Node.js JavaScript runtime 🐢🚀
Switch branches/tags
Clone or download
cjihrig tls: support changing credentials dynamically
This commit adds a setSecureContext() method to TLS servers. In
order to maintain backwards compatibility, the method takes the
options needed to create a new SecureContext, rather than an
instance of SecureContext.

Fixes: #4464
Refs: #10349
Refs: nodejs/help#603
Refs: #15115
PR-URL: #23644
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Latest commit 96a986d Oct 13, 2018
Permalink
Failed to load latest commit information.
.github doc: add multiple issue templates for GitHub Aug 12, 2018
benchmark benchmark: coerce PORT to number Oct 19, 2018
deps deps: add missing ares_android.h file Oct 19, 2018
doc tls: support changing credentials dynamically Oct 21, 2018
lib tls: support changing credentials dynamically Oct 21, 2018
src src,lib: move `natives` and `constants` to `internalBinding()` Oct 21, 2018
test tls: support changing credentials dynamically Oct 21, 2018
tools tools: prefer filter to remove empty strings Oct 18, 2018
.clang-format tools: add `make format-cpp` to run clang-format on C++ diffs Aug 3, 2018
.editorconfig tools: unify .editorconfig rules for 2-space Oct 1, 2018
.eslintignore tools: use lint-md.js Sep 11, 2018
.eslintrc.js tools: .eslintrc.js messages "default" typo style Sep 24, 2018
.gitattributes src: limit .gitattributes eol to vcbuild.bat Jan 13, 2015
.gitignore build: add .DS_store to .gitgnore Oct 15, 2018
.mailmap doc: update AUTHORS list Sep 14, 2018
.nycrc test: fix tests that fail under coverage May 22, 2018
.travis.yml tools: clarify commit message linting Oct 19, 2018
AUTHORS doc: update AUTHORS list Sep 14, 2018
BSDmakefile node: rename from io.js to node Aug 23, 2015
BUILDING.md doc: fix index in table of contents in BUILDING.md Oct 20, 2018
CHANGELOG.md 2018-10-10, Version 10.12.0 (Current) Oct 10, 2018
CODE_OF_CONDUCT.md doc: move Code of Conduct to admin repo Nov 28, 2017
COLLABORATOR_GUIDE.md meta: clarify fast-track approval Oct 19, 2018
CONTRIBUTING.md doc: add contents table to CONTRIBUTING.md Oct 1, 2018
CPP_STYLE_GUIDE.md doc: formalize non-const reference usage in C++ style guide Oct 21, 2018
GOVERNANCE.md doc: require two approvals to land changes Sep 25, 2018
LICENSE tools: use lint-md.js Sep 11, 2018
Makefile build: spawn `make test-ci` with `-j1` Oct 20, 2018
README.md doc: improve README.md Oct 19, 2018
android-configure build: don't create directory for NDK toolchain Mar 22, 2017
common.gypi deps: cherry-pick b0af309 from upstream V8 Oct 13, 2018
configure build: move meta-shebang back to `configure` Sep 7, 2018
configure.py src: initial large page (2M) support Oct 18, 2018
node.gyp src: initial large page (2M) support Oct 18, 2018
node.gypi src: initial large page (2M) support Oct 18, 2018
vcbuild.bat doc: remove GA tracking Oct 4, 2018

README.md

Node.js

Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. For more information on using Node.js, see the Node.js Website.

The Node.js project uses an open governance model. The Node.js Foundation provides support for the project.

This project is bound by a Code of Conduct.

Table of Contents

Support

Node.js contributors have limited availability to address general support questions. Please make sure you are using a currently-supported version of Node.js.

When looking for support, please first search for your question in these venues:

If you didn't find an answer in the resources above, try these unofficial resources:

GitHub issues are for tracking enhancements and bugs, not general support.

The open source license grants you the freedom to use Node.js. It does not guarantee commitments of other people's time. Please be respectful and manage your expectations.

Release Types

  • Current: Under active development. Code for the Current release is in the branch for its major version number (for example, v10.x). Node.js releases a new major version every 6 months, allowing for breaking changes. This happens in April and October every year. Releases appearing each October have a support life of 8 months. Releases appearing each April convert to LTS (see below) each October.
  • LTS: Releases that receive Long-term Support, with a focus on stability and security. Every even-numbered major version will become an LTS release. LTS releases receive 18 months of Active LTS support and a further 12 months of Maintenance. LTS release lines have alphabetically-ordered codenames, beginning with v4 Argon. There are no breaking changes or feature additions, except in some special circumstances.
  • Nightly: Code from the Current branch built every 24-hours when there are changes. Use with caution.

Current and LTS releases follow Semantic Versioning. A member of the Release Team signs each Current and LTS release. For more information, see the Release README.

Download

Binaries, installers, and source tarballs are available at https://nodejs.org/en/download/.

Current and LTS Releases

https://nodejs.org/download/release/

The latest directory is an alias for the latest Current release. The latest-codename directory is an alias for the latest release from an LTS line. For example, the latest-carbon directory contains the latest Carbon (Node.js 8) release.

Nightly Releases

https://nodejs.org/download/nightly/

Each directory name and filename contains a date (in UTC time) and the commit SHA at the HEAD of the release.

API Documentation

Documentation for the latest Current release is at https://nodejs.org/api/. Version-specific documentation is available in each release directory in the docs subdirectory. Version-specific documentation is also at https://nodejs.org/download/docs/.

Verifying Binaries

Download directories contain a SHASUMS256.txt file with SHA checksums for the files.

To download SHASUMS256.txt using curl:

$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt

To check that a downloaded file matches the checksum, run it through sha256sum with a command such as:

$ grep node-vx.y.z.tar.gz SHASUMS256.txt | sha256sum -c -

For Current and LTS, the GPG detached signature of SHASUMS256.txt is in SHASUMS256.txt.sig. You can use it with gpg to verify the integrity of SHASUM256.txt. You will first need to import all the GPG keys of individuals authorized to create releases. They are at the bottom of this README under Release Team. To import the keys:

$ gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D

See the bottom of this README for a full script to import active release keys.

Next, download the SHASUMS256.txt.sig for the release:

$ curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig

Then use gpg --verify SHASUMS256.txt.sig SHASUMS256.txt to verify the file's signature.

Building Node.js

See BUILDING.md for instructions on how to build Node.js from source and a list of supported platforms.

Security

If you find a security vulnerability in Node.js, please report it to security@nodejs.org. Please withhold public disclosure until after the security team has addressed the vulnerability.

The security team will acknowledge your email within 24 hours. You will receive a more detailed response within 48 hours.

There are no hard and fast rules to determine if a bug is worth reporting as a security issue. Here are some examples of past issues and what the Security Response Team thinks of them. When in doubt, please do send us a report nonetheless.

Public disclosure preferred

  • #14519: Internal domain function can be used to cause segfaults. Causing program termination using either the public JavaScript APIs or the private bindings layer APIs requires the ability to execute arbitrary JavaScript code, which is already the highest level of privilege possible.

  • #12141: buffer: zero fill Buffer(num) by default. The buffer constructor behavior was documented, but found to be prone to mis-use. It has since been changed, but despite much debate, was not considered misuse prone enough to justify fixing in older release lines and breaking our API stability contract.

Private disclosure preferred

  • CVE-2016-7099: Fix invalid wildcard certificate validation check. This is a high severity defect that would allow a malicious TLS server to serve an invalid wildcard certificate for its hostname and be improperly validated by a Node.js client.

  • #5507: Fix a defect that makes the CacheBleed Attack possible. Many, though not all, OpenSSL vulnerabilities in the TLS/SSL protocols also affect Node.js.

  • CVE-2016-2216: Fix defects in HTTP header parsing for requests and responses that can allow response splitting. While the impact of this vulnerability is application and network dependent, it is remotely exploitable in the HTTP protocol.

When in doubt, please do send us a report.

Current Project Team Members

For information about the governance of the Node.js project, see GOVERNANCE.md.

TSC (Technical Steering Committee)

TSC Emeriti

Collaborators

Collaborator Emeriti

Collaborators follow the COLLABORATOR_GUIDE.md in maintaining the Node.js project.

Release Team

Node.js releases are signed with one of the following GPG keys:

To import the full set of trusted release keys:

gpg --keyserver pool.sks-keyservers.net --recv-keys 94AE36675C464D64BAFA68DD7434390BDBE9B9C5
gpg --keyserver pool.sks-keyservers.net --recv-keys B9AE9905FFD7803F25714661B63B535A4C206CA9
gpg --keyserver pool.sks-keyservers.net --recv-keys 77984A986EBC2AA786BC0F66B01FBB92821C587A
gpg --keyserver pool.sks-keyservers.net --recv-keys 71DCFD284A79C3B38668286BC97EC7A07EDE3FC1
gpg --keyserver pool.sks-keyservers.net --recv-keys FD3A5288F042B6850C66B31F09FE44734EB7990E
gpg --keyserver pool.sks-keyservers.net --recv-keys 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600
gpg --keyserver pool.sks-keyservers.net --recv-keys C4F0DFFF4E8C1A8236409D08E73BC641CC11F4C8
gpg --keyserver pool.sks-keyservers.net --recv-keys DD8F2338BAE7501E3DD5AC78C273792F7D83545D

See the section above on Verifying Binaries for how to use these keys to verify a downloaded file.

Other keys used to sign some previous releases:

Contributing to Node.js