Commits on Feb 9, 2016
  1. @Trott @silverwind

    tools,doc: fix linting errors

    Refs: nodejs#4741 (comment)
    PR-URL: nodejs#5161
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Trott committed with silverwind Feb 9, 2016
  2. @Trott

    tools: disallow mixed spaces and tabs for indents

    Enable eslint rule disallowing mixing tabs and spaces for indentation.
    Modify the one file that had been mixing tabs and spaces.
    
    PR-URL: nodejs#5135
    Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Trott committed Feb 8, 2016
  3. @Trott

    tools: alphabetize eslint stylistic issues section

    Rearrange the style rules in .eslintrc to be in alphabetical order.
    
    This has two benefits:
    
    It means the rules appear in the same order as they do in the ESLint
    documentation, easing cross-referencing.
    
    It also means that it is much easier to determine with visual inspection
    if a rule is set or not.
    
    nodejs#5135
    Reviewed-By: Michaël Zasso <mic.besace@gmail.com>
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Trott committed Feb 7, 2016
  4. @jasnell

    2016-02-09, Version 5.6.0 (Stable)

    This is an important security release. All Node.js users should
    consult the security release summary at nodejs.org for details on
    patched vulnerabilities.
    
    Notable changes
    
    * http: fix defects in HTTP header parsing for requests and responses
      that can allow request smuggling (CVE-2016-2086) or response
      splitting (CVE-2016-2216). HTTP header parsing now aligns more
      closely with the HTTP spec including restricting the acceptable
      characters.
    * http-parser: upgrade from 2.6.0 to 2.6.1
    * npm: upgrade npm from 3.3.12 to 3.6.0
      (Rebecca Turner) nodejs#4958
    * openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
      Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
      parameters shorter than 1024-bits, up from the previous limit of
      768-bits.
    jasnell committed Feb 9, 2016
  5. @jasnell

    2016-02-09, Version 4.3.0 'Argon' (LTS)

    This is an important security release. All Node.js users should
    consult the security release summary at nodejs.org for details on
    patched vulnerabilities.
    
    Note that this release includes a non-backward compatible change to
    address a security issue. This change increases the version of the LTS
    v4.x line to v4.3.0. There will be *no further updates* to v4.2.x.
    
    * http: fix defects in HTTP header parsing for requests and responses
      that can allow request smuggling (CVE-2016-2086) or response
      splitting (CVE-2016-2216). HTTP header parsing now aligns more
      closely with the HTTP spec including restricting the acceptable
      characters.
    * http-parser: upgrade from 2.5.0 to 2.5.1
    * openssl: upgrade from 1.0.2e to 1.0.2f. To mitigate against the
      Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
      parameters shorter than 1024-bits, up from the previous limit of
      768-bits.
    * src:
      - introduce new `--security-revert={cvenum}` command line flag for
        selective reversion of specific CVE fixes
      - allow the fix for CVE-2016-2216 to be selectively reverted using
        `--security-revert=CVE-2016-2216`
    
    PR-URL: nodejs/node-private#20
    jasnell committed Feb 8, 2016
  6. @jasnell

    2016-02-09, Version 0.12.10 (LTS)

    This is an important security release. All Node.js users should
    consult the security release summary at nodejs.org for details on
    patched vulnerabilities.
    
    Notable changes:
    
    * http: fix defects in HTTP header parsing for requests and responses
      that can allow request smuggling (CVE-2016-2086) or response
      splitting (CVE-2016-2216). HTTP header parsing now aligns more
      closely with the HTTP spec including restricting the acceptable
      characters.
    * http-parser: upgrade from 2.3.0 to 2.3.1
    * openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
      Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
      parameters shorter than 1024-bits, up from the previous limit of
      768-bits.
    * src:
      - introduce new `--security-revert={cvenum}` command line flag for
        selective reversion of specific CVE fixes
      - allow the fix for CVE-2016-2216 to be selectively reverted using
        `--security-revert=CVE-2016-2216`
    * build:
      - xz compressed tar files will be made available from nodejs.org for
        v0.12 builds from v0.12.10 onward
      - A headers.tar.gz file will be made available from nodejs.org for
        v0.12 builds from v0.12.10 onward, a future change to node-gyp
        will be required to make use of these
    
    PR-URL: nodejs/node-private#24
    jasnell committed Feb 8, 2016
  7. @jasnell

    2016-02-09, Version 0.10.42 (Maintenance)

    This is an important security release. All Node.js users should
    consult the security release summary at nodejs.org for details on
    patched vulnerabilities.
    
    Notable changes:
    
    * http: fix defects in HTTP header parsing for requests and responses
      that can allow request smuggling (CVE-2016-2086) or response
      splitting (CVE-2016-2216). HTTP header parsing now aligns more
      closely with the HTTP spec including restricting the acceptable
      characters.
    * http-parser: upgrade from 1.0 to 1.1
    * openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the
      Logjam attack, TLS clients now reject Diffie-Hellman handshakes with
      parameters shorter than 1024-bits, up from the previous limit of
      768-bits.
    * src:
      - introduce new `--security-revert={cvenum}` command line flag for
        selective reversion of specific CVE fixes
      - allow the fix for CVE-2016-2216 to be selectively reverted using
        `--security-revert=CVE-2016-2216`
    * build:
      - xz compressed tar files will be made available from nodejs.org for
        v0.10 builds from v0.10.42 onward
      - A headers.tar.gz file will be made available from nodejs.org for
        v0.10 builds from v0.10.42 onward, a future change to node-gyp
        will be required to make use of these
    
    PR-URL: nodejs/node-private#25
    jasnell committed Feb 8, 2016
  8. @jasnell

    src: avoid compiler warning in node_revert.cc

    PR-URL: nodejs/node-private#26
    Reviewed-By: Rod Vagg <r@va.gg>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    jasnell committed Feb 8, 2016
  9. @jasnell

    http: strictly forbid invalid characters from headers

    PR-URL: nodejs/node-private#26
    Reviewed-By: Rod Vagg <r@va.gg>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    jasnell committed Feb 3, 2016
  10. @jasnell

    deps: update http-parser to version 2.6.1

    includes parsing improvements to ensure closer HTTP spec conformance
    
    PR-URL: nodejs/node-private#26
    Reviewed-By: Rod Vagg <r@va.gg>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    jasnell committed Feb 3, 2016
  11. @jasnell

    src: add --security-revert command line flag

    The `--security-revert={cvenum}` command line flag is a special purpose
    flag to be used only in stable or LTS branches when a breaking change
    is required to address a security vulnerability. Whenever a vulnerability
    requires a breaking change, and a CVE has been assigned, the flag can
    be used to force Node to revert to the insecure behavior that was
    implemented before the fix was applied.
    
    Note that this flag is intended to be used only as a last resort in the
    case a security update breaks existing code. When used, a security
    warning will be printed to stderr when Node launches.
    
    The `--security-revert={cvenum}` flag takes a single CVE number as an
    argument. Multiple instances of the `--security-revert={cvenum}` flag
    can be used on the command line to revert multiple changes.
    
    Whenever a new `--security-revert={cvenum}` is enabled, it should be
    documented in the release notes and in the API docs.
    
    Master and the first release of a new major (e.g. v6.0) should not have
    any reverts available.
    
    Every time a new `--security-revert={cvenum}` is added, there should be
    a semver-minor bump in the stable and LTS branch.
    
    PR-URL: nodejs/node-private#26
    Reviewed-By: Rod Vagg <r@va.gg>
    Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    jasnell committed Feb 3, 2016
  12. @felixfbecker @silverwind

    build: fix build when python path contains spaces

    PR-URL: nodejs#4841
    Reviewed-By: Benjamin Gruenbaum <inglor@gmail.com>
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Reviewed-By: Johan Bergström <bugs@bergstroem.nu>
    felixfbecker committed with silverwind Jan 24, 2016
  13. @princejwesley @silverwind

    repl: handle quotes within regexp literal

    PR-URL: nodejs#5117
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Minwoo Jung <jmwsoft@gmail.com>
    princejwesley committed with silverwind Feb 6, 2016
  14. @a0viedo @silverwind

    doc: merging behavior of writeHead vs setHeader

    PR-URL: nodejs#5081
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Roman Reiss <me@silverwind.io>
    a0viedo committed with silverwind Feb 5, 2016
  15. @claudiorodriguez @silverwind

    doc: fix type references for link gen, link css

    Fixes several type references in the docs so that the
    doc html gen tool that parses them can put the correct
    links in.
    
    Changes css styling for the generated type links.
    
    PR-URL: nodejs#4741
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Chris Dickinson <chris@neversaw.us>
    Reviewed-By: Roman Reiss <me@silverwind.io>
    claudiorodriguez committed with silverwind Jan 19, 2016
  16. @claudiorodriguez @silverwind

    tools: parse types into links in doc html gen

    Changes the parsing of parameter types in the doc html gen
    Links to either MDN or nodejs docs depending on type
    See #4350
    
    PR-URL: nodejs#4741
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Chris Dickinson <chris@neversaw.us>
    Reviewed-By: Roman Reiss <me@silverwind.io>
    claudiorodriguez committed with silverwind Jan 19, 2016
  17. @BridgeAR @trevnorris

    node: improve process.nextTick performance

    Prevent deoptimization of process.nextTick by removing the try finally
    block. This is not necessary as the next tick queue will be reset
    anyway, no matter if the callback throws or not.
    
    Using a predefined array size prevents resizing the array and is therefore
    faster.
    
    PR-URL: nodejs#5092
    Reviewed-By: Trevor Norris <trev.norris@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    BridgeAR committed with trevnorris Feb 4, 2016
  18. @mcollina

    streams: 5% throughput gain when sending small chunks

    Improves the performance when moving small buffers by 5%,
    and it adds a benchmark to avoid regression in that area.
    In all other cases it is equally performant to current master.
    
    Full performance results available at:
    https://gist.github.com/mcollina/717c35ad07d15710b6b9.
    
    PR-URL: nodejs#4354
    Reviewed-By: James M Snell <jasnell@gmail.com>
    mcollina committed Dec 16, 2015
  19. @shigeki

    test: enable to work pkcs12 test in FIPS mode

    The pfx file created by pkcs12 command of openssl causes an error in
    FIPS mode because its certificate is encrypted with RC2 by default.
    Adding `-descert` option resolves the error.
    
    Fix: nodejs#5144
    Fix: nodejs#5109
    PR-URL: nodejs#5150
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    shigeki committed Feb 9, 2016
Commits on Feb 8, 2016
  1. @indutny @Trott

    test: disable gh-5100 test when in FIPS mode

    This is a follow-up fix for half-broken test in 23196fe, and an attempt
    to recover some dignity after breaking CI.
    
    PR-URL: nodejs#5144
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    indutny committed with Trott Feb 8, 2016
  2. @Trott

    doc: fix dgram doc indentation

    PR-URL: nodejs#5118
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Trott committed Feb 5, 2016
  3. @bnoordhuis @indutny

    deps: reapply c-ares floating patch

    PR-URL: nodejs#5090
    Reviewed-By: Fedor Indutny <fedor@indutny.com>
    bnoordhuis committed with indutny May 15, 2013
  4. @zcbenz @indutny

    src,deps: replace LoadLibrary by LoadLibraryW

    On Windows, when compiling with `UNICODE` defined, `LoadLibrary` becomes
    `LoadLibraryW`. When an ASCII string is passed to that function it
    crashes.
    
    PR-URL: nodejs#226
    Reviewed-By: Bert Belder <bertbelder@gmail.com>
    zcbenz committed with indutny Dec 31, 2014
  5. @indutny

    deps: sync with upstream c-ares/c-ares@2bae2d5

    PR-URL: nodejs#5090
    Reviewed-By: Saúl Ibarra Corretgé <saghul@gmail.com>
    indutny committed Feb 4, 2016
  6. @indutny

    crypto: fix memory leak in LoadPKCS12

    `sk_X509_pop_free` should be used instead of `sk_X509_free` to free all
    items in queue too, not just the queue itself.
    
    PR-URL: nodejs#5109
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
    indutny committed Feb 5, 2016
  7. @indutny

    crypto: add `pfx` certs as CA certs too

    According to documentation all certificates specified in `pfx` option
    should be treated as CA certificates too. While it doesn't seem to be
    logically correct to me, we can't afford to break API stability at this
    point.
    
    Fix: #5100
    PR-URL: nodejs#5109
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
    indutny committed Feb 5, 2016
  8. @juliepagano @Fishrock123

    doc: clarify code of conduct reporting

    Clarifies the code of conduct by making the following changes:
    
    - Adds section headings to make it easier to quickly parse.
    - Adds easy to find contact information.
    - Adds link to TSC moderation policies.
    - Moves attribution to the bottom of the page.
    
    PR-URL: nodejs#5107
    Reviewed-By: Myles Borins <mborins@us.ibm.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Kat Marchán <kzm@sykosomatic.org>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    juliepagano committed with Fishrock123 Feb 5, 2016
  9. @dturing @silverwind

    dns: add resolvePtr to query plain DNS PTR records

    Resolving plain PTR records is used beyond reverse DNS, most
    prominently with DNS-SD (RFC6763). This adds dns.resolvePtr(),
    and uses it (instead of dns.reverse()) in dns.resolve().
    
    PR-URL: nodejs#4921
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Reviewed-By: Brian White <mscdex@mscdex.net>
    dturing committed with silverwind Feb 8, 2016
  10. @dturing @silverwind

    dns: add failure test for dns.resolveXXX

    test whether the various resolve functions cause ENOTFOUND when trying
    to resolve a known invalid domain/hostname.
    
    PR-URL: nodejs#4921
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Reviewed-By: Brian White <mscdex@mscdex.net>
    dturing committed with silverwind Feb 8, 2016
  11. @mcollina

    doc: clarify dgram socket.send() multi-buffer support

    Fixes: #5124
    See: nodejs#4374
    PR-URL: nodejs#5130
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    mcollina committed Feb 7, 2016
Commits on Feb 7, 2016
  1. @bnoordhuis

    doc: console is asynchronous unless it's a file

    Mea culpa, looks like I forgot to update console.markdown in commit
    dac1d38 ("doc: stdout/stderr can block when directed to file").
    This commit rectifies that.
    
    Refs: nodejs#5131
    PR-URL: nodejs#5133
    Reviewed-By: Brian White <mscdex@mscdex.net>
    Reviewed-By: Evan Lucas <evanlucas@me.com>
    bnoordhuis committed Feb 7, 2016
  2. @Trott @jasnell

    tools: lint for empty character classes in regex

    Enable linting rule to forbid empty character classes in regular
    expressions. See http://eslint.org/docs/rules/no-empty-character-class
    
    Organize "Possible Error" rules in .eslintrc in alphabetical order to
    match eslint documentation.
    
    PR-URL: nodejs#5115
    Reviewed-By: Roman Reiss <me@silverwind.io>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Trott committed with jasnell Feb 5, 2016
  3. @Trott @jasnell

    test: fix flaky test-dgram-pingpong

    There is no guarantee UDP messages will be received. Accommodate the
    occasional dropped message.
    
    This is a functionality test, not a performance benchmark. Speed up the
    test by not sending 1500 messages across three ports.
    
    Fixes: nodejs#4526
    PR-URL: nodejs#5125
    Reviewed-By: Brian White <mscdex@mscdex.net>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Trott committed with jasnell Feb 4, 2016
  4. @dcposch @jasnell

    buffer: remove deprecated Buffer.write branch

    * Explicit throw on deprecated Buffer.write(...)
    * Update tests, remove obsolete Buffer.write(...)
    * Add comment for obsolete Buffer.write(...)
    
    PR-URL: nodejs#5048
    Reviewed-By: Brian White <mscdex@mscdex.net>
    Reviewed-By: Trevor Norris <trev.norris@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    dcposch committed with jasnell Feb 2, 2016
  5. @JacksonTian @jasnell

    src: clean up usage of __proto__

    Prefer using Object.setPrototypeOf() instead.
    
    PR-URL: nodejs#5069
    Reviewed-By: Trevor Norris <trev.norris@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    JacksonTian committed with jasnell Feb 4, 2016