Permalink
Commits on Oct 2, 2016
  1. test: add and assert readable/writable arguments

    Currently the readable and writable arguments are not specified in the
    req.oncomplete method. Adding and asserting that they are always true
    (which is always the case for TCP). This might seem unnecessary but it
    can't hurt to have them to pickup any breaking modifications made to
    ConnectionWrap::AfterConnect in the future.
    
    PR-URL: nodejs#8815
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    danbev committed Sep 27, 2016
Commits on Oct 1, 2016
  1. timers: improve setTimeout/Interval performance

    This commit improves timers performance by making functions
    inlineable and avoiding the creation of extra closures/functions.
    
    This commit also makes setTimeout/Interval argument handling
    consistent with that of setImmediate.
    
    These changes give ~22% improvement in the existing 'breadth' timers
    benchmark.
    
    PR-URL: nodejs#8661
    Reviewed-By: Franziska Hinkelmann <franziska.hinkelmann@gmail.com>
    Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    mscdex committed Sep 20, 2016
Commits on Sep 30, 2016
  1. test: cleanup/update test-os.js

    Replaced `==` with `===
    Replaced `indexOf(...) !== -1` with `includes()`
    
    PR-URL: nodejs#8761
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    mikeswoods committed with Trott Sep 24, 2016
  2. src: fixes misplaced comment

    In e26622b, a comment was incorrectly moved from the code
    it was describing.
    
    Fixes: nodejs#8856
    PR-URL: nodejs#8860
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    madhavgharmalkar committed with jasnell Sep 30, 2016
  3. src: add missing length argument to send comment

    The list.length argument is missing from the comment and just adding
    this for clarity.
    
    PR-URL: nodejs#8816
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    danbev committed with jasnell Sep 27, 2016
  4. test: modernize syntax, add strict checks

    Changed `var` to `const`, strings to template literals, and
    assert.equal to assert.strictEqual where appropriate.
    
    PR-URL: nodejs#8841
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    llkats committed with Fishrock123 Sep 29, 2016
  5. test: use common.skip for tap skip output

    These were missed from 52bae22
    
    PR-URL: nodejs#8841
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    llkats committed with Fishrock123 Sep 29, 2016
  6. test: stream writable ended state

    PR-URL: nodejs#8778
    Ref: nodejs#8686
    Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    italoacasas committed with mcollina Sep 27, 2016
  7. doc: add example for running with v8-inspector

    Add example to show what running Node.js with `--inspect`
    should look like.
    
    Some IDEs do not show the link when running with `--inspect`.
    This example hints to what the full output looks like.
    
    PR-URL: nodejs#8845
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    fhinkel committed with jasnell Sep 29, 2016
  8. benchmark: add info about required Unix tools

    This adds note to README.md about Unix tools being
    required by some benchmarks
    
    PR-URL: nodejs#8788
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    bzoz committed with jasnell Sep 26, 2016
  9. doc: fix typo in repl doc

    PR-URL: nodejs#8826
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Yorkie Liu <yorkiefixer@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Michaël Zasso <targos@protonmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    fhinkel committed with jasnell Sep 28, 2016
  10. fs,module: add module-loader-only realpath cache

    Reintroduce a realpath cache with the same mechanisms which existed
    before b488b19
    (`fs: optimize realpath using uv_fs_realpath()`), but only for
    the synchronous version and with the cache being passed as a
    hidden option to make sure it is only used internally.
    
    The cache is hidden from userland applications because it has been
    decided that fully reintroducing as part of the public API might stand
    in the way of future optimizations.
    
    PR-URL: nodejs#8100
    Reviewed-By: Bartosz Sosnowski <bartosz@janeasystems.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    addaleax committed Aug 14, 2016
  11. dns: remove internal variable from makeAsync

    PR-URL: nodejs#8800
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    yorkie committed Sep 27, 2016
Commits on Sep 29, 2016
  1. stream: improve stream error messages

    Improve message when tranform._transform() method is not implemented
    Improve error message when Readable._read() is not implemented
    Remove extra word in err msg when Writable._write() when not implemented
    Remove extra word in err msg when Transform._transform() when not implemented
    
    PR-URL: nodejs#8801
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    italoacasas committed with imyller Sep 27, 2016
  2. test: mark test-inspector flaky on windows

    PR-URL: nodejs#8835
    Reviewed-By: Eugene Ostroukhov <eostroukhov@google.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Trott committed with TheAlphaNerd Sep 28, 2016
  3. src: update NODE_MODULE_VERSION to 51

    When V8 was updated on master to 5.4 there were ABI breaking changes.
    In the past we have not landed these types of changes before a release,
    and as such have only bumped the NODE_MODULE_VERSION number in the
    release commit.
    
    Since we are going to be keeping the V8 5.4 beta on master and in the
    v7 betas I think it makes sense for us to bump the module number prior
    to a release commit being made. It is possible that this commit should
    be reverted prior to v7.0.0 being cut. Alternatively we may want to
    modify our release process for V8 to include a NODE_MODULE_VERSION
    bump before landing on master when applicable.
    
    NODE_MODULE_VERSION is being bumped to 51 instead of 49 to avoid
    conflicts with NODE_MODULE_VERSIONs being used in electron.
    
    Ref: electron/electron#5851 (comment)
    Ref: nodejs#8317
    
    PR-URL: nodejs#8808
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    TheAlphaNerd committed Sep 27, 2016
  4. test: clean up test-buffer-badhex

    This test was recently (at the time of writing) introduced in
    151d316
    and could be cleaned up a bit.
    
    Refs: nodejs#7602
    PR-URL: nodejs#7773
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Fishrock123 committed Jul 17, 2016
  5. src: notify V8 for low memory when alloc fails

    Call `v8::Isolate::GetCurrent()->LowMemoryNotification()` when
    an allocation fails to give V8 a chance to clean up and return
    memory before retrying (and possibly giving up).
    
    PR-URL: nodejs#8482
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    addaleax committed Sep 10, 2016
  6. src: provide allocation + nullptr check shortcuts

    Provide shortcut `node::CheckedMalloc()` and friends that
    replace `node::Malloc()` + `CHECK_NE(·, nullptr);` combinations
    in a few places.
    
    PR-URL: nodejs#8482
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    addaleax committed Sep 10, 2016
  7. src: pass desired return type to allocators

    Pass the desired return type directly to the allocation functions,
    so that the resulting `static_cast` from `void*` becomes unneccessary
    and the return type can be use as a reasonable default value for the
    `size` parameter.
    
    PR-URL: nodejs#8482
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    addaleax committed Sep 10, 2016
  8. src: add Malloc() size param + overflow detection

    Adds an optional second parameter to `node::Malloc()` and
    an optional third parameter to `node::Realloc()` giving the
    size/number of items to be allocated, in the style of `calloc(3)`.
    
    Use a proper overflow check using division;
    the previous `CHECK_GE(n * size, n);` would not detect all cases
    of overflow (e.g. `size == SIZE_MAX / 2 && n == 3`).
    
    PR-URL: nodejs#8482
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    addaleax committed Sep 10, 2016
  9. test: cleanup test-net-server-address.js

    Refactored test:
    - 'var' to 'const'
    - functon to arrow function
    - using common.mustCall() and common.fail()
    
    PR-URL: nodejs#8586
    Reviewed-By: Yosuke Furukawa <yosuke.furukawa@gmail.com>
    Reviewed-By: Michaël Zasso <targos@protonmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Akito Ito committed with imyller Sep 17, 2016
  10. doc: improve documentation for commit subject line

    Specify that commit subject line must be made of only lowercase words
    and should start with an imperative verb.
    
    PR-URL: nodejs#8546
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Michaël Zasso <targos@protonmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    lpinca committed Sep 15, 2016
  11. doc: encourage 2FA before onboarding

    In the onboarding document, add a note to ask the new Collaborator if
    they are using two-factor authentication on their GitHub account. If
    they are not, suggest that they enable it as their account will have
    elevated privileges in many of the Node.js repositories.
    
    PR-URL: nodejs#8776
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    Reviewed-By: Johan Bergstrom <bugs@bergstroem.nu>
    Reviewed-By: Robert Jefe Lindstaedt <robert.lindstaedt@gmail.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Trott committed Sep 25, 2016
  12. doc: add optional step to onboarding doc

    Include information on how to force push to the contributor's own branch
    so that pull requests show as merged in GitHub interface.
    
    PR-URL: nodejs#8774
    Reviewed-By: Robert Jefe Lindstaedt <robert.lindstaedt@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Michaël Zasso <targos@protonmail.com>
    Reviewed-By: Johan Bergstrom <bugs@bergstroem.nu>
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Trott committed Sep 25, 2016
Commits on Sep 28, 2016
  1. test:replace indexOf, assert.equal, add mustCall()

    replace indexOf with includes
    replace assert.equal with assert.strictEqual
    add common.mustCall
    replace throw error with assert.ifError
    
    PR-URL: nodejs#8766
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    richHong committed with Trott Sep 24, 2016
  2. doc: remove failing workaround in BUILDING.md

    Updated BUILDING.md, removing workaround for Python conflicts that
    didn't work.
    
    PR-URL: nodejs#8763
    Reviewed-By: Ilkka Myller <ilkka.myller@nodefield.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Bryan English <bryan@bryanenglish.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Refs: nodejs#8763
    christopherfujino committed with Trott Sep 24, 2016
  3. src: rename CHECK_NOT_OOB() macro

    Rename CHECK_NOT_OOB() to THROW_AND_RETURN_IF_OOB() because the old name
    suggests it asserts and aborts when it is really a control flow macro.
    
    PR-URL: nodejs#8784
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    bnoordhuis committed Sep 26, 2016
  4. buffer: zero-fill uninitialized bytes in .concat()

    This makes sure that no uninitialized bytes are leaked when the specified
    `totalLength` input value is greater than the actual total length of the
    specified buffers array, e.g. in Buffer.concat([Buffer.alloc(0)], 100).
    
    PR-URL: nodejs/node-private#64
    Reviewed-By: Rod Vagg <rod@vagg.org>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    ChALkeR committed with rvagg Sep 16, 2016
  5. lib: make tls.checkServerIdentity() more strict

    PR-URL: nodejs/node-private#75
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    bnoordhuis committed with rvagg Aug 15, 2016
  6. crypto: don't build hardware engines

    Compile out hardware engines.  Most are stubs that dynamically load
    the real driver but that poses a security liability when an attacker
    is able to create a malicious DLL in one of the default search paths.
    
    PR-URL: nodejs/node-private#73
    Reviewed-By: Rod Vagg <rod@vagg.org>
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    bnoordhuis committed with rvagg Sep 8, 2016
  7. http: check reason chars in writeHead

    Previously, the reason argument passed to ServerResponse#writeHead was
    not being properly validated.  One could pass CRLFs which could lead to
    http response splitting. This commit changes the behavior to throw an
    error in the event any invalid characters are included in the reason.
    
    CVE-2016-5325
    
    PR-URL: nodejs/node-private#60
    Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
    evanlucas committed with rvagg Sep 27, 2016
  8. tls: improve createSecureContext in _tls_common

    - this shares the iterator variable `i` expictly.
    - this converts some var to const.
    
    PR-URL: nodejs#8781
    Reviewed-By: Brian White <mscdex@mscdex.net>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    yorkie committed Sep 26, 2016
  9. 2016-09-27, Version 6.7.0 (Current)

    This is a security release. All Node.js users should consult the
    security release summary at
    https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
    for details on patched vulnerabilities.
    
    Notable Changes
    
    Semver Minor:
    
    * openssl:
      - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
        CVE-2016-6304 ("OCSP Status Request extension unbounded memory
        growth", high severity), CVE-2016-2183, CVE-2016-2178, and CVE-2016-6306.
        (Shigeki Ohtsu) nodejs#8714
      - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
        a crash when using CRLs, CVE-2016-7052.
        (Shigeki Ohtsu) nodejs#8786
      - Remove support for loading dynamic third-party engine modules.
        An attacker may be able to hide malicious code to be inserted
        into Node.js at runtime by masquerading as one of the dynamic
        engine modules. Originally reported by Ahmed Zaki (Skype).
        (Ben Noordhuis) nodejs/node-private#73
    * http: CVE-2016-5325 - Properly validate for allowable characters in
      the `reason` argument in `ServerResponse#writeHead()`. Fixes a
      possible response splitting attack vector. This introduces a new
      case where `throw` may occur when configuring HTTP responses, users
      should already be adopting try/catch here. Originally reported
      independently by Evan Lucas and Romain Gaucher.
      (Evan Lucas) nodejs/node-private#60
    
    Semver Patch:
    
    * buffer: Zero-fill excess bytes in new `Buffer` objects created with
      `Buffer.concat()` while providing a `totalLength` parameter that
      exceeds the total length of the original `Buffer` objects being
      concatenated.
      (Сковорода Никита Андреевич) nodejs/node-private#64
    * src: Fix regression where passing an empty password and/or salt to
      crypto.pbkdf2() would cause a fatal error
      (Rich Trott) nodejs#8572
    * tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
      check whereby a TLS server may be able to serve an invalid wildcard
      certificate for its hostname due to improper validation of `*.` in the
      wildcard string. Originally reported by Alexander Minozhenko and
      James Bunton (Atlassian).
      (Ben Noordhuis) nodejs/node-private#75
    * v8: Fix regression where a regex on a frozen object was broken
      (Myles Borins) nodejs#8673
    evanlucas committed Sep 27, 2016
  10. 2016-09-27, Version 4.6.0 'Argon' (LTS)

    This is a security release. All Node.js users should consult the
    security release summary at
    https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
    for details on patched vulnerabilities.
    
    Notable Changes
    
    Semver Minor:
    
    * openssl:
      - Upgrade to 1.0.2i, fixes a number of defects impacting Node.js:
        CVE-2016-6304 ("OCSP Status Request extension unbounded memory
        growth", high severity), CVE-2016-2183, CVE-2016-6303,
        CVE-2016-2178 and CVE-2016-6306.
        (Shigeki Ohtsu) nodejs#8714
      - Upgrade to 1.0.2j, fixes a defect included in 1.0.2i resulting in
        a crash when using CRLs, CVE-2016-7052.
        (Shigeki Ohtsu) nodejs#8786
      - Remove support for loading dynamic third-party engine modules.
        An attacker may be able to hide malicious code to be inserted into
        Node.js at runtime by masquerading as one of the dynamic engine
        modules. Originally reported by Ahmed Zaki (Skype).
        (Ben Noordhuis) nodejs/node-private#70
    * http: CVE-2016-5325 - Properly validate for allowable characters in
      the `reason` argument in `ServerResponse#writeHead()`. Fixes a
      possible response splitting attack vector. This introduces a new
      case where `throw` may occur when configuring HTTP responses, users
      should already be adopting try/catch here. Originally reported
      independently by Evan Lucas and Romain Gaucher.
      (Evan Lucas) nodejs/node-private#46
    
    Semver Patch:
    
    * buffer: Zero-fill excess bytes in new `Buffer` objects created with
      `Buffer.concat()` while providing a `totalLength` parameter that
      exceeds the total length of the original `Buffer` objects being
      concatenated.
      (Сковорода Никита Андреевич) nodejs/node-private#65
    * tls: CVE-2016-7099 - Fix invalid wildcard certificate validation
      check whereby a TLS server may be able to serve an invalid wildcard
      certificate for its hostname due to improper validation of `*.` in
      the wildcard string. Originally reported by Alexander Minozhenko and
      James Bunton (Atlassian).
      (Ben Noordhuis) nodejs/node-private#63
    
    PR-URL: nodejs/node-private#74
    rvagg committed Sep 27, 2016