In December we announced that we would be doing a minor release in order to
get a number of voted on SEMVER-MINOR changes into LTS. Our ability to release this
was delayed due to the unforeseen security release v4.3. We are quickly bumping to
v4.4 in order to bring you the features that we had committed to releasing.
This release also includes over 70 fixes to our docs and over 50 fixes to tests.
The SEMVER-MINOR changes include:
* deps:
- An update to v8 that introduces a new flag --perf_basic_prof_only_functions (Ali Ijaz Sheikh) https://github.com/nodejs/node/pull/3609
* http:
- A new feature in http(s) agent that catches errors on *keep alived* connections (José F. Romaniello) https://github.com/nodejs/node/pull/4482
* src:
- Better support for Big-Endian systems (Bryon Leung) https://github.com/nodejs/node/pull/3410
* tls:
- A new feature that allows you to pass common SSL options to `tls.createSecurePair` (Коренберг Марк) https://github.com/nodejs/node/pull/2441
* tools:
- a new flag `--prof-process` which will execute the tick processor on the provided isolate files (Matt Loring) https://github.com/nodejs/node/pull/4021
Notable semver patch changes include:
* build:
- Support python path that includes spaces. This should be of particular interest to our Windows users who may have python living in `c:/Program Files` (Felix Becker) https://github.com/nodejs/node/pull/4841
* https:
- A potential fix for https://github.com/nodejs/node/issues/3692 HTTP/HTTPS client requests throwing EPROTO (Fedor Indutny) https://github.com/nodejs/node/pull/4982
* installer:
- More readable profiling information from isolate tick logs (Matt Loring) https://github.com/nodejs/node/pull/3032
* npm:
- upgrade to npm 2.14.20 (Kat Marchán) https://github.com/nodejs/node/pull/5510
* process:
- Add support for symbols in event emitters. Symbols didn't exist when it was written ¯\_(ツ)_/¯ (cjihrig) https://github.com/nodejs/node/pull/4798
* querystring:
- querystring.parse() is now 13-22% faster! (Brian White) https://github.com/nodejs/node/pull/4675
* streams:
- performance improvements for moving small buffers that shows a 5% throughput gain. IoT projects have been seen to be as much as 10% faster with this change! (Matteo Collina) https://github.com/nodejs/node/pull/4354
* tools:
- eslint has been updated to version 2.1.0 (Rich Trott) https://github.com/nodejs/node/pull/5214
PR-URL: https://github.com/nodejs/node/pull/5301
Notable changes:
* openssl: Fully remove SSLv2 support, the `--enable-ssl2` command
line argument will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using SSLv2.
The SSLv2 protocol is widely considered unacceptably broken and
should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
Note that the upgrade to OpenSSL 1.0.1s in Node.js v0.12.11 removed
internal SSLv2 support. The change in this release was originally
intended for v0.12.11. The `--enable-ssl2` command line argument now
produces an error rather than being a no-op.
PR-URL: https://github.com/nodejs/nodejs.org/pull/562
Notable changes:
* http_parser: Update to http-parser 1.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5242
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3887
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3887
* openssl: Upgrade from 1.0.1r to 1.0.1s
(Ben Noordhuis) https://github.com/nodejs/node/pull/5508
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible.
This defect enables attackers to execute side-channel attacks
leading to the potential recovery of entire RSA private keys. It
only affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
- Remove SSLv2 support, the `--enable-ssl2` command line argument
will now produce an error. The DROWN Attack
(https://drownattack.com/) creates a vulnerability where SSLv2 is
enabled by a server, even if a client connection is not using
SSLv2. The SSLv2 protocol is widely considered unacceptably broken
and should not be supported. More information is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0800
PR-URL: https://github.com/nodejs/node/pull/5404
Notable changes:
* http_parser: Update to http-parser 2.3.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) https://github.com/nodejs/node/pull/5241
* domains:
- Prevent an exit due to an exception being thrown rather than
emitting an 'uncaughtException' event on the `process` object when
no error handler is set on the domain within which an error is
thrown and an 'uncaughtException' event listener is set on
`process`. (Julien Gilli) https://github.com/nodejs/node/pull/3885
- Fix an issue where the process would not abort in the proper
function call if an error is thrown within a domain with no error
handler and `--abort-on-uncaught-exception` is used.
(Julien Gilli) https://github.com/nodejs/node/pull/3885
* openssl: Upgrade from 1.0.2f to 1.0.2g
(Ben Noordhuis) https://github.com/nodejs/node/pull/5509
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is
likely to be very difficult to use this defect for a practical
attack and is therefore considered low severity for Node.js users.
More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code
paths that use these functions so practical attacks via Node.js
using this defect are _unlikely_ to be possible. More info is
available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading
to the potential recovery of entire RSA private keys. It only
affects the Intel Sandy Bridge (and possibly older)
microarchitecture when using hyper-threading. Newer
microarchitectures, including Haswell, are unaffected. More info
is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
PR-URL: https://github.com/nodejs/node/pull/5403
Notable changes:
* governance: The Core Technical Committee (CTC) added four new members
to help guide Node.js core development: Evan Lucas, Rich Trott, Ali
Ijaz Sheikh and Сковорода Никита Андреевич (Nikita Skovoroda).
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis)
https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may
potentially be used for DoS or memory corruption attacks. It is likely
to be very difficult to use this defect for a practical attack and is
therefore considered low severity for Node.js users. More info is
available at https://www.openssl.org/news/vulnerabilities.html#2016-0705
- Fix a defect that can cause memory corruption in certain very rare
cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()`
functions. It is believed that Node.js is not invoking the code paths
that use these functions so practical attacks via Node.js using this
defect are _unlikely_ to be possible. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0797
- Fix a defect that makes the CacheBleed Attack
(https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This
defect enables attackers to execute side-channel attacks leading to the
potential recovery of entire RSA private keys. It only affects the
Intel Sandy Bridge (and possibly older) microarchitecture when using
hyper-threading. Newer microarchitectures, including Haswell, are
unaffected. More info is available at
https://www.openssl.org/news/vulnerabilities.html#2016-0702
* Fixed several regressions that appeared in v5.7.0:
- path.relative():
- Output is no longer unnecessarily verbose (Brian White)
https://github.com/nodejs/node/pull/5389
- Resolving UNC paths on Windows now works correctly (Owen Smith)
https://github.com/nodejs/node/pull/5456
- Resolving paths with prefixes now works correctly from the root
directory (Owen Smith) https://github.com/nodejs/node/pull/5490
- url: Fixed an off-by-one error with `parse()` (Brian White)
https://github.com/nodejs/node/pull/5394
- dgram: Now correctly handles a default address case when offset and
length are specified (Matteo Collina)
https://github.com/nodejs/node/pull/5407
PR-URL: https://github.com/nodejs/node/pull/5464
This is a security release with only a single commit, an update to openssl due to a recent security advisory. You can read more about the security advisory on the Node.js website https://nodejs.org/en/blog/vulnerability/openssl-march-2016/
* openssl: Upgrade from 1.0.2f to 1.0.2g (Ben Noordhuis) https://github.com/nodejs/node/pull/5507
- Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at CVE-2016-0705 https://www.openssl.org/news/vulnerabilities.html#2016-0705.
- Fix a defect that can cause memory corruption in certain very rare cases relating to the internal `BN_hex2bn()` and `BN_dec2bn()` functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are _unlikely_ to be possible. More info is available at CVE-2016-0797 https://www.openssl.org/news/vulnerabilities.html#2016-0797.
- Fix a defect that makes the CacheBleed Attack (https://ssrg.nicta.com.au/projects/TS/cachebleed/) possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at CVE-2016-0702 https://www.openssl.org/news/vulnerabilities.html#2016-0702.
PR-URL: https://github.com/nodejs/node/pull/5526
* buffer:
- You can now supply an encoding argument when filling a
Buffer Buffer#fill(string[, start[, end]][, encoding]), supplying
an existing Buffer will also work with
Buffer#fill(buffer[, start[, end]]). See the API documentation for
details on how this works. (Trevor Norris) #4935
- Buffer#indexOf() no longer requires a byteOffset argument if you
also wish to specify an encoding:
Buffer#indexOf(val[, byteOffset][, encoding]).
(Trevor Norris) #4803
* child_process: spawn() and spawnSync() now support a 'shell' option
to allow for optional execution of the given command inside a shell.
If set to true, cmd.exe will be used on Windows and /bin/sh
elsewhere. A path to a custom shell can also be passed to override
these defaults. On Windows, this option allows .bat and .cmd files
to be executed with spawn() and spawnSync(). (Colin Ihrig) #4598
* http_parser: Update to http-parser 2.6.2 to fix an unintentionally
strict limitation of allowable header characters.
(James M Snell) #5237
* dgram: socket.send() now accepts an array of Buffers or
Strings as the first argument. See the API docs for details on how
this works. (Matteo Collina) #4374
* http: Fix a bug where handling headers will mistakenly trigger an
'upgrade' event where the server is just advertising its protocols.
This bug can prevent HTTP clients from communicating with HTTP/2
enabled servers. (Fedor Indutny) #4337
* net: Added a listening Boolean property to net and http servers to
indicate whether the server is listening for connections.
(José Moreira) #4743
* node: The C++ node::MakeCallback() API is now reentrant and calling
it from inside another MakeCallback() call no longer causes the
nextTick queue or Promises microtask queue to be processed out of
order. (Trevor Norris) #4507
* tls: Add a new tlsSocket.getProtocol() method to get the negotiated
TLS protocol version of the current connection. (Brian White) #4995
* vm: Introduce new 'produceCachedData' and 'cachedData' options to
new vm.Script() to interact with V8's code cache. When a new
vm.Script object is created with the 'produceCachedData' set to true
a Buffer with V8's code cache data will be produced and stored in
cachedData property of the returned object. This data in turn may be
supplied back to another vm.Script() object with a 'cachedData'
option if the supplied source is the same. Successfully executing a
script from cached data can speed up instantiation time. See the API
docs for details. (Fedor Indutny) #4777
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.6.0 to 2.6.1
* npm: upgrade npm from 3.3.12 to 3.6.0
(Rebecca Turner) https://github.com/nodejs/node/pull/4958
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.3.0 to 2.3.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.12 builds from v0.12.10 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/24
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes:
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 1.0 to 1.1
* openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
* build:
- xz compressed tar files will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward
- A headers.tar.gz file will be made available from nodejs.org for
v0.10 builds from v0.10.42 onward, a future change to node-gyp
will be required to make use of these
PR-URL: https://github.com/nodejs/node-private/pull/25
Notable changes:
* Fix regression in debugger and profiler functionality
PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Notable Changes:
* Minor performance improvements:
- module: move unnecessary work for early return (Andres Suarez) https://github.com/nodejs/node/pull/3579
* Various bug fixes
* Various doc fixes
* Various test improvements
PR-URL: https://github.com/nodejs/node/pull/4626
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Maintenance Update
Notable changes
* Roughly 78% of the commits are documentation and test
improvements
* domains:
- Fix handling of uncaught exceptions (Julien Gilli)
[#3884
Maintenance release
Notable Changes:
* v8: Fixed an out-of-band write in utf8 decoder. This is an important
security update as it can be used to cause a denial of service
attack.
* openssl: Upgrade to 1.0.2b and 1.0.2c, introduces DHE
man-in-the-middle protection (Logjam) and fixes malformed
ECParameters causing infinite loop (CVE-2015-1788). See the
security advisory for full details. (Shigeki Ohtsu) #1950
Notable changes:
* build:
- Add support for Intel's VTune JIT profiling when compiled with
--enable-vtune-profiling. For more information about VTune, see
https://software.intel.com/en-us/node/544211. (Chunyang Dai) #3785
- Properly enable V8 snapshots by default. Due to a configuration
error, snapshots have been kept off by default when the intention
is for the feature to be enabled. (Fedor Indutny) #3962
* crypto:
- Simplify use of ECDH (Elliptic Curve Diffie-Hellman) objects
(created via crypto.createECDH(curve_name)) with private keys that
are not dynamically generated via generateKeys(). The public key
is now computed when explicitly setting a private key. Added
validity checks to reduce the possibility of computing weak or
invalid shared secrets. Also, deprecated the setPublicKey() method
for ECDH objects as its usage is unnecessary and can lead to
inconsistent state. (Michael Ruddy) #3511
- Update root certificates from the current list stored and maintained
by Mozilla NSS. (Ben Noordhuis) #3951
- Multiple CA certificates can now be passed with the ca option to
TLS methods as an array of strings or in a single new-line
separated string. (Ben Noordhuis) #4099
* tools: Include a tick processor in core, exposed via the
--prof-process command-line argument which can be used to process V8
profiling output files generated when using the --prof command-line
argument. (Matt Loring) #4021
Security Update
Notable items:
* **http**: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* **openssl**: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against DH, an attack against RSA
and DSA is considered possible but unlikely, EC algorithms are not
affected. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket
but a pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.2e, containing fixes for:
- CVE-2015-3193 "BN_mod_exp may produce incorrect results on x86_64",
an attack is considered feasible against a Node.js TLS server using
DHE key exchange. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
- CVE-2015-3194 "Certificate verify crash with missing PSS parameter",
a potential denial-of-service vector for Node.js TLS servers; TLS
clients are also impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>.
(Shigeki Ohtsu) #4134
Security Update
Notable items:
* http: Fix a bug where an HTTP socket may no longer have a socket but a
pipelined request triggers a pause or resume, a potential
denial-of-service vector. (Fedor Indutny)
* openssl: Upgrade to 1.0.1q, fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis) #4133
Security Update
Notable items:
* build: Add support for Microsoft Visual Studio 2015
* npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as
part of the strategy to get a version of npm into Node.js v0.10.x that
works with the current registry
(https://github.com/nodejs/LTS/issues/37). This version of npm prints
out a banner each time it is run. The banner warns that the next
standard release of Node.js v0.10.x will ship with a version of npm
v2.
* openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194
"Certificate verify crash with missing PSS parameter", a potential
denial-of-service vector for Node.js TLS servers; TLS clients are also
impacted. Details are available at
<http://openssl.org/news/secadv/20151203.txt>. (Ben Noordhuis)
#4133
* A known issue was resolved but not removed from the list
* The wrong date was documented in the changelog for v4.2.2
PR-URL: https://github.com/nodejs/node/pull/3650
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Notable changes:
* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
these have been deprecated for a long time (Sakthipriyan Vairamani) #2859
* console: (Breaking) Values reported by console.time() now have 3 decimals of
accuracy added (Michaël Zasso) #3166
* fs:
- fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
descriptor as their first argument (Johannes Wüller) #3163
- (Breaking) In fs.readFile(), if an encoding is specified and the internal
toString() fails the error is no longer thrown but is passed to the callback
(Evan Lucas) #3485
- (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
callback) form), if the internal toString() fails the error is no longer
thrown but is passed to the callback (Evan Lucas) #3503
* http:
- Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342
- (Breaking) When parsing HTTP, don't add duplicates of the following headers:
Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
to the following headers which already block duplicates: Content-Type,
Content-Length, User-Agent, Referer, Host, Authorization,
Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
Max-Forwards (James M Snell) #3090
- (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
function or a TypeError is thrown (James M Snell) #3090
- (Breaking) HTTP methods and header names must now conform to the RFC 2616
"token" rule, a list of allowed characters that excludes control characters
and a number of separator characters. Specifically, methods and header names
must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
(James M Snell) #2526
- (Breaking) Removed require.paths and require.registerExtension(), both had
been previously set to throw Error when accessed
(Sakthipriyan Vairamani) #2922
* npm: Upgraded to version 3.3.6 from 2.14.7, see
https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
major version bump for npm and it has seen a significant amount of change.
Please see the original npm v3.0.0 release notes for a list of major changes
(Rebecca Turner) #3310
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
due to the V8 upgrade. Native add-ons will need to be recompiled
(Rod Vagg) #3400
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
a long-standing known issue where unrefed timers would previously hold
beforeExit open (Fedor Indutny) #3407
* tls:
- Added ALPN Support (Shigeki Ohtsu) #2564
- TLS options can now be passed in an object to createSecurePair()
(Коренберг Марк) #2441
- (Breaking) The default minimum DH key size for tls.connect() is now 1024
bits and a warning is shown when DH key size is less than 2048 bits. This is a
security consideration to prevent "logjam" attacks. A new minDHSize TLS
option can be used to override the default. (Shigeki Ohtsu) #1831
* util:
- (Breaking) util.p() was deprecated for years, and has now been removed
(Wyatt Preul) #3432
- (Breaking) util.inherits() can now work with ES6 classes. This is considered
a breaking change because of potential subtle side-effects caused by a
change from directly reassigning the prototype of the constructor using
`ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
(Michaël Zasso) #3455
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351
PR-URL: https://github.com/nodejs/node/pull/3360
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Update the label for v4.2.0 to (LTS) from (Stable)
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/3343
Notable changes
* http:
- Fix out-of-order 'finish' event bug in pipelining that can abort
execution, fixes DoS vulnerability CVE-2015-7384
(Fedor Indutny) #3128
- Account for pending response data instead of just the data on the
current request to decide whether to pause the socket or not
(Fedor Indutny) #3128
* libuv: Upgraded from v1.7.4 to v1.7.5, see release notes for details
(Saúl Ibarra Corretgé) #3010
- A better rwlock implementation for all Windows versions
- Improved AIX support
* v8:
- Upgraded from v4.5.103.33 to v4.5.103.35 (Ali Ijaz Sheikh) #3117
- Backported f782159 from v8's upstream to help speed up Promise
introspection (Ben Noordhuis) #3130
- Backported c281c15 from v8's upstream to add JSTypedArray length
in post-mortem metadata (Julien Gilli) #3031
Notable changes
* buffer: Fixed a bug introduced in v4.1.0 where allocating a new
zero-length buffer can result in the next allocation of a TypedArray
in JavaScript not being zero-filled. In certain circumstances this
could result in data leakage via reuse of memory space in
TypedArrays, breaking the normally safe assumption that TypedArrays
should be always zero-filled. (Trevor Norris) #2931
* http: Guard against response-splitting of HTTP trailing headers
added via response.addTrailers() by removing new-line ([\r\n])
characters from values. Note that standard header values are already
stripped of new-line characters. The expected security impact is low
because trailing headers are rarely used. (Ben Noordhuis) #2945
* npm: Upgrade to npm 2.14.4 from 2.14.3, see release notes for full
details (Kat Marchán) #2958
- Upgrades graceful-fs on multiple dependencies to no longer rely on
monkey-patching fs
- Fix npm link for pre-release / RC builds of Node
* v8: Update post-mortem metadata to allow post-mortem debugging tools
to find and inspect:
- JavaScript objects that use dictionary properties
(Julien Gilli) #2959
- ScopeInfo and thus closures (Julien Gilli) #2974
This list of changes is relative to the last io.js v3.x branch
release, v3.3.0. Please see the list of notable changes in the v3.x,
v2.x and v1.x releases for a more complete list of changes from
0.12.x. Note, that some changes in the v3.x series as well as major
breaking changes in this release constitute changes required for full
convergence of the Node.js and io.js projects.
* child_process: ChildProcess.prototype.send() and process.send()
operate asynchronously across all platforms so an optional callback
parameter has been introduced that will be invoked once the message
has been sent, i.e. .send(message[, sendHandle][, callback])
(Ben Noordhuis) #2620
* node: Rename "io.js" code to "Node.js" (cjihrig) #2367
* node-gyp: This release bundles an updated version of node-gyp that
works with all versions of Node.js and io.js including nightly and
release candidate builds. From io.js v3 and Node.js v4 onward, it
will only download a headers tarball when building addons rather
than the entire source. (Rod Vagg) #2700
* util: The util.is*() functions have been deprecated, beginning with
deprecation warnings in the documentation for this release, users
are encouraged to seek more robust alternatives in the npm registry,
(Sakthipriyan Vairamani) #2447
* v8: Upgrade to version 4.5.103.30 from 4.4.63.30 (Ali Ijaz Sheikh) #2632