Upgrade Node.js to 19.0.1

[depfu]

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

Release Notes

19.0.1

This is a security release.

Notable changes

The following CVEs are fixed in this release:

• CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
• CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
• CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.

Commits

• [e58e8d70a8] - deps: update archs files for quictls/openssl-3.0.7+quic (RafaelGSS) #45286
• [85f4548d57] - deps: upgrade openssl sources to quictls/openssl-3.0.7+quic (RafaelGSS) #45286
• [43403f56f7] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#354

19.0.0

Node.js 19 is here! Highlights include the update of the V8 JavaScript engine to 10.7, HTTP(s)/1.1 KeepAlive enabled by default, and ESM Resolution adjusts.

Node.js 19 will replace Node.js 18 as our ‘Current’ release line when Node.js 18 enters long-term support (LTS) later this month. As per the release schedule, Node.js 19 will be ‘Current' release for the next 6 months, until April 2023.

Notable Changes

Deprecations and Removals

• [7dd2f41c73] - (SEMVER-MAJOR) module: runtime deprecate exports double slash maps (Guy Bedford) #44495
• [ada2d053ae] - (SEMVER-MAJOR) process: runtime deprecate coercion to integer in process.exit() (Daeyeon Jeong) #44711

18.0.0

Node.js 18 is here! Highlights include the update of the V8 JavaScript engine to 10.1, global fetch enabled by default, and a core test runner module.

Initially, Node.js 18 will replace Node.js 17 as our ‘Current’ release line. As per the release schedule, Node.js 18 will be the ‘Current’ release for the next 6 months and then promoted to Long-term Support (LTS) in October 2022. Once promoted to long-term support the release will be designated the codename ‘Hydrogen’. Node.js 18 will be supported until April 2025.

Notable Changes

Deprecations and Removals

• (SEMVER-MAJOR) fs: runtime deprecate string coercion in fs.write, fs.writeFileSync (Livia Medeiros) #42607
• (SEMVER-MAJOR) dns: remove dns.lookup and dnsPromises.lookup options type coercion (Antoine du Hamel) #41431
• (SEMVER-MAJOR) process: runtime deprecate multipleResolves (Benjamin Gruenbaum) #41896
• (SEMVER-MAJOR) stream: remove thenable support (Robert Nagy) #40773
• (SEMVER-MAJOR) tls: move tls.parseCertString to end-of-life (Tobias Nießen) #41479

fetch (experimental)

An experimental fetch API is available on the global scope by default. The implementation is based upon undici, an HTTP/1.1 client written for Node.js by contributors to the project.

const res = await fetch('https://nodejs.org/api/documentation.json');
if (res.ok) {
  const data = await res.json();
  console.log(data);
}

Through this addition, the following globals are made available: fetch, FormData, Headers, Request, Response.

Disable this API with the --no-experimental-fetch command-line flag.

Contributed by Michaël Zasso in #41811.

HTTP Timeouts

server.headersTimeout which limits the amount of time the parser will wait to receive the complete HTTP headers is now set to 60000 (60 seconds) by default.

server.requestTimeout which sets the timeout value in milliseconds for receiving the entire request from the client is now set to 300000 (5 minutes) by default.

If these timeouts expire, the server responds with status 408 without forwarding the request to the request listener and then closes the connection.

Both timeouts must be set to a non-zero value to protect against potential Denial-of-Service attacks in case the server is deployed without a reverse proxy in front.

Contributed by Paolo Insogna in #41263.

Test Runner module (experimental)

The node:test module facilitates the creation of JavaScript tests that report results in TAP format. To access it:

import test from 'node:test';

This module is only available under the node: scheme.

The following is an example implementation of a parent test with two subtests:

test('top level test', async (t) => {
await t.test('subtest 1', (t) => {
assert.strictEqual(1, 1);
});

await t.test('subtest 2', (t) => {
assert.strictEqual(2, 2);
});
});

Read more in https://nodejs.org/dist/latest-v18.x/docs/api/test.html.

Contributed by Colin Ihrig in #42325.

Toolchain and Compiler Upgrades

• Prebuilt binaries for Linux are now built on Red Hat Enterprise Linux (RHEL) 8 and are compatible with Linux distributions based on glibc 2.28 or later, for example, Debian 10, RHEL 8, Ubuntu 20.04.
• Prebuilt binaries for macOS now require macOS 10.15 or later.
• For AIX the minimum supported architecture has been raised from Power 7 to Power 8.

Prebuilt binaries for 32-bit Windows will initially not be available due to issues building the V8 dependency in Node.js. We hope to restore 32-bit Windows binaries for Node.js 18 with a future V8 update.

Node.js does not support running on operating systems that are no longer supported by their vendor. For operating systems where their vendor has planned to end support earlier than April 2025, such as Windows 8.1 (January 2023) and Windows Server 2012 R2 (October 2023), support for Node.js 18 will end at the earlier date.

Full details about the supported toolchains and compilers are documented in the Node.js BUILDING.md file.

Contributed by Richard Lau in #42292, #42604 and #42659,and Michaël Zasso in #42105 and #42666.

17.0.0

Notable Changes

Deprecations and Removals

• [f182b9b29f] - (SEMVER-MAJOR) dns: runtime deprecate type coercion of dns.lookup options (Antoine du Hamel) #39793
• [4b030d0573] - doc: deprecate (doc-only) http abort related (dr-js) #36670
• [36e2ffe6dc] - (SEMVER-MAJOR) module: subpath folder mappings EOL (Guy Bedford) #40121
• [64287e4d45] - (SEMVER-MAJOR) module: runtime deprecate trailing slash patterns (Guy Bedford) #40117

---

All Depfu comment commands

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Pauses all engine updates and closes this PR