This is an important security release. All Node.js users should
consult the security release summary at nodejs.org for details on
patched vulnerabilities.
Notable changes
* http: fix defects in HTTP header parsing for requests and responses
that can allow request smuggling (CVE-2016-2086) or response
splitting (CVE-2016-2216). HTTP header parsing now aligns more
closely with the HTTP spec including restricting the acceptable
characters.
* http-parser: upgrade from 2.6.0 to 2.6.1
* npm: upgrade npm from 3.3.12 to 3.6.0
(Rebecca Turner) https://github.com/nodejs/node/pull/4958
* openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
parameters shorter than 1024-bits, up from the previous limit of
768-bits.
The `--security-revert={cvenum}` command line flag is a special purpose
flag to be used only in stable or LTS branches when a breaking change
is required to address a security vulnerability. Whenever a vulnerability
requires a breaking change, and a CVE has been assigned, the flag can
be used to force Node to revert to the insecure behavior that was
implemented before the fix was applied.
Note that this flag is intended to be used only as a last resort in the
case a security update breaks existing code. When used, a security
warning will be printed to stderr when Node launches.
The `--security-revert={cvenum}` flag takes a single CVE number as an
argument. Multiple instances of the `--security-revert={cvenum}` flag
can be used on the command line to revert multiple changes.
Whenever a new `--security-revert={cvenum}` is enabled, it should be
documented in the release notes and in the API docs.
Master and the first release of a new major (e.g. v6.0) should not have
any reverts available.
Every time a new `--security-revert={cvenum}` is added, there should be
a semver-minor bump in the stable and LTS branch.
PR-URL: https://github.com/nodejs/node-private/pull/26
This is a follow-up fix for half-broken test in 23196fe, and an attempt
to recover some dignity after breaking CI.
PR-URL: https://github.com/nodejs/node/pull/5144
Reviewed-By: Rich Trott <rtrott@gmail.com>
On Windows, when compiling with `UNICODE` defined, `LoadLibrary` becomes
`LoadLibraryW`. When an ASCII string is passed to that function it
crashes.
PR-URL: https://github.com/iojs/io.js/pull/226
Reviewed-By: Bert Belder <bertbelder@gmail.com>
`sk_X509_pop_free` should be used instead of `sk_X509_free` to free all
items in queue too, not just the queue itself.
PR-URL: https://github.com/nodejs/node/pull/5109
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
According to documentation all certificates specified in `pfx` option
should be treated as a CA certificates too. While it doesn't seem to be
logically correct to me, we can't afford to break API stability at this
point.
Fix: #5100
PR-URL: https://github.com/nodejs/node/pull/5109
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Clarifies the code of conduct by making the following changes:
- Adds section headings to make it easier to quickly parse.
- Adds easy to find contact information.
- Adds link to TSC moderation policies.
- Moves attribution to the bottom of the page.
PR-URL: https://github.com/nodejs/node/pull/5107
Reviewed-By: Myles Borins <mborins@us.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Kat Marchán <kzm@sykosomatic.org>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Enable linting rule to forbid empty character classes in regular
expressions. See http://eslint.org/docs/rules/no-empty-character-class
Organize "Possible Error" rules in .eslintrc in alphabetical order to
match eslint documentation.
PR-URL: https://github.com/nodejs/node/pull/5115
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
There is no guarantee UDP messages will be received. Accommodate the
occasional dropped message.
This is a functionality test, not a performance benchmark. Speed up the
test by not sending 1500 messages across three ports.
Fixes: https://github.com/nodejs/node/issues/4526
PR-URL: https://github.com/nodejs/node/pull/5125
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Prefer using Object.setPrototypeOf() instead.
PR-URL: https://github.com/nodejs/node/pull/5069
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
There was a very subtle change in behavior introduced with 27def4f
In the past if querystring.parse was given Infinity for maxKeys,
everything worked as expected.
Check to see is maxKeys is Infinity before forwarding the value to
String.prototype.split which causes this regression
PR-URL: https://github.com/nodejs/node/pull/5066
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Add fromArrayLike() to handle logic of copying in values from array-like
argument.
PR-URL: https://github.com/nodejs/node/pull/4948
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Enable `space-unary-ops` in `.eslintrc`. This prohibits things like:
i ++ // use `i++` instead
typeof(foo) // use `typeof foo` or `typeof (foo)` instead
Ref: https://github.com/nodejs/node/pull/4772#discussion_r51732299
PR-URL: https://github.com/nodejs/node/pull/5063
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sort links in lexical order
PR-URL: https://github.com/nodejs/node/pull/5076
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Add links to `process.arch` and `process.platform`.
PR-URL: https://github.com/nodejs/node/pull/5006
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Put links in a lexical order. Add missing links. Remove duplicates.
PR-URL: https://github.com/nodejs/node/pull/5072
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
From time to time this test is failing in OS X because at least one of
the connections takes quite a long time (around 5 seconds) causing some
of the timers may fire before the test exited. To solve this, wait for
all the connections to be established before setting the timeouts and
unrefing the sockets.
PR-URL: https://github.com/nodejs/node/pull/4772
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/5068
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/5047
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Roman Reiss <me@silverwind.io>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
fix a reference to a non-existent API, `hash.final()`.
It should be `hash.digest()`.
PR-URL: https://github.com/nodejs/node/pull/5050
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
PR-URL: https://github.com/nodejs/node/pull/4985
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4988
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4984
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Always refer to (for example) `assert.deepEqual()` as
`assert.deepEqual()` and never as `assert.deepEqual`.
PR-URL: https://github.com/nodejs/node/pull/4974
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
I'm a fan of small changesets, but even I'm getting a little annoyed at
me for opening all these PRs weeding out variable redeclarations. So I'm
bundling a bunch of small changes here.
PR-URL: https://github.com/nodejs/node/pull/4992
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4994
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/4999
Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Roman Klauke <romaaan.git@gmail.com>
TransformState has the writeencoding property that gets set on the
first _write. It is not declared when the transform state is initially
constructed and can cause a deopt.
PR-URL: https://github.com/nodejs/node/pull/5032
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
In some conditions it can happen that the client-side socket is destroyed
before the server-side socket has gracefully closed, thus causing a
'ECONNRESET' error in this socket. To solve this, wait in the client-side
socket for the 'end' event before closing it.
PR-URL: https://github.com/nodejs/node/pull/4043
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Improve functions styling. Connect sections with links.
PR-URL: https://github.com/nodejs/node/pull/5005
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: James M Snell <jasnell@gmail.com>