Skip to content
Permalink
Branch: master
Commits on Jun 12, 2018
  1. 2018-06-12, Version 10.4.1 (Current)

    evanlucas committed Jun 12, 2018
    Notable changes:
    
    * **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced
        in 9.7.0 that increases the memory consumed when reading from the network
        into JavaScript using the net.Socket object directly as a stream.
    * **http2**
      * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
        http2 implementation to not crash under certain circumstances during cleanup
      * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
        nghttp2 to 1.32.0
    * **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating
        the TLS implementation to not crash upon receiving
    * **n-api**: Prevent use-after-free in napi_delete_async_work
    
    PR-URL: nodejs-private/node-private#136
  2. 2018-06-12, Version 9.11.2 (Maintenance)

    evanlucas committed Jun 12, 2018
    Notable changes:
    
    * **Fixes memory exhaustion DoS** (CVE-2018-7164): Fixes a bug introduced
        in 9.7.0 that increases the memory consumed when reading from the network
        into JavaScript using the net.Socket object directly as a stream.
    * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability where
        calling Buffer.fill() could hang
    * **http2**
      * (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
        http2 implementation to not crash under certain circumstances during cleanup
      * (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
        nghttp2 to 1.32.0
    * **tls** (CVE-2018-7162): Fixes Denial of Service vulnerability by updating
        the TLS implementation to not crash upon receiving
    
    PR-URL: nodejs-private/node-private#135
  3. 2018-06-12, Version 8.11.3 (LTS)

    evanlucas committed Jun 11, 2018
    Notable changes:
    
    * **buffer** (CVE-2018-7167): Fixes Denial of Service vulnerability
        where calling Buffer.fill() could hang
    * **http2**
      * (CVE-2018-7161): Fixes Denial of Service vulnerability by
          updating the http2 implementation to not crash under
          certain circumstances during cleanup
      * (CVE-2018-1000168): Fixes Denial of Service vulnerability
          by upgrading nghttp2 to 1.32.0
    
    PR-URL: nodejs-private/node-private#126
  4. 2018-06-12, Version 6.14.3 (LTS)

    evanlucas committed Jun 11, 2018
    Notable changes:
    
    * **buffer** (CVE-2018-7167): Fixes Denial of Service
        vulnerability where calling Buffer.fill() could hang
    
    PR-URL: nodejs-private/node-private#134
Commits on Jun 11, 2018
  1. Revert "src: restore stdio on program exit"

    evanlucas authored and addaleax committed Jun 11, 2018
    This reverts commit c2c9c0c.
    It seems to be causing hangs when piping output to other processes.
    
    PR-URL: #21257
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Commits on Apr 11, 2018
  1. doc: move evanlucas to TSC Emeritus

    evanlucas committed Apr 11, 2018
    I no longer have the time to dedicate to being on the TSC.
    I am still planning to contribute when time permits.
    
    PR-URL: #19953
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Commits on Feb 10, 2018
  1. doc: add error check to fs example

    evanlucas authored and BridgeAR committed Feb 9, 2018
    Previously, the err passed to the callback of fs.open() was not checked.
    
    PR-URL: #18681
    Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
    Reviewed-By: Vse Mozhet Byt <vsemozhetbyt@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Commits on Feb 1, 2018
  1. 2018-01-31, Version 9.5.0 (Current)

    evanlucas committed Jan 30, 2018
    Notable changes:
    
    * cluster
      - add cwd to cluster.settings (cjihrig) [#18399](#18399)
    * deps
      - upgrade libuv to 1.19.1 (cjihrig) [#18260](#18260)
    * meta
      - add Leko to collaborators (Leko) [#18117](#18117)
      - add vdeturckheim as collaborator (vdeturckheim) [#18432](#18432)
    * n-api
      - expose n-api version in process.versions (Michael Dawson) [#18067](#18067)
    * perf_hooks
      - add performance.clear() (James M Snell) [#18046](#18046)
    * stream
      - avoid writeAfterEnd() while ending (陈刚) [#18170](#18170)
    
    PR-URL: #18464
Commits on Jan 5, 2018
  1. http: remove duplicate export

    evanlucas committed Jan 4, 2018
    5425e0d switched to using
    the module.exports pattern vs just exports, but left
    a duplicate export around for OutgoingMessage.
    
    PR-URL: #17982
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jon Moss <me@jonathanmoss.me>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Yuta Hiroto <hello@about-hiroppy.com>
Commits on Dec 21, 2017
  1. doc: improve fs api descriptions

    evanlucas authored and maclover7 committed Dec 14, 2017
    This improves the api descriptions for fs.chown, fs.chmod, and fs.mkdir
    along with their *Sync counterparts.
    
    PR-URL: #17679
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Jon Moss <me@jonathanmoss.me>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Dec 18, 2017
  1. doc: improve release guide

    evanlucas committed Dec 14, 2017
    Specify that $VERSION should include the `v` when replacing
    REPLACEME in documentation.
    
    PR-URL: #17677
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Commits on Dec 13, 2017
  1. process: fix coverage generation

    evanlucas authored and addaleax committed Dec 13, 2017
    e8a26e7 added `process` to the
    internal module wrapper. This broke the utility used to write
    coverage information due to a SyntaxError that `process` had
    already been declared.
    
    PR-URL: #17651
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Timothy Gu <timothygu99@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jon Moss <me@jonathanmoss.me>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Commits on Dec 8, 2017
  1. 2017-12-08 Version 9.2.1 (Current)

    evanlucas authored and MylesBorins committed Dec 7, 2017
    Notable changes:
    
    * **buffer**:
      * buffer allocated with an invalid content will now be zero filled (Anna Henningsen) #17428
    * **deps**:
      * openssl updated to 1.0.2n (Shigeki Ohtsu) #17526
    
    PR-URL: #17531
Commits on Nov 30, 2017
  1. src: fix typo in NODE_OPTIONS whitelist

    evanlucas committed Nov 28, 2017
    The whitelist of allowed cli flags that can be passed in the
    NODE_OPTIONS environment variable had --trace-events-categories,
    but the cli flag is actually --trace-event-categories.
    
    PR-URL: #17369
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Richard Lau <riclau@uk.ibm.com>
    Reviewed-By: Jon Moss <me@jonathanmoss.me>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Commits on Nov 14, 2017
  1. 2017-11-14, Version 9.2.0 (Current)

    evanlucas committed Nov 13, 2017
    Notable changes:
    
    * **crypto**:
      - Support building with both 1.1.0 and 1.0.2 (David Benjamin) #16130
    * **fs**:
      - fs.realpathSync.native and fs.realpath.native are now exposed (Ben Noordhuis) #15776
    * **process**:
      - expose process.ppid (cjihrig) #16839
    
    PR-URL: #16992
Commits on Nov 2, 2017
  1. src: pass context to Get() operations for cares_wrap

    evanlucas authored and jasnell committed Oct 31, 2017
    Using Get() without the context argument will soon be deprecated.
    This also passed context to Int32Value() operations as well.
    
    PR-URL: #16641
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Oct 18, 2017
  1. build: add c++ coverage support on macOS

    evanlucas committed Oct 9, 2017
    macOS requires passing the --coverage flag in OTHER_LDFLAGS and
    OTHER_CFLAGS in xcode_settings.
    
    PR-URL: #16163
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Khaidi Chu <i@2333.moe>
    Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Commits on Oct 15, 2017
  1. test: improve coverage for process.umask

    evanlucas authored and lance committed Oct 13, 2017
    This ensures that process.umask() throws with the correct error when
    invalid inputs are supplied.
    
    PR-URL: #16188
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Tobias Nießen <tniessen@tnie.de>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
    Reviewed-By: Yuta Hiroto <hello@about-hiroppy.com>
    Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Commits on Sep 14, 2017
  1. src: fix typo in probe description

    evanlucas authored and jasnell committed Sep 13, 2017
    This fixes a typo in a probe description added in
    dc1996d.
    
    PR-URL: #15397
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Commits on Aug 14, 2017
  1. http2: fix [kInspect]() output for Http2Stream

    evanlucas committed Aug 10, 2017
    This fixes a typo in the util.inspect output of Http2Stream. It
    previously had writeableSate instead of writableState.
    
    PR-URL: #14753
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Timothy Gu <timothygu99@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Commits on Jul 19, 2017
  1. build: codesign tarball binary on macOS

    evanlucas committed Jul 12, 2017
    Previously, we were signing the binary that was released in the .pkg,
    but not the binary released in the tarball.
    
    PR-URL: #14179
    Fixes: #11936
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
  2. build,tools: do not force codesign prefix

    evanlucas committed Jul 12, 2017
    Allow passing the prefix in via the PKGDIR env var. This will allow us
    to use this same script to codesign the binary tarball.
    
    PR-URL: #14179
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
Commits on Jul 13, 2017
  1. test: decrease duration of test-cli-syntax

    evanlucas authored and mhdawson committed Jul 12, 2017
    Previously, test/parallel/test-cli-syntax.js was spawning a lot of child
    processes, but using spawnSync, which made the test run each child
    process serially. This switches most of the test cases to use exec so
    that they are asynchronous. Locally, the test went from > 5 seconds to
    under 2 seconds.
    
    PR-URL: #14187
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
    Reviewed-By: Rich Trott <rtrott@gmail.com>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
Commits on Jul 11, 2017
  1. test: add get/set effective uid/gid tests

    evanlucas committed Jul 5, 2017
    3c92ca2 should have had tests
    to go along with it. This adds tests for the following functions:
    
    * `process.geteuid()`
    * `process.seteuid()`
    * `process.getegid()`
    * `process.setegid()`
    
    PR-URL: #14091
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Claudio Rodriguez <cjrodr@yahoo.com>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
  2. 2017-07-11, Version 8.1.4 (Current)

    evanlucas committed Jul 10, 2017
    This is a security release. All Node.js users should consult the
    security release summary at
    https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
    for details on patched vulnerabilities.
    
    Notable changes
    
    * **build**:
      - Disable V8 snapshots - The hashseed embedded in the snapshot is
        currently the same for all runs of the binary. This opens node up to
    collision attacks which could result in a Denial of Service. We have
    temporarily disabled snapshots until a more robust solution is found
    (Ali Ijaz Sheikh)
    * **deps**:
      - CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
        which is used for parsing NAPTR responses, could be triggered to
    read memory outside of the given input buffer if the passed in DNS
    response packet was crafted in a particular way. This patch checks that
    there is enough data for the required elements of an NAPTR record (2
    int16, 3 bytes for string lengths) before processing a record. (David
    Drysdale)
    
    PR-URL: nodejs-private/node-private#91
  3. 2017-07-11, Version 7.10.1 (Current)

    evanlucas committed Jul 10, 2017
    This is a security release. All Node.js users should consult the
    security release summary at
    https://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
    for details on patched vulnerabilities.
    
    * **build**:
      - Disable V8 snapshots - The hashseed embedded in the snapshot is
        currently the same for all runs of the binary. This opens node up to
    collision attacks which could result in a Denial of Service. We have
    temporarily disabled snapshots until a more robust solution is found
    (Ali Ijaz Sheikh)
    * **deps**:
      - CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(),
        which is used for parsing NAPTR responses, could be triggered to
    read memory outside of the given input buffer if the passed in DNS
    response packet was crafted in a particular way. This patch checks that
    there is enough data for the required elements of an NAPTR record (2
    int16, 3 bytes for string lengths) before processing a record. (David
    Drysdale)
    
    PR-URL: nodejs-private/node-private#92
Commits on Jul 7, 2017
  1. build: allow enabling the --trace-maps flag in V8

    evanlucas committed Jul 1, 2017
    This can be useful for tracing map creation.
    
    PR-URL: #14018
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Refael Ackermann <refack@gmail.com>
Commits on May 23, 2017
  1. test: add regression test for immediate socket errors

    evanlucas committed May 11, 2017
    This test ensures that a http client request with the default agent
    that has a socket that is immediately destroyed can still be caught by
    adding an error event listener to the request object.
    
    PR-URL: #12854
    Fixes: #12841
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
  2. Revert "net: remove unnecessary process.nextTick()"

    evanlucas committed May 5, 2017
    This reverts commit 571882c.
    
    Removing the process.nextTick() call can prevent the consumer
    from being able to catch error events.
    
    PR-URL: #12854
    Fixes: #12841
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Commits on May 3, 2017
  1. 2017-05-02, Version 7.10.0 (Current)

    evanlucas committed May 1, 2017
    Notable changes:
    
    * **crypto**:
      - add randomFill and randomFillSync (Evan Lucas)
        #10209
    * **meta**: Added new collaborators
      - add lucamaraschi to collaborators (Luca Maraschi)
        #12538
      - add DavidCai1993 to collaborators (David Cai)
        #12435
      - add jkrems to collaborators (Jan Krems)
        #12427
      - add AnnaMag to collaborators (AnnaMag)
        #12414
    * **process**:
      - fix crash when Promise rejection is a Symbol (Cameron Little)
        #11640
    * **url**:
      - make WHATWG URL more spec compliant (Timothy Gu)
        #12507
    * **v8**:
      - fix stack overflow in recursive method (Ben Noordhuis)
        #12460
      - fix build errors with g++ 7 (Ben Noordhuis)
        #12392
    
    PR-URL: #12775
Commits on Apr 17, 2017
  1. crypto: add randomFill and randomFillSync

    evanlucas committed Dec 9, 2016
    crypto.randomFill and crypto.randomFillSync are similar to
    crypto.randomBytes, but allow passing in a buffer as the first
    argument. This allows us to reuse buffers to prevent having to
    create a new one on every call.
    
    PR-URL: #10209
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
Commits on Apr 16, 2017
  1. doc: add guide for backporting prs

    evanlucas authored and gibfahn committed Feb 1, 2017
    This guide should help answer questions for contributors
    that are not familiar with the backport process.
    
    PR-URL: #11099
    Reviewed-By: Anna Henningsen <anna@addaleax.net>
    Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Myles Borins <myles.borins@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Commits on Apr 13, 2017
  1. doc: limit lines to 80 cols in internal README

    evanlucas authored and jasnell committed Apr 12, 2017
    We generally stick to 80 columns even in markdown files.
    
    PR-URL: #12358
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Michaël Zasso <targos@protonmail.com>
    Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: Alexey Orlenko <eaglexrlnk@gmail.com>
    Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Commits on Mar 14, 2017
  1. doc: add missing changelog heading for 7.7.2

    evanlucas authored and italoacasas committed Mar 13, 2017
    When the release was cut, the changelog heading in CHANGELOG_V7
    was accidentally omitted.
    
    PR-URL: #11823
    Fixes: #11822
    Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
    Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
    Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
    Reviewed-By: James M Snell <jasnell@gmail.com>
    Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com>
Commits on Mar 8, 2017
  1. 2017-03-08, Version 7.7.2 (Current)

    evanlucas committed Mar 8, 2017
    Notable changes:
    
    * doc: add `Daijiro Wachi` to collaborators (Daijiro Wachi) #11676
    * tty: add ref() so process.stdin.ref() etc. work (Ben Schmidt) #7360
    * util: fix inspecting symbol key in string (Ali BARIN) #11672
    
    PR-URL: #11745
Older
You can’t perform that action at this time.