The wrong commit SHAs were used
PR-URL: https://github.com/nodejs/node/pull/5165
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Reviewed-By: Rod Vagg <r@va.gg>
This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Note that this release includes a non-backward compatible change to
address a security issue. This change increases the version of the LTS
v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.5.0 to 2.5.1
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
* src:
- introduce new `--security-revert={cvenum}` command line flag for
selective reversion of specific CVE fixes
- allow the fix for CVE-2016-2216 to be selectively reverted using
`--security-revert=CVE-2016-2216`
PR-URL: https://github.com/nodejs/node-private/pull/20
In openssl s_client on Windows, RAND_screen() is invoked to initialize
random state but it takes several seconds in each connection.
This added -no_rand_screen to openssl s_client on Windows to skip
RAND_screen() and gets a better performance in the unit test of
test-tls-server-verify.
Do not enable this except to use in the unit test.
Fixes: https://github.com/nodejs/node/issues/1461
PR-URL: https://github.com/nodejs/node/pull/1836
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/20
Notable changes:
* Fix regression in debugger and profiler functionality
PR-URL: https://github.com/nodejs/node/pull/4788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
With the introduction of temporary paths in the test runner
realpath tests would bail in scenarios where the temporary folder
wasn't in the same directory as the source code.
PR-URL: https://github.com/nodejs/node/pull/4477
Reviewed-By: Rich Trott <rtrott@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4054
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
test-fs-realpath.js was writing files to the fixture dir. This changes
it to use the temp directory instead. This also replaces some of the
string concatenation for paths with uses of path.join() and
path.relative().
PR-URL: https://github.com/nodejs/node/pull/4489
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
A few tests assumed that temp dirs always lived in the same
parent folder as fixtures. Make these use `common.tmpDir` instead.
PR-URL: https://github.com/nodejs/node/pull/3325
Reviewed-By: Joao Reis <reis@janeasystems.com>
In CI we previously passed `NODE_COMMON_PIPE` to the test runner to
avoid long filenames. Add an option to the test runner that allows the
user to change the temporary directory instead. This also allows us to
run test suites in parallel since `NODE_COMMON_PIPE` otherwise would
have been used from multiple tests at the same time.
PR-URL: https://github.com/nodejs/node/pull/3325
Reviewed-By: Joao Reis <reis@janeasystems.com>
The last sentence of the explanation for the first stream section
seemed a bit confusing. I tried to change the sentence to clarify it.
Additionally, the sections were turned into a numbered list to be more
clear about which section is being described, and improve readability.
PR-URL: https://github.com/nodejs/node/pull/4234
Reviewed-By: James M Snell <jasnell@gmail.com>
Remove all remaining unused variables from tests in test/parallel.
PR-URL: https://github.com/nodejs/node/pull/4511
Reviewed-By: James M Snell<jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
The http tests seem especially prone to including unused variables.
This change removes them.
PR-URL: https://github.com/nodejs/node/pull/4422
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Debug mode slows execution speed. There is work afoot to enable Debug
mode runs on the continuous integration infrastructure for the project.
Some tests are timing out, such as test-net-GH-5504.js.
This change doubles the timeout returned from `common.platformTimeout()`
when running in Debug mode. It also removes an unused variable from the
aforementioned test-net-GH-5504.js.
PR-URL: https://github.com/nodejs/node/pull/4431
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Some of the TLS tests have variables that do not get used. This removes
those variables.
PR-URL: https://github.com/nodejs/node/pull/4424
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Remove a handful of variables that are declared but never used in the
tests for the net module.
PR-URL: https://github.com/nodejs/node/pull/4430
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
In addition to removing unused vars, this also fixes an instance where
booleans were set presumably to check something but then never used.
This now confirms that the events that were setting the booleans are
fired.
PR-URL: https://github.com/nodejs/node/pull/4425
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Remove unused vars in tests
PR-URL: https://github.com/nodejs/node/pull/4536
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Some files in `lib` were using `require` to load modules that were
subsequently not used in the file. This removes those `require`
statements.
PR-URL: https://github.com/nodejs/node/pull/4683
Reviewed-By: Myles Borins <mborins@us.ibm.com>
Many tests use require() to import modules that subsequently never gets
used. This removes those imports and, in a few cases, removes other
unused variables from tests.
PR-URL: https://github.com/nodejs/node/pull/4684
Reviewed-By: Myles Borins <mborins@us.ibm.com>
On single core Windows systems, process.send() would cause an
EPIPE because of the ordering of the IPC channel disconnect and
the process.send().
The test was originally only relevant for non-Windows platforms,
so this commit merely skips the test on Windows.
Fixes: https://github.com/nodejs/node/issues/4450
PR-URL: https://github.com/nodejs/node/pull/4457
Reviewed-By: Rich Trott <rtrott@gmail.com>
Original key did not have personal information associated with it.
The new key rectifies this problem
PR-URL: https://github.com/nodejs/node/pull/4657
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4656
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: James M Snell <jasnell@gmail.com>
Useful to have for reference, especially for onboarding
PR-URL: https://github.com/nodejs/node/pull/4636
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell<jasnell@gmail.com>
- Changed colors to match frontpage as close as possible.
- Links are slightly more horizontally padded as compared before to
accomodate for the hover effect.
- Slightly reduced the scroll indication height on the TOC.
- The main content is now offset using margin instead of the previous
border hack.
- remove empty footer that was rendering a dark bar on the bottom of
each page without any content.
PR-URL: https://github.com/nodejs/node/pull/4621
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
In order to make developers aware of node-core built-in
functionality, which might replace module APIs, we should
add an example of readline`s interface usage.
SEO will eventually aid this goal, since it is well searched
on Q&A sites.
PR-URL: https://github.com/nodejs/node/pull/4609
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: James M Snell <jasnell@gmail.com>>
fix description about the latest LTS release download page
to make it clear
PR-URL: https://github.com/nodejs/node/pull/4583
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Adds Evan Lucas and his public key to the README for releases
PR-URL: https://github.com/nodejs/node/pull/4579
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Myles Borins <myles.borins@gmail.com>
Adds Myles Borins and his public key to the README
PR-URL: https://github.com/nodejs/node/pull/4578
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
James M Snell
Shigeki Ohtsu
Myles Borins
Myles Borins
cjihrig
ronkorving
Rich Trott
Johan Bergström
jpersson
Fedor Indutny
Vitor Cortez
Roman Reiss
Brian White
Robert Jefe Lindstaedt
Sequoia McDowell
Minwoo Jung
Evan Lucas