PR-URL: https://github.com/nodejs/node/pull/12206
Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a special LTS to fix a number of regressions that were found
on the 6.10.x release line.
This includes:
* a fix for memory leak in the crypto module that
was introduced in 6.10.1
* a fix for a regression introduced to the windows repl in 6.10.0
* a backported fix for V8 to stop a segfault that could occur
when using spread syntax
It also includes an upgrade to zlib 1.2.11 to fix a numberof low
severity CVEs that were present in zlib 1.2.8.
http://seclists.org/oss-sec/2016/q4/602
Notable changes
* crypto:
- fix memory leak if certificate is revoked (Tom Atkinson)
https://github.com/nodejs/node/pull/12089
* deps:
- upgrade zlib to 1.2.11 (Sam Roberts)
https://github.com/nodejs/node/pull/10980
- backport V8 fixes for spread syntax regression causing segfaults
(Michaël Zasso) https://github.com/nodejs/node/pull/12037
* repl:
- Revert commit that broke REPL display on Windows (Myles Borins)
https://github.com/nodejs/node/pull/12123
When the release was cut, the changelog heading in CHANGELOG_V7
was accidentally omitted.
PR-URL: https://github.com/nodejs/node/pull/11823
Fixes: https://github.com/nodejs/node/issues/11822
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
PR-URL: https://github.com/nodejs/node/pull/11189
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Notable changes:
Node.js 7.7.0 contains a bug that will prevent all native modules
from building, this patch should fix the issue. Apologies to
everyone who was affected by 7.7.0.
PR-URL: https://github.com/nodejs/node/pull/11638
This adds an anchor for v6.10.0 in the LTS column.
PR-URL: https://github.com/nodejs/node/pull/11534
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Notable changes:
* crypto:
* ability to select cert store at runtime (Adam Majer) #8334
* Use system CAs instead of using bundled ones (Adam Majer) #8334
* deps:
* upgrade npm to 4.1.2 (Kat Marchán) #11020
* upgrade openssl sources to 1.0.2k (Shigeki Ohtsu) #11021
* doc: add basic documentation for WHATWG URL API (James M Snell) #10620
* process: add NODE_NO_WARNINGS environment variable (cjihrig) #10842
* url: allow use of URL with http.request and https.request (James M Snell) #10638
PR-URL: https://github.com/nodejs/node/pull/11062
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11083
This is a security release of the 'Boron' release line to upgrade
OpenSSL to version 1.0.2k
Although the OpenSSL team have determined a maximum severity rating
of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu
and Fedor Indutny) have determined the impact to Node users is "low".
Details on this determination can be found on the Nodejs.org website
https://nodejs.org/en/blog/vulnerability/openssl-january-2017/
Notable Changes:
* deps:
- upgrade openssl sources to 1.0.2k (Shigeki Ohtsu)
https://github.com/nodejs/node/pull/11021
PR-URL: https://github.com/nodejs/node/pull/11081
Move the LTS releases for Node 6 to the `LTS` column in the
corresponding `CHANGELOG_V6.md`.
PR-URL: https://github.com/nodejs/node/pull/10827
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This contained a duplicate link to the PR for a notable change,
presumably because that PR was composed of 2 separate commits.
PR-URL: https://github.com/nodejs/node/pull/10827
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
This is a special release that contains 0 commits. While promoting
additional platforms for v4.7.1 after the release, the tarballs on the
release server were overwritten and now have different shasums. In
order to remove any ambiguity around the release we have opted to do a
semver patch release with no changes.
Notable changes:
* npm: upgrade from v2.15.1 to v2.15.11, including accurate updated license (Jeremiah Senkpiel)
* process: `process.versions.ares` now outputs the c-ares version (Johan Bergström)
PR-URL: https://github.com/nodejs/node/pull/10352
This LTS release comes with 108 commits. This includes 30 which are doc
related, 28 which are test related, 16 which are build / tool related,
and 4 commits which are updates to dependencies.
Notable Changes:
The SEMVER-MINOR changes include:
* build:
- export openssl symbols on Windows making it possible to build
addons linked against the bundled version of openssl (Alex Hultman)
https://github.com/nodejs/node/pull/7576
* debugger:
- make listen address configurable in the debugger server
(Ben Noordhuis) https://github.com/nodejs/node/pull/3316
* dgram:
- generalized send queue to handle close fixing a potential throw
when dgram socket is closed in the listening event handler.
(Matteo Collina) https://github.com/nodejs/node/pull/7066
* http:
- Introduce the 451 status code "Unavailable For Legal Reasons"
(Max Barinov) https://github.com/nodejs/node/pull/4377
* tls:
- introduce `secureContext` for `tls.connect` which is useful for
caching client certificates, key, and CA certificates.
(Fedor Indutny) https://github.com/nodejs/node/pull/4246
Notable SEMVER-PATCH changes include:
* build:
- introduce the configure --shared option for embedders (sxa555)
https://github.com/nodejs/node/pull/6994
* gtest:
- the test reporter now outputs tap comments as yamlish
(Johan Bergström) https://github.com/nodejs/node/pull/9262
* src:
- node no longer aborts when c-ares initialization fails
(Ben Noordhuis) https://github.com/nodejs/node/pull/8710
* tls:
- fix memory leak when writing data to TLSWrap instance during
handshake (Fedor Indutny)
https://github.com/nodejs/node/pull/9586
PR-URL: https://github.com/nodejs/node/pull/9736
markdown had a dispensation because 2 or more trailing spaces triggers a
new paragraph. There are no examples of that usage in Node, all trailing
whitespace found were mistakes, and the dispensation is now removed.
See: https://github.com/nodejs/node/pull/9620
PR-URL: https://github.com/nodejs/node/pull/9676
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Notable changes:
* buffer: add buffer.transcode to transcode a buffer's content from one
encoding to another primarily using ICU (James M Snell)
* child_process: add public API for IPC channel (cjihrig)
* icu
* Upgraded to ICU 58 - small icu (Steven R. Loomis)
* Add `cldr`, `tz`, and `unicode` to `process.versions` (Steven R. Loomis)
* lib: make `String(global) === '[object global]'` (Anna Henningsen)
* libuv: Upgraded to 1.10.0 (cjihrig)
* readline: use icu based string width calculation (James M Snell)
* src:
* add NODE_PRESERVE_SYMLINKS environment variable that has the same
effect as the `--preserve-symlinks` flag (Marc Udoff)
* Fix `String#toLocaleUpperCase()` and `String#toLocaleLowerCase()`
(Steven R. Loomis)
PR-URL: https://github.com/nodejs/node/pull/9438
Originally was h2 should be h3
PR-URL: https://github.com/nodejs/node/pull/9515
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Notable changes:
* streams: Fix a regression introduced in v6.8.0 in readable stream
that caused unpipe to remove the wrong stream (Anna Henningsen)
PR-URL: https://github.com/nodejs/node/pull/9186
This release marks the transition of Node.js v6 into Long Term Support
(LTS) with the codename 'Boron'. The v6 release line now moves in to
"Active LTS" and will remain so until April 2018. After that time it
will move in to "Maintenance" until end of life in April 2019.
This is also a security release. All Node.js users should consult the
security release summary at
https://nodejs.org/en/blog/vulnerability/october-2016-security-releases/
for details on patched vulnerabilities.
Notable changes:
* crypto: Don't automatically attempt to load an OpenSSL configuration
file, from the `OPENSSL_CONF` environment variable or from the
default location for the current platform. Always triggering a
configuration file load attempt may allow an attacker to load
compromised OpenSSL configuration into a Node.js process if they are
able to place a file in a default location. (Fedor Indutny, Rod Vagg)
* node: Introduce the `process.release.lts` property, set to `"Boron"`.
This value is `"Argon"` for v4 LTS releases and `undefined` for all
other releases. (Rod Vagg)
* V8: Backport fix for CVE-2016-5172, an arbitrary memory read.
The parser in V8 mishandled scopes, potentially allowing an attacker
to obtain sensitive information from arbitrary memory locations via
crafted JavaScript code. This vulnerability would require an
attacker to be able to execute arbitrary JavaScript code in a
Node.js process. (Rod Vagg)
* **v8_inspector**: Generate a UUID for each execution of the
inspector. This provides additional security to prevent unauthorized
clients from connecting to the Node.js process via the v8_inspector
port when running with `--inspect`. Since the debugging protocol
allows extensive access to the internals of a running process, and
the execution of arbitrary code, it is important to limit
connections to authorized tools only. Vulnerability originally
reported by Jann Horn. (Eugene Ostroukhov)
PR-URL: https://github.com/nodejs/node-private/pull/81