Notable changes
* deps: Fixed an out-of-band write in utf8 decoder.
This is an important security update as it can be used to cause a
denial of service attack.
Notable changes
build:
- Added support for compiling with Microsoft Visual C++ 2015
- Started building and distributing headers-only tarballs along with binaries
Queued write requests should be invoked on handle close, otherwise the
"consumer" might be already destroyed when the write callbacks of the
"consumed" handle will be invoked. Same applies to the shutdown
requests.
Make sure to "move" away socket from server to not break the
`connections` counter in `net.js`. Otherwise it might not call `close`
callback, or call it too early.
Fix: https://github.com/iojs/io.js/issues/1696
PR-URL: https://github.com/nodejs/io.js/pull/1910
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
3beb880716 has a bug in VerifyCallback
when preverify is 1 and the cert chain has a verify error. If the
error is UNABLE_TO_GET_ISSUER_CERT_LOCALLY, it leads to an assertion
error in finding rootCA.
The whitelist check should be made only when the cert chain has no
verify error with X509_V_OK.
Fixes: https://github.com/nodejs/io.js/issues/2061
PR-URL: https://github.com/nodejs/io.js/pull/2064
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
this opts for stream.push('') which has the same effect
but uses a public API.
PR-URL: https://github.com/nodejs/io.js/pull/454
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
If an object's prototype is munged it's possible to bypass the
instanceof check and cause the application to abort. Instead now use
HasInstance() to verify that the object is a Buffer, and throw if not.
This check will not work for JS only methods. So while the application
won't abort, it also won't throw.
In order to properly throw in all cases with toString() the JS
optimization of checking that length is zero has been removed. In its
place the native methods will now return early if a zero length string
is detected.
Ref: https://github.com/nodejs/io.js/pull/1486
Ref: https://github.com/nodejs/io.js/pull/1922
Fixes: https://github.com/nodejs/io.js/issues/1485
PR-URL: https://github.com/nodejs/io.js/pull/2012
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/io.js/pull/1996
Notable changes
* module: The number of syscalls made during a require() has been
significantly reduced again (see #1801 from v2.2.0 for previous
work), which should lead to a performance improvement
(Pierre Inglebert) #1920.
* npm:
- Upgrade to v2.11.2 (Rebecca Turner) #1956.
- Upgrade to v2.11.3 (Forrest L Norvell) #2018.
* zlib: A bug was discovered where the process would abort if the
final part of a zlib decompression results in a buffer that would
exceed the maximum length of 0x3fffffff bytes (~1GiB). This was
likely to only occur during buffered decompression (rather than
streaming). This is now fixed and will instead result in a thrown
RangeError (Michaël Zasso) #1811.
Re-add the wrapper class id to AsyncWrap instances so they can be
tracked directly in a heapdump.
Previously the class id was given without setting the heap dump wrapper
class info provider, causing a segfault when a heapdump was taken. This
has been added, and the label_ set to the given provider name so each
instance can be identified.
The id will not be set if the passed object has no internal field count,
as the class pointer cannot be retrieved from the object.
In order to properly report the allocated size of each class, the new
pure virtual method self_size() has been introduced.
PR-URL: https://github.com/nodejs/io.js/pull/1896
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
The accessors run inside an implicit HandleScope, there is no need to
create a new one.
PR-URL: https://github.com/nodejs/io.js/pull/2001
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Notable Changes:
* libuv: Upgraded to 1.6.0 and 1.6.1, see full ChangeLog for details.
(Saúl Ibarra Corretgé) #1905 #1889. Highlights include:
- Fix TTY becoming blocked on OS X
- Fix UDP send callbacks to not be synchronous
- Add uv_os_homedir() (exposed as os.homedir(), see below)
* npm: See full release notes for details. (Kat Marchán) #1899. Highlight:
- Use GIT_SSH_COMMAND (available as of Git 2.3)
* openssl:
- Upgrade to 1.0.2b and 1.0.2c, introduces DHE man-in-the-middle protection
(Logjam) and fixes malformed ECParameters causing infinite loop
(CVE-2015-1788). See the security advisory for full details.
(Shigeki Ohtsu) #1950 #1958
- Support FIPS mode of OpenSSL, see README for instructions.
(Fedor Indutny) #1890
* os: Add os.homedir() method. (Colin Ihrig) #1791
* smalloc: Deprecate whole module. (Vladimir Kurchatkin) #1822
* Add new collaborators:
- Alex Kocharin (@rlidwka)
- Christopher Monsanto (@monsanto)
- Ali Ijaz Sheikh (@ofrobots)
- Oleg Elifantiev (@Olegas)
- Domenic Denicola (@domenic)
- Rich Trott (@Trott)
Support building and running with FIPS-compliant OpenSSL. The process is
as follows:
1. Download and verify `openssl-fips-x.x.x.tar.gz` from
https://www.openssl.org/source/
2. Extract source to `openssl-fips` folder
3. ``cd openssl-fips && ./config fipscanisterbuild --prefix=`pwd`/out``
(NOTE: On OS X, you may want to run
``./Configure darwin64-x86_64-cc --prefix=`pwd`/out`` if you are going to
build x64-mode io.js)
4. `make -j && make install`
5. Get into io.js checkout folder
6. `./configure --openssl-fips=/path/to/openssl-fips/out`
7. Build io.js with `make -j`
8. Verify with `node -p "process.versions.openssl"` (`1.0.2a-fips`)
Fix: https://github.com/joyent/node/issues/25463
PR-URL: https://github.com/nodejs/io.js/pull/1890
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
1. Change "Bad arguments" error messages to a more helpful message
"options should either be an object or a string".
2. Make braces consistent.
3. Return meaningful error message from fs_event_wrap's
FSEvent's Start function.
PR-URL: https://github.com/nodejs/io.js/pull/1870
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
os.homedir() calls libuv's uv_os_homedir() to retrieve the current
user's home directory.
PR-URL: https://github.com/nodejs/io.js/pull/1791
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Rod Vagg <rod@vagg.org>
Exporting it seems like an oversight. It's not safe to call once
V8 is running so there doesn't seem to be a point in exporting it
to add-ons. Un-export it.
PR-URL: https://github.com/nodejs/io.js/pull/1815
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Update the list of root certificates in src/node_root_certs.h with
tools/mk-ca-bundle.pl.
PR-URL: https://github.com/nodejs/io.js/pull/1833
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
This reverts commit c0e7bf2d8c.
There are a few edge cases that can cause a crash
and need to be properly handled.
PR-URL: https://github.com/nodejs/io.js/pull/1862
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Options have been moved into the NodeOptions class.
A new global, node_options now exists and is used
to access the options after the command line arguments
have been parsed.
PR-URL: https://github.com/nodejs/io.js/pull/1804
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
PR-URL: https://github.com/nodejs/io.js/pull/1808
Notable Changes:
* node: Speed-up require() by replacing usage of fs.statSync() and
fs.readFileSync() with internal variants that are faster for this use-case
and do not create as many objects for the garbage collector to clean up.
The primary two benefits are: significant increase in application start-up
time on typical applications and better start-up time for the debugger by
eliminating almost all of the thousands of exception events.
(Ben Noordhuis) #1801.
* node: Resolution of pre-load modules (-r or --require) now follows the
standard require() rules rather than just resolving paths, so you can now
pre-load modules in node_modules. (Ali Ijaz Sheikh) #1812.
* npm: Upgraded npm to v2.11.0. New hooks for preversion, version, and
postversion lifecycle events, some SPDX-related license changes and license
file inclusions. See the release notes for full details.
When the preload module is not an abs/relative path, we should use
the standard search mechanism of looking into the node_modules folders
outwards. The current working directory is deemed to be the 'requiring
module', i.e. parent. The search path starts from cwd outwards.
Fixes: https://github.com/nodejs/io.js/issues/1803
PR-URL: https://github.com/nodejs/io.js/pull/1812
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
The Socket writable only change was added and implemented in the
constructor around 5885f464f0, but this was never removed.
The libev counter issue is no longer prudent; the test remains in
test/sequential/test-regress-GH-1726.
PR-URL: https://github.com/nodejs/io.js/pull/1819
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
This reverts commit 3c44100558.
Reverted for breaking node-heapdump[0].
AsyncWrap assigns a class id but does not set a v8::RetainedObjectInfo
provider callback with v8::HeapProfiler::SetWrapperClassInfoProvider().
The result is a null pointer dereference when taking a heap snapshot.
It can probably be solved by setting a generic provider callback inside
the AsyncWrap constructor but that may have performance ramifications
that need to be investigated first. I move to revert it for now.
[0] https://github.com/bnoordhuis/node-heapdump
PR-URL: https://github.com/nodejs/io.js/pull/1827
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Replace calls to fs.readFileSync() with an internal variant that does
not create Error objects on failure and is a bit speedier in general.
A secondary benefit is that it improves start-up times in the debugger
because it no longer emits thousands of exception debug events.
On a medium-sized application[0], this commit and its predecessor reduce
start-up times from about 1.5s to 0.5s and reduce the number of start-up
exceptions from ~6100 to 32, half of them internal to the application.
[0] https://github.com/strongloop/loopback-sample-app
PR-URL: https://github.com/nodejs/io.js/pull/1801
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Replace calls to fs.statSync() with an internal variant that does not
create Error or Stat objects that put strain on the garbage collector.
A secondary benefit is that it improves start-up times in the debugger
because it no longer emits thousands of exception debug events.
PR-URL: https://github.com/nodejs/io.js/pull/1801
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
PR-URL: https://github.com/nodejs/io.js/pull/1777
Notable Changes:
* crypto: Diffie-Hellman key exchange (DHE) parameters ('dhparams') must now be
1024 bits or longer or an error will be thrown. A warning will also be printed
to the console if you supply less than 2048 bits. See https://weakdh.org/ for
further context on this security concern. (Shigeki Ohtsu) #1739.
* node: A new --trace-sync-io command line flag will print a warning and a stack
trace whenever a synchronous API is used. This can be used to track down
synchronous calls that may be slowing down an application.
(Trevor Norris) #1707.
* node: To allow for chaining of methods, the setTimeout(), setKeepAlive(),
setNoDelay(), ref() and unref() methods used in 'net', 'dgram', 'http',
'https' and 'tls' now return the current instance instead of undefined
(Roman Reiss & Evan Lucas) #1699 #1768 #1779.
* npm: Upgraded to v2.10.1, release notes can be found in
https://github.com/npm/npm/releases/tag/v2.10.1 and
https://github.com/npm/npm/releases/tag/v2.10.0.
* util: A significant speed-up (in the order of 35%) for the common-case of a
single string argument to util.format(), used by console.log()
(Сковорода Никита Андреевич) #1749.
Buffer.byteLength is important for speed because it is called whenever a
new Buffer is created from a string.
This commit optimizes Buffer.byteLength execution by:
- moving base64 length calculation into JS-land, which is now much
faster
- remove redundant code and streamline the UTF8 length calculation
It also adds a benchmark and better tests.
PR-URL: https://github.com/nodejs/io.js/pull/1713
Reviewed-By: Trevor Norris <trev.norris@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
DHE key lengths of less than 1024 bits are already weakened, as pointed out in
https://weakdh.org/. 1024 bits will not be safe in the near future. We
will extend this up to 2048 bits some days later.
PR-URL: https://github.com/nodejs/io.js/pull/1739
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
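Added example (not part of the io.js commits or changelog): a Node.js check that reads the prime size from a PEM `DH PARAMETERS` block and applies the thresholds stated in the crypto note above (error below 1024 bits, warning below 2048 bits). The helper names `readTlv`, `dhPrimeBits`, `classifyDhParam` and `samplePem` are hypothetical, and the sample inputs are constructed placeholders, not real DH groups.

```javascript
// Minimal DER reader: returns tag and content bounds of the element at `off`.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new RangeError('truncated DER');
  const tag = buf[off];
  let len = buf[off + 1];
  let pos = off + 2;
  if (len & 0x80) {                         // long-form length
    const n = len & 0x7f;
    if (n === 0 || n > 4) throw new RangeError('unsupported DER length');
    len = buf.readUIntBE(pos, n);
    pos += n;
  }
  if (pos + len > buf.length) throw new RangeError('truncated DER');
  return { tag, start: pos, end: pos + len };
}

// Bit length of the prime in a PKCS#3 "DH PARAMETERS" PEM block.
function dhPrimeBits(pem) {
  const m = /-----BEGIN DH PARAMETERS-----([\s\S]+?)-----END DH PARAMETERS-----/.exec(pem);
  if (!m) throw new Error('no DH PARAMETERS block found');
  const der = Buffer.from(m[1].replace(/\s+/g, ''), 'base64');
  const seq = readTlv(der, 0);
  if (seq.tag !== 0x30) throw new Error('expected SEQUENCE');
  const p = readTlv(der, seq.start);
  if (p.tag !== 0x02) throw new Error('expected INTEGER (prime)');
  let i = p.start;
  while (i < p.end && der[i] === 0) i++;    // skip sign padding / leading zeros
  return i === p.end ? 0 : (p.end - i) * 8 - (Math.clz32(der[i]) - 24);
}

// Thresholds from the release note: < 1024 bits is an error, < 2048 bits warns.
function classifyDhParam(pem) {
  const bits = dhPrimeBits(pem);
  const verdict = bits < 1024 ? 'reject' : bits < 2048 ? 'warn' : 'ok';
  return { bits, verdict };
}

// Constructed sample input: an all-ones placeholder of the requested size
// stands in for the prime (it is NOT a usable DH group), generator 2.
function samplePem(bits) {
  const len = (n) => (n < 128 ? [n] : n < 256 ? [0x81, n] : [0x82, n >> 8, n & 0xff]);
  const body = Buffer.concat([
    Buffer.from([0x02, ...len(bits / 8 + 1), 0x00]), Buffer.alloc(bits / 8, 0xff),
    Buffer.from([0x02, 0x01, 0x02]),
  ]);
  const der = Buffer.concat([Buffer.from([0x30, ...len(body.length)]), body]);
  return `-----BEGIN DH PARAMETERS-----\n${der.toString('base64')}\n-----END DH PARAMETERS-----\n`;
}

for (const bits of [512, 1024, 2048]) console.log(classifyDhParam(samplePem(bits)));
```

Run over the `dhparam` files a deployment passes to its TLS servers, this flags parameters that the updated runtime would refuse or warn about before the upgrade is rolled out.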
Pass along the PROVIDER type, that is already passed to AsyncWrap, along
to BaseObject to set the handle_'s class id. This will allow all
Persistents to be traversed and uniquely identified by what type they
are using APIs such as v8::PersistentHandleVisitor.
PR-URL: https://github.com/nodejs/io.js/pull/1730
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Use the --trace-sync-io flag to print a stack trace whenever a sync
method is used after the first tick, excluding during the process exit
event. (e.g. fs.readFileSync()) It does not track if the warning has
occurred at a specific location in the past and so will print the
warning every time.
Reason for not printing during the first tick of the application is so
all necessary resources can be required. Also, excluding synchronous
calls during exit is necessary in case any data needs to be logged out
by the application before it shuts down.
Fixes: https://github.com/nodejs/io.js/issues/1674
PR-URL: https://github.com/nodejs/io.js/pull/1707
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Fedor Indutny <fedor@indutny.com>
Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Reviewed-By: Petka Antonov <petka_antonov@hotmail.com>
SSL_read() returns 0 when fatal TLS Alert is received.
Fix to invoke ssl error callback in this case.
PR-URL: https://github.com/nodejs/io.js/pull/1661
Reviewed-By: Fedor Indutny <fedor@indutny.com>
PR-URL: https://github.com/iojs/io.js/pull/1679
Notable Changes:
* win,node-gyp: the delay-load hook for windows addons has now been
correctly enabled by default, it had wrongly defaulted to off in the
release version of 2.0.0 (Bert Belder) #1433
* os: tmpdir()'s trailing slash stripping has been refined to fix an
issue when the temp directory is at '/'. Also considers which slash is
used by the operating system. (cjihrig) #1673
* tls: default ciphers have been updated to use gcm and aes128 (Mike
MacCana) #1660
* build: v8 snapshots have been re-enabled by default as suggested by
the v8 team, since prior security issues have been resolved. This
should give some perf improvements to both startup and vm context
creation. (Trevor Norris) #1663
* src: fixed preload modules not working when other flags were used
before --require (Yosuke Furukawa) #1694
* dgram: fixed send()'s callback not being asynchronous (Yosuke
Furukawa) #1313
* readline: emitKeys now keeps buffering data until it has enough to
parse. This fixes an issue with parsing split escapes. (Alex Kocharin)
* cluster: workers now properly emit 'disconnect' to cluster.worker (Oleg
Elifantiev) #1386
* events: uncaught errors now provide some context (Evan Lucas) #1654