextDecoder are no longer experimental.
There will no longer be a warning when they are used
8.2.1
- configure:
- add mips64el to valid_arch
- crypto:
- Updated root certificates based on NSS 3.30
- deps:
- upgrade OpenSSL to version 1.0.2.l
- http:
- parse errors are now reported when NODE_DEBUG=http
- Agent construction can now be envoked without `new`
- zlib:
- node will now throw an Error when zlib rejects the value of
windowBits, instead of crashing
8.2.0
- Async Hooks
- Multiple improvements to Promise support in `async_hooks` have
been made.
- Build
- The compiler version requirement to build Node with GCC has been
raised to GCC 4.9.4.
- Cluster
- Users now have more fine-grained control over the inspector port
used by individual cluster workers. Previously, cluster workers were
restricted to incrementing from the master's debug port.
- DNS
- The server used for DNS queries can now use a custom port.
- Support for `dns.resolveAny()` has been added.
- npm
- The `npm` CLI has been updated to version 5.3.0. In particular, it
now comes with the `npx` binary, which is also shipped with Node.
This release will become the new LTS later in 2016.
The following significant changes have been made since the
previous Node.js v5.0.0 release.
Buffer
- New Buffer constructors have been added #4682 and #5833.
- Existing Buffer() and SlowBuffer() constructors have been
deprecated in docs #4682 and #5833.
- Previously deprecated Buffer APIs are removed #5048, #4594.
- Improved error handling #4514.
- The Buffer.prototype.lastIndexOf() method has been added #4846.
Cluster
- Worker emitted as first argument in 'message' event #5361.
- The worker.exitedAfterDisconnect property replaces
worker.suicide #3743.
Console
- Calling console.timeEnd() with an unknown label now emits a
process warning rather than throwing #5901.
Crypto
- Improved error handling #3100, #5611.
- Simplified Certificate class bindings #5382.
- Improved control over FIPS mode #5181.
- pbkdf2 digest overloading is deprecated #4047.
Dependencies
- Reintroduce shared c-ares build support #5775.
- V8 updated to 5.0.71.35 #6372.
DNS
- Add dns.resolvePtr() API to query plain DNS PTR records #4921.
Domains
- Clear stack when no error handler #4659.
Events
- The EventEmitter.prototype._events object no longer inherits
from Object.prototype #6092.
- The EventEmitter.prototype.prependListener() and
EventEmitter.prototype.prependOnceListener() methods have been
added #6032.
File System
- The fs.realpath() and fs.realpathSync() methods have been
updated to use a more efficient libuv-based implementation. This
change includes the removal of the cache argument and the method
can throw new errors #3594.
- FS apis can now accept and return paths as Buffers #5616.
- Error handling and type checking improvements #5616, #5590,
#4518, #3917.
- fs.read's string interface is deprecated #4525.
HTTP
- 'clientError' can now be used to return custom errors from an
HTTP server #4557.
