Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
923 lines (692 sloc) 51.9 KB

Node.js 0.10 ChangeLog


Note: Node.js v0.10 is covered by the Node.js Long Term Support Plan and will be maintained until October 2016.

2016-10-18, Version 0.10.48 (Maintenance), @rvagg

This is a security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.

Notable changes


2016-09-27, Version 0.10.47 (Maintenance), @rvagg

This is a security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.

Notable changes:

  • buffer: Zero-fill excess bytes in new Buffer objects created with Buffer.concat() while providing a totalLength parameter that exceeds the total length of the original Buffer objects being concatenated. (Сковорода Никита Андреевич)
  • http:
    • CVE-2016-5325 - Properly validate for allowable characters in the reason argument in ServerResponse#writeHead(). Fixes a possible response splitting attack vector. This introduces a new case where throw may occur when configuring HTTP responses, users should already be adopting try/catch here. Originally reported independently by Evan Lucas and Romain Gaucher. (Evan Lucas)
    • Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999. Lack of proper validation may also serve as a potential response splitting attack vector. Backported from v4.x. (Brian White)
  • openssl: Upgrade to 1.0.1u, fixes a number of defects impacting Node.js: CVE-2016-6304 ("OCSP Status Request extension unbounded memory growth", high severity), CVE-2016-2183, CVE-2016-2183, CVE-2016-2178 and CVE-2016-6306.
  • tls: CVE-2016-7099 - Fix invalid wildcard certificate validation check whereby a TLS server may be able to serve an invalid wildcard certificate for its hostname due to improper validation of *. in the wildcard string. Originally reported by Alexander Minozhenko and James Bunton (Atlassian) (Ben Noordhuis)


2016-06-23, Version 0.10.46 (Maintenance), @rvagg

Notable changes:

This is a security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.


2016-05-06, Version 0.10.45 (Maintenance), @rvagg

Notable changes:


2016-03-31, Version 0.10.44 (Maintenance), @rvagg

Notable changes

  • npm: Upgrade to v2.15.1. Fixes a security flaw in the use of authentication tokens in HTTP requests that would allow an attacker to set up a server that could collect tokens from users of the command-line interface. Authentication tokens have previously been sent with every request made by the CLI for logged-in users, regardless of the destination of the request. This update fixes this by only including those tokens for requests made against the registry or registries used for the current install. IMPORTANT: This is a major upgrade to npm v2 LTS from the previously deprecated npm v1. (Forrest L Norvell)
  • openssl: OpenSSL v1.0.1s disables the EXPORT and LOW ciphers as they are obsolete and not considered safe. This release of Node.js turns on OPENSSL_NO_WEAK_SSL_CIPHERS to fully disable the 27 ciphers included in these lists which can be used in SSLv3 and higher. Full details can be found in our LTS discussion on the matter ( (Shigeki Ohtsu)


2016-03-04, Version 0.10.43 (Maintenance), @rvagg

Notable changes:

  • http_parser: Update to http-parser 1.2 to fix an unintentionally strict limitation of allowable header characters. (James M Snell)
  • domains:
    • Prevent an exit due to an exception being thrown rather than emitting an 'uncaughtException' event on the process object when no error handler is set on the domain within which an error is thrown and an 'uncaughtException' event listener is set on process. (Julien Gilli)
    • Fix an issue where the process would not abort in the proper function call if an error is thrown within a domain with no error handler and --abort-on-uncaught-exception is used. (Julien Gilli)
  • openssl: Upgrade from 1.0.1r to 1.0.1s (Ben Noordhuis)
    • Fix a double-free defect in parsing malformed DSA keys that may potentially be used for DoS or memory corruption attacks. It is likely to be very difficult to use this defect for a practical attack and is therefore considered low severity for Node.js users. More info is available at
    • Fix a defect that can cause memory corruption in certain very rare cases relating to the internal BN_hex2bn() and BN_dec2bn() functions. It is believed that Node.js is not invoking the code paths that use these functions so practical attacks via Node.js using this defect are unlikely to be possible. More info is available at
    • Fix a defect that makes the CacheBleed Attack ( possible. This defect enables attackers to execute side-channel attacks leading to the potential recovery of entire RSA private keys. It only affects the Intel Sandy Bridge (and possibly older) microarchitecture when using hyper-threading. Newer microarchitectures, including Haswell, are unaffected. More info is available at
    • Remove SSLv2 support, the --enable-ssl2 command line argument will now produce an error. The DROWN Attack ( creates a vulnerability where SSLv2 is enabled by a server, even if a client connection is not using SSLv2. The SSLv2 protocol is widely considered unacceptably broken and should not be supported. More information is available at


2016-02-09, Version 0.10.42 (Maintenance), @jasnell

This is an important security release. All Node.js users should consult the security release summary at for details on patched vulnerabilities.

Notable changes

  • http: fix defects in HTTP header parsing for requests and responses that can allow request smuggling (CVE-2016-2086) or response splitting (CVE-2016-2216). HTTP header parsing now aligns more closely with the HTTP spec including restricting the acceptable characters.
  • http-parser: upgrade from 1.0 to 1.1
  • openssl: upgrade from 1.0.1q to 1.0.1r. To mitigate against the Logjam attack, TLS clients now reject Diffie-Hellman handshakes with parameters shorter than 1024-bits, up from the previous limit of 768-bits.
  • src:
    • introduce new --security-revert={cvenum} command line flag for selective reversion of specific CVE fixes
    • allow the fix for CVE-2016-2216 to be selectively reverted using --security-revert=CVE-2016-2216
  • build:
    • xz compressed tar files will be made available from for v0.10 builds from v0.10.42 onward
    • A headers.tar.gz file will be made available from for v0.10 builds from v0.10.42 onward, a future change to node-gyp will be required to make use of these


2015-12-04, Version 0.10.41 (Maintenance), @rvagg

Security Update

Notable changes

  • build: Add support for Microsoft Visual Studio 2015
  • npm: Upgrade to v1.4.29 from v1.4.28. A special one-off release as part of the strategy to get a version of npm into Node.js v0.10.x that works with the current registry ( This version of npm prints out a banner each time it is run. The banner warns that the next standard release of Node.js v0.10.x will ship with a version of npm v2.
  • openssl: Upgrade to 1.0.1q, containing fixes CVE-2015-3194 "Certificate verify crash with missing PSS parameter", a potential denial-of-service vector for Node.js TLS servers using client certificate authentication; TLS clients are also impacted. Details are available at (Ben Noordhuis)


2015-07-09, Version 0.10.40 (Maintenance)


2015-06-18, Version 0.10.39 (Maintenance)


  • [456c22f63f] - openssl: upgrade to 1.0.1o (Addressing multiple CVEs) #25523
  • [9d19dfbfdb] - install: fix source path for openssl headers (Oguz Bastemur) #14089
  • [4028669531] - install: make sure opensslconf.h is overwritten (Oguz Bastemur) #14089
  • [d38e865fce] - timers: fix timeout when added in timer's callback (Julien Gilli) #17203
  • [e7c84f82c7] - windows: broadcast WM_SETTINGCHANGE after install (Mathias Küsel) #25100

2015-03-23, Version 0.10.38 (Maintenance)


  • [3b511a8ccd] - openssl: upgrade to 1.0.1m (Addressing multiple CVES)

2015-03-11, Version 0.10.37 (Maintenance)


  • [dcff5d565c] - uv: update to 0.10.36 (CVE-2015-0278) #9274
  • [f2a45caf2e] - domains: fix stack clearing after error handled (Jonas Dohse) #9364
  • [d01a900078] - buffer: reword Buffer.concat error message (Chris Dickinson) #8723
  • [c8239c08d7] - console: allow Object.prototype fields as labels (Julien Gilli) #9215
  • [431eb172f9] - V8: log version in profiler log file (Ben Noordhuis) #9043
  • [8bcd0a4c4a] - http: fix performance regression for GET requests (Florin-Cristian Gavrila) #9026

2015-01-26, Version 0.10.36 (Stable)


  • [deef605085] - openssl: update to 1.0.1l
  • [45f1330425] - v8: Fix debugger and strict mode regression (Julien Gilli)
  • [6ebd85e105] - v8: don't busy loop in cpu profiler thread (Ben Noordhuis) #8789

2014.12.22, Version 0.10.35 (Stable)

  • tls: re-add 1024-bit SSL certs removed by f9456a2 (Chris Dickinson)
  • timers: don't close interval timers when unrefd (Julien Gilli)
  • timers: don't mutate unref list while iterating it (Julien Gilli)

2014.12.17, Version 0.10.34 (Stable)

  • uv: update to v0.10.30
  • zlib: upgrade to v1.2.8
  • child_process: check execFile args is an array (Sam Roberts)
  • child_process: check fork args is an array (Sam Roberts)
  • crypto: update root certificates (Ben Noordhuis)
  • domains: fix issues with abort on uncaught (Julien Gilli)
  • timers: Avoid linear scan in _unrefActive. (Julien Gilli)
  • timers: fix unref() memory leak (Trevor Norris)
  • v8: add api for aborting on uncaught exception (Julien Gilli)
  • debugger: fix when using "use strict" (Julien Gilli)

2014.10.20, Version 0.10.33 (Stable)

  • openssl: Update to 1.0.1j (Addressing multiple CVEs)

  • uv: Update to v0.10.29

  • child_process: properly support optional args (cjihrig)

  • crypto: Disable autonegotiation for SSLv2/3 by default (Fedor Indutny, Timothy J Fontaine, Alexis Campailla)

    This is a behavior change, by default we will not allow the negotiation to SSLv2 or SSLv3. If you want this behavior, run Node.js with either --enable-ssl2 or --enable-ssl3 respectively.

    This does not change the behavior for users specifically requesting SSLv2_method or SSLv3_method. While this behavior is not advised, it is assumed you know what you're doing since you're specifically asking to use these methods.

2014.09.16, Version 0.10.32 (Stable)

  • npm: Update to 1.4.28
  • v8: fix a crash introduced by previous release (Fedor Indutny)
  • configure: add --openssl-no-asm flag (Fedor Indutny)
  • crypto: use domains for any callback-taking method (Chris Dickinson)
  • http: do not send 0\r\n\r\n in TE HEAD responses (Fedor Indutny)
  • querystring: fix unescape override (Tristan Berger)
  • url: Add support for RFC 3490 separators (Mathias Bynens)

2014.08.19, Version 0.10.31 (Stable)

  • v8: backport CVE-2013-6668
  • openssl: Update to v1.0.1i
  • npm: Update to v1.4.23
  • cluster: disconnect should not be synchronous (Sam Roberts)
  • fs: fix fs.readFileSync fd leak when get RangeError (Jackson Tian)
  • stream: fix Readable.wrap objectMode falsy values (James Halliday)
  • timers: fix timers with non-integer delay hanging. (Julien Gilli)

2014.07.31, Version 0.10.30 (Stable)

  • uv: Upgrade to v0.10.28
  • npm: Upgrade to v1.4.21
  • v8: Interrupts must not mask stack overflow.
  • Revert "stream: start old-mode read in a next tick" (Fedor Indutny)
  • buffer: fix sign overflow in readUIn32BE (Fedor Indutny)
  • buffer: improve {read,write}{U}Int* methods (Nick Apperson)
  • child_process: handle writeUtf8String error (Fedor Indutny)
  • deps: backport 4ed5fde4f from v8 upstream (Fedor Indutny)
  • deps: cherry-pick eca441b2 from OpenSSL (Fedor Indutny)
  • lib: remove and restructure calls to isNaN() (cjihrig)
  • module: eliminate double getenv() (Maciej Małecki)
  • stream2: flush extant data on read of ended stream (Chris Dickinson)
  • streams: remove unused require('assert') (Rod Vagg)
  • timers: backport f8193ab (Julien Gilli)
  • util.h: interface compatibility (Oguz Bastemur)
  • zlib: do not crash on write after close (Fedor Indutny)

2014.06.05, Version 0.10.29 (Stable)

  • openssl: to 1.0.1h (CVE-2014-0224)

  • npm: upgrade to 1.4.14

  • utf8: Prevent Node from sending invalid UTF-8 (Felix Geisendörfer)

    • NOTE this introduces a breaking change, previously you could construct invalid UTF-8 and invoke an error in a client that was expecting valid UTF-8, now unmatched surrogate pairs are replaced with the unknown UTF-8 character. To restore the old functionality simply have NODE_INVALID_UTF8 environment variable set.
  • child_process: do not set args before throwing (Greg Sabia Tucker)

  • child_process: spawn() does not throw TypeError (Greg Sabia Tucker)

  • constants: export O_NONBLOCK (Fedor Indutny)

  • crypto: improve memory usage (Alexis Campailla)

  • fs: close file if fstat() fails in readFile() (cjihrig)

  • lib: name EventEmitter prototype methods (Ben Noordhuis)

  • tls: fix performance issue (Alexis Campailla)

2014.05.01, Version 0.10.28 (Stable)

  • npm: upgrade to v1.4.9

2014.05.01, Version 0.10.27 (Stable)

  • npm: upgrade to v1.4.8
  • openssl: upgrade to 1.0.1g
  • uv: update to v0.10.27
  • dns: fix certain txt entries (Fedor Indutny)
  • assert: Ensure reflexivity of deepEqual (Mike Pennisi)
  • child_process: fix deadlock when sending handles (Fedor Indutny)
  • child_process: fix sending handle twice (Fedor Indutny)
  • crypto: do not lowercase cipher/hash names (Fedor Indutny)
  • dtrace: workaround linker bug on FreeBSD (Fedor Indutny)
  • http: do not emit EOF non-readable socket (Fedor Indutny)
  • http: invoke createConnection when no agent (Nathan Rajlich)
  • stream: remove useless check (Brian White)
  • timer: don't reschedule timer bucket in a domain (Greg Brail)
  • url: treat \ the same as / (isaacs)
  • util: format as Error if instanceof Error (Rod Vagg)

2014.02.18, Version 0.10.26 (Stable)

  • uv: Upgrade to v0.10.25 (Timothy J Fontaine)
  • npm: upgrade to 1.4.3 (isaacs)
  • v8: support compiling with VS2013 (Fedor Indutny)
  • cares: backport TXT parsing fix (Fedor Indutny)
  • crypto: throw on SignFinal failure (Fedor Indutny)
  • crypto: update root certificates (Ben Noordhuis)
  • debugger: Fix breakpoint not showing after restart (Farid Neshat)
  • fs: make unwatchFile() insensitive to path (iamdoron)
  • net: do not re-emit stream errors (Fedor Indutny)
  • net: make Socket destroy() re-entrance safe (Jun Ma)
  • net: reset endEmitted on reconnect (Fedor Indutny)
  • node: do not close stdio implicitly (Fedor Indutny)
  • zlib: avoid assertion in close (Fedor Indutny)

2014.01.23, Version 0.10.25 (Stable)

  • uv: Upgrade to v0.10.23
  • npm: Upgrade to v1.3.24
  • v8: Fix enumeration for objects with lots of properties
  • child_process: fix spawn() optional arguments (Sam Roberts)
  • cluster: report more errors to workers (Fedor Indutny)
  • domains: exit() only affects active domains (Ryan Graham)
  • src: OnFatalError handler must abort() (Timothy J Fontaine)
  • stream: writes may return false but forget to emit drain (Yang Tianyang)

2013.12.18, Version 0.10.24 (Stable)

  • uv: Upgrade to v0.10.21
  • npm: upgrade to 1.3.21
  • v8: backport fix for CVE-2013-{6639|6640}
  • build: unix install node and dep library headers (Timothy J Fontaine)
  • cluster, v8: fix --logfile=%p.log (Ben Noordhuis)
  • module: only cache package main (Wyatt Preul)

2013.12.12, Version 0.10.23 (Stable)

  • uv: Upgrade to v0.10.20 (Timothy J Fontaine)
  • npm: Upgrade to 1.3.17 (isaacs)
  • gyp: update to 78b26f7 (Timothy J Fontaine)
  • build: include postmortem symbols on linux (Timothy J Fontaine)
  • crypto: Make Decipher._flush() emit errors. (Kai Groner)
  • dgram: fix abort when getting fd of closed dgram (Fedor Indutny)
  • events: do not accept NaN in setMaxListeners (Fedor Indutny)
  • events: avoid calling once functions twice (Tim Wood)
  • events: fix TypeError in removeAllListeners (Jeremy Martin)
  • fs: report correct path when EEXIST (Fedor Indutny)
  • process: enforce allowed signals for kill (Sam Roberts)
  • tls: emit 'end' on .receivedShutdown (Fedor Indutny)
  • tls: fix potential data corruption (Fedor Indutny)
  • tls: handle ssl.start() errors appropriately (Fedor Indutny)
  • tls: reset NPN callbacks after SNI (Fedor Indutny)

2013.11.12, Version 0.10.22 (Stable)

  • npm: Upgrade to 1.3.14
  • uv: Upgrade to v0.10.19
  • child_process: don't assert on stale file descriptor events (Fedor Indutny)
  • darwin: Fix "Not Responding" in Mavericks activity monitor (Fedor Indutny)
  • debugger: Fix bug in sb() with unnamed script (Maxim Bogushevich)
  • repl: do not insert duplicates into completions (Maciej Małecki)
  • src: Fix memory leak on closed handles (Timothy J Fontaine)
  • tls: prevent stalls by using read(0) (Fedor Indutny)
  • v8: use correct timezone information on Solaris (Maciej Małecki)

2013.10.18, Version 0.10.21 (Stable)

  • uv: Upgrade to v0.10.18
  • crypto: clear errors from verify failure (Timothy J Fontaine)
  • dtrace: interpret two byte strings (Dave Pacheco)
  • fs: fix fs.truncate() file content zeroing bug (Ben Noordhuis)
  • http: provide backpressure for pipeline flood (isaacs)
  • tls: fix premature connection termination (Ben Noordhuis)

2013.09.30, Version 0.10.20 (Stable)

  • tls: fix sporadic hang and partial reads (Fedor Indutny)
    • fixes "npm ERR! cb() never called!"

2013.09.24, Version 0.10.19 (Stable)

  • uv: Upgrade to v0.10.17
  • npm: upgrade to 1.3.11
  • readline: handle input starting with control chars (Eric Schrock)
  • configure: add mips-float-abi (soft, hard) option (Andrei Sedoi)
  • stream: objectMode transforms allow falsey values (isaacs)
  • tls: prevent duplicate values returned from read (Nathan Rajlich)
  • tls: NPN protocols are now local to connections (Fedor Indutny)

2013.09.04, Version 0.10.18 (Stable)

  • uv: Upgrade to v0.10.15
  • stream: Don't crash on unset _events property (isaacs)
  • stream: Pass 'buffer' encoding with decoded writable chunks (isaacs)

2013.08.21, Version 0.10.17 (Stable)

  • uv: Upgrade v0.10.14
  • http_parser: Do not accept PUN/GEM methods as PUT/GET (Chris Dickinson)
  • tls: fix assertion when ssl is destroyed at read (Fedor Indutny)
  • stream: Throw on 'error' if listeners removed (isaacs)
  • dgram: fix assertion on bad send() arguments (Ben Noordhuis)
  • readline: pause stdin before turning off terminal raw mode (Daniel Chatfield)

2013.08.16, Version 0.10.16 (Stable)

  • v8: back-port fix for CVE-2013-2882
  • npm: Upgrade to 1.3.8
  • crypto: fix assert() on malformed hex input (Ben Noordhuis)
  • crypto: fix memory leak in randomBytes() error path (Ben Noordhuis)
  • events: fix memory leak, don't leak event names (Ben Noordhuis)
  • http: Handle hex/base64 encodings properly (isaacs)
  • http: improve chunked res.write(buf) performance (Ben Noordhuis)
  • stream: Fix double pipe error emit (Eran Hammer)

2013.07.25, Version 0.10.15 (Stable)

  • src: fix process.getuid() return value (Ben Noordhuis)

2013.07.25, Version 0.10.14 (Stable)

  • uv: Upgrade to v0.10.13
  • npm: Upgrade to v1.3.5
  • os: Don't report negative times in cpu info (Ben Noordhuis)
  • fs: Handle large UID and GID (Ben Noordhuis)
  • url: Fix edge-case when protocol is non-lowercase (Shuan Wang)
  • doc: Streams API Doc Rewrite (isaacs)
  • node: call MakeDomainCallback in all domain cases (Trevor Norris)
  • crypto: fix memory leak in LoadPKCS12 (Fedor Indutny)

2013.07.09, Version 0.10.13 (Stable)

  • uv: Upgrade to v0.10.12
  • npm: Upgrade to 1.3.2
  • windows: get proper errno (Ben Noordhuis)
  • tls: only wait for finish if we haven't seen it (Timothy J Fontaine)
  • http: Dump response when request is aborted (isaacs)
  • http: use an unref'd timer to fix delay in exit (Peter Rust)
  • zlib: level can be negative (Brian White)
  • zlib: allow zero values for level and strategy (Brian White)
  • buffer: add comment explaining buffer alignment (Ben Noordhuis)
  • string_bytes: properly detect 64bit (Timothy J Fontaine)
  • src: fix memory leak in UsingDomains() (Ben Noordhuis)

2013.06.18, Version 0.10.12 (Stable)

  • npm: Upgrade to 1.2.32
  • readline: make ctrl + L clear the screen (Yuan Chuan)
  • v8: add setVariableValue debugger command (Ben Noordhuis)
  • net: Do not destroy socket mid-write (isaacs)
  • v8: fix build for mips32r2 architecture (Andrei Sedoi)
  • configure: fix cross-compilation host_arch_cc() (Andrei Sedoi)

2013.06.13, Version 0.10.11 (Stable)

  • uv: upgrade to 0.10.11
  • npm: Upgrade to 1.2.30
  • openssl: add missing configuration pieces for MIPS (Andrei Sedoi)
  • Revert "http: remove bodyHead from 'upgrade' events" (isaacs)
  • v8: fix pointer arithmetic undefined behavior (Trevor Norris)
  • crypto: fix utf8/utf-8 encoding check (Ben Noordhuis)
  • net: Fix busy loop on POLLERR|POLLHUP on older linux kernels (Ben Noordhuis, isaacs)

2013.06.04, Version 0.10.10 (Stable)

  • uv: Upgrade to 0.10.10
  • npm: Upgrade to 1.2.25
  • url: Properly parse certain oddly formed urls (isaacs)
  • stream: unshift('') is a noop (isaacs)

2013.05.30, Version 0.10.9 (Stable)

  • npm: Upgrade to 1.2.24
  • uv: Upgrade to v0.10.9
  • repl: fix JSON.parse error check (Brian White)
  • tls: proper .destroySoon (Fedor Indutny)
  • tls: invoke write cb only after opposite read end (Fedor Indutny)
  • tls: ignore .shutdown() syscall error (Fedor Indutny)

2013.05.24, Version 0.10.8 (Stable)

  • v8: update to
  • uv: upgrade to 0.10.8
  • npm: Upgrade to 1.2.23
  • http: remove bodyHead from 'upgrade' events (Nathan Zadoks)
  • http: Return true on empty writes, not false (isaacs)
  • http: save roundtrips, convert buffers to strings (Ben Noordhuis)
  • configure: respect the --dest-os flag consistently (Nathan Rajlich)
  • buffer: throw when writing beyond buffer (Trevor Norris)
  • crypto: Clear error after DiffieHellman key errors (isaacs)
  • string_bytes: strip padding from base64 strings (Trevor Norris)

2013.05.17, Version 0.10.7 (Stable)

  • uv: upgrade to v0.10.7
  • npm: Upgrade to 1.2.21
  • crypto: Don't ignore verify encoding argument (isaacs)
  • buffer, crypto: fix default encoding regression (Ben Noordhuis)
  • timers: fix setInterval() assert (Ben Noordhuis)

2013.05.14, Version 0.10.6 (Stable)

  • module: Deprecate require.extensions (isaacs)
  • stream: make Readable.wrap support objectMode, empty streams (Daniel Moore)
  • child_process: fix handle delivery (Ben Noordhuis)
  • crypto: Fix performance regression (isaacs)
  • src: DRY string encoding/decoding (isaacs)

2013.04.23, Version 0.10.5 (Stable)

  • uv: Upgrade to 0.10.5 (isaacs)
  • build: added support for Visual Studio 2012 (Miroslav Bajtoš)
  • http: Don't try to destroy nonexistent sockets (isaacs)
  • crypto: LazyTransform on properties, not methods (isaacs)
  • assert: put info in err.message, not (Ryan Doenges)
  • dgram: fix no address bind() (Ben Noordhuis)
  • handle_wrap: fix NULL pointer dereference (Ben Noordhuis)
  • os: fix unlikely buffer overflow in os.type() (Ben Noordhuis)
  • stream: Fix unshift() race conditions (isaacs)

2013.04.11, Version 0.10.4 (Stable)

  • uv: Upgrade to 0.10.4
  • npm: Upgrade to 1.2.18
  • v8: Avoid excessive memory growth in JSON.parse (Fedor Indutny)
  • child_process, cluster: fix O(n*m) scan of cmd string (Ben Noordhuis)
  • net: fix socket.bytesWritten Buffers support (Fedor Indutny)
  • buffer: fix offset checks (Łukasz Walukiewicz)
  • stream: call write cb before finish event (isaacs)
  • http: Support write(data, 'hex') (isaacs)
  • crypto: dh secret should be left-padded (Fedor Indutny)
  • process: expose NODE_MODULE_VERSION in process.versions (Rod Vagg)
  • crypto: fix constructor call in crypto streams (Andreas Madsen)
  • net: account for encoding in .byteLength (Fedor Indutny)
  • net: fix buffer iteration in bytesWritten (Fedor Indutny)
  • crypto: zero is not an error if writing 0 bytes (Fedor Indutny)
  • tls: Re-enable check of CN-ID in cert verification (Tobias Müllerleile)

2013.04.03, Version 0.10.3 (Stable)

  • npm: Upgrade to 1.2.17
  • child_process: acknowledge sent handles (Fedor Indutny)
  • etw: update prototypes to match dtrace provider (Timothy J Fontaine)
  • dtrace: pass more arguments to probes (Dave Pacheco)
  • build: allow building with dtrace on osx (Dave Pacheco)
  • http: Remove legacy ECONNRESET workaround code (isaacs)
  • http: Ensure socket cleanup on client response end (isaacs)
  • tls: Destroy socket when encrypted side closes (isaacs)
  • repl: isSyntaxError() catches "strict mode" errors (Nathan Rajlich)
  • crypto: Pass options to ctor calls (isaacs)
  • src: tie process.versions.uv to uv_version_string() (Ben Noordhuis)

2013.03.28, Version 0.10.2 (Stable)

  • npm: Upgrade to 1.2.15
  • uv: Upgrade to 0.10.3
  • tls: handle SSL_ERROR_ZERO_RETURN (Fedor Indutny)
  • tls: handle errors before calling C++ methods (Fedor Indutny)
  • tls: remove harmful unnecessary bounds checking (Marcel Laverdet)
  • crypto: make getCiphers() return non-SSL ciphers (Ben Noordhuis)
  • crypto: check randomBytes() size argument (Ben Noordhuis)
  • timers: do not calculate Timeout._when property (Alexey Kupershtokh)
  • timers: fix off-by-one ms error (Alexey Kupershtokh)
  • timers: handle signed int32 overflow in enroll() (Fedor Indutny)
  • stream: Fix stall in Transform under very specific conditions (Gil Pedersen)
  • stream: Handle late 'readable' event listeners (isaacs)
  • stream: Fix early end in Writables on zero-length writes (isaacs)
  • domain: fix domain callback from MakeCallback (Trevor Norris)
  • child_process: don't emit same handle twice (Ben Noordhuis)
  • child_process: fix sending utf-8 to child process (Ben Noordhuis)

2013.03.21, Version 0.10.1 (Stable)

  • npm: upgrade to 1.2.15
  • crypto: Improve performance of non-stream APIs (Fedor Indutny)
  • tls: always reset this.ssl.error after handling (Fedor Indutny)
  • tls: Prevent mid-stream hangs (Fedor Indutny, isaacs)
  • net: improve arbitrary tcp socket support (Ben Noordhuis)
  • net: handle 'finish' event only after 'connect' (Fedor Indutny)
  • http: Don't hot-path end() for large buffers (isaacs)
  • fs: Missing cb errors are deprecated, not a throw (isaacs)
  • fs: make write/appendFileSync correctly set file mode (Raymond Feng)
  • stream: Return self from readable.wrap (isaacs)
  • stream: Never call decoder.end() multiple times (Gil Pedersen)
  • windows: enable watching signals with process.on('SIGXYZ') (Bert Belder)
  • node: revert removal of MakeCallback (Trevor Norris)
  • node: Unwrap without aborting in handle fd getter (isaacs)

2013.03.11, Version 0.10.0 (Stable)

  • npm: Upgrade to 1.2.14
  • core: Append filename properly in dlopen on windows (isaacs)
  • zlib: Manage flush flags appropriately (isaacs)
  • domains: Handle errors thrown in nested error handlers (isaacs)
  • buffer: Strip high bits when converting to ascii (Ben Noordhuis)
  • win/msi: Enable modify and repair (Bert Belder)
  • win/msi: Add feature selection for various node parts (Bert Belder)
  • win/msi: use consistent registry key paths (Bert Belder)
  • child_process: support sending dgram socket (Andreas Madsen)
  • fs: Raise EISDIR on Windows when calling on a dir (isaacs)
  • unix: fix strict aliasing warnings, macro-ify functions (Ben Noordhuis)
  • unix: honor UV_THREADPOOL_SIZE environment var (Ben Noordhuis)
  • win/tty: fix typo in color attributes enumeration (Bert Belder)
  • win/tty: don't touch insert mode or quick edit mode (Bert Belder)