2018-08-15, Version 10.9.0 (Current), @rvagg

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2018-0732 (OpenSSL)
• CVE-2018-7166 (Node.js)
• CVE-2018-12115 (Node.js)

Notable Changes

• buffer:
  • Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  • Fix unintentional exposure of uninitialized memory in Buffer.alloc() (CVE-2018-7166)
• deps:
  • Upgrade to OpenSSL 1.1.0i, fixing:
    • Client DoS due to large DH parameter (CVE-2018-0732)
    • ECDSA key extraction via local side-channel (CVE not assigned)
  • Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
    • Memory reduction and performance improvements, details at: https://v8project.blogspot.com/2018/06/v8-release-68.html
• http: http.get() and http.request() (and https variants) can now accept three arguments to allow for a URL and an options object (Sam Ruby) #21616
• Added new collaborators
  • Sam Ruby (https://github.com/rubys)
  • George Adams (https://github.com/gdams)

Commits

• [58a9ae118e] - assert: fix loose assert with map and set (Ruben Bridgewater) #22145
• [1c577016b8] - benchmark: improve assert benchmarks (Ruben Bridgewater) #22211
• [734323d9eb] - buffer: stop alloc() uninitialized memory return (cjihrig) nodejs-private/node-private#137
• [2c4c17b708] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138
• [6622ac798d] - buffer: use FastBuffer when fill is set to 0 (Сковорода Никита Андреевич) #21989
• [f506a5f46e] - build: make --shared-[...]-path work on Windows (Jeremy Apthorp) #21530
• [1be6fb93c8] - build: add CONFIG_FLAGS to with-code-cache target (Daniel Bevenius) [#22207](https
  ://github.com//pull/22207)
• [4520bb8a73] - build: make tools/doc/node_modules non-phony (Daniel Bevenius) #22189
• [c42ff4ebd8] - build: add crypto check to build targets (Daniel Bevenius) #22148
• [cdb8c1b44d] - build: extract common parts from addon .buildstamp (Daniel Bevenius) #22171
• [1e7a8c3016] - build: reset embedder string to "-node.0" (Michaël Zasso) #21079
• [86ab2c041e] - crypto: remove unused SSLWrap handle methods (Jon Moss) #22216
• [9212875406] - crypto: simplify state failure handling (Tobias Nießen) #22131
• [916a1d59f0] - crypto: simplify Hmac::HmacUpdate (Tobias Nießen) #22132
• [2dc7f17e8b] - (SEMVER-MINOR) crypto: add better scrypt option aliases (Anna Henningsen) #21525
• [fcf422e921] - deps: backport c608122b from upstream (Ruben Bridgewater) #22210
• [a07ccaeb19] - deps: update archs files for OpenSSL-1.1.0i (Shigeki Ohtsu) #22318
• [473996c90f] - deps: add s390 asm rules for OpenSSL-1.1.0 (Shigeki Ohtsu) #19794
• [05e48fd018] - deps: upgrade openssl sources to 1.1.0i (Shigeki Ohtsu) #22318
• [f8bc5d6320] - deps: cherry-pick 09bca09 from upstream V8 (Matheus Marchini) #22068
• [c69fdc9d5f] - (SEMVER-MINOR) deps: remove thread_local to fix V8 compilation (Peter Marshall) #21668
• [981fff714e] - deps: refactor v8.gyp (Michaël Zasso) #22017
• [5fa3ffad20] - (SEMVER-MINOR) deps: patch the V8 API to be backwards compatible with 6.7 (Peter Marshall) #21668
• [6eed40acbb] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #21855
• [7eccaf86d6] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #21899
• [328c89925a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #21838
• [afacfd2992] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #21838
• [4f24256274] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #21741
• [7b4272a14d] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #21644
• [a0bf7aa07c] - deps: cherry-pick 70c4340 from upstream V8 (Matheus Marchini) #21126
• [4994ac65b0] - deps: cherry-pick acc336c from upstream V8 (Matheus Marchini) #21126
• [be569f82f1] - deps: cherry-pick b20faff from upstream V8 (Matheus Marchini) #21126
• [6df5feb13f] - deps: cherry-pick aa6ce3e from upstream V8 (Michaël Zasso) #21079
• [8b9a956f9e] - deps: cherry-pick 5dd3395 from upstream V8 (Matheus Marchini) #21386
• [548008a6f6] - deps: update v8.gyp and run Torque (Michaël Zasso) #21079
• [9c74271a96] - deps: update V8 to 6.8.275.24 (Michaël Zasso) #21079
• [a3f3c40966] - doc: simplify urlObject.hash text (Rich Trott) #22326
• [d2848697dc] - doc: simplify urlObject.hash description (Rich Trott) #22326
• [6d29986f4d] - doc: simplify format description of urlObject.auth (Rich Trott) #22324
• [a658a4df34] - doc: remove redundant explanation of format (Rich Trott) #22324
• [3236697c0b] - doc: use italics for words-as-words (Rich Trott) #22324
• [da76b61f59] - doc: bump ICU version to avoid confusion (Csaba Palfi) #22313
• [e04b0532bf] - doc: document 'inherit' option for stdio (non-shorthand) (James Bromwell) #22309
• [882c2c017a] - doc: clarify http2 docs around class exports (James M Snell) #22247
• [dd96ba5b89] - doc: add multiple issue templates for GitHub (Tobias Nießen) #22215
• [d95a22c304] - doc: declare al...

2018-08-15, Version 8.11.4 'Carbon' (LTS), @rvagg

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2018-0732 (OpenSSL)
• CVE-2018-12115 (Node.js)

Notable Changes

• buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
• deps: Upgrade to OpenSSL 1.0.2p, fixing:
  • Client DoS due to large DH parameter (CVE-2018-0732)
  • ECDSA key extraction via local side-channel (CVE not assigned)

Commits

• [fc14d812b7] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138
• [8f59838ae7] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) #1836
• [97607f8622] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) #1389
• [46e4917d98] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) #1389
• [1b93677a81] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #22320
• [ebf399473b] - deps: upgrade openssl sources to 1.0.2p (Shigeki Ohtsu) #22320
• [131c5ed438] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) #1389
• [3139897ff5] - test: fix error messages for OpenSSL-1.0.2p (Shigeki Ohtsu) #22320
• [0c047c4d9a] - test: update certificates and private keys (Fedor Indutny) #22184
• [7c6d0f604b] - test: update keys/Makefile to clean and build all (Daniel Bevenius) #19975

2018-08-15, Version 6.14.4 'Boron' (LTS), @rvagg

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

• CVE-2018-0732 (OpenSSL)
• CVE-2018-12115 (Node.js)

Notable Changes

• buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
• deps: Upgrade to OpenSSL 1.0.2p, fixing:
  • Client DoS due to large DH parameter (CVE-2018-0732)
  • ECDSA key extraction via local side-channel (CVE not assigned)

Commits

• [0052926476] - buffer: avoid overrun on UCS-2 string write (Rod Vagg) nodejs-private/node-private#138
• [dbe6551b89] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) #1836
• [7829bbcacb] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) #1389
• [cddca629b5] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) #1389
• [e6014aed52] - deps: copy all openssl header files to include dir (Shigeki Ohtsu) #22320
• [37ddce514d] - deps: upgrade openssl sources to 1.0.2p (Shigeki Ohtsu) #22320
• [08a150fcca] - inspector: don't bind to 0.0.0.0 by default (Ben Noordhuis) #21376
• [19b9d7fd77] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) #1389
• [7ccb0422fc] - test: fix error messages for OpenSSL-1.0.2p (Shigeki Ohtsu) #22320
• [58b9497ca8] - test: update certificates and private keys (Fedor Indutny) #22184
• [9863e11ea8] - test: update keys/Makefile to clean and build all (Daniel Bevenius) #19975

2018-08-01, Version 10.8.0 (Current), @targos

Notable Changes

• deps:
  • Upgrade npm to 6.2.0. #21592
    • npm has moved. This release updates various URLs to point to the right
      places for bugs, support, and PRs.
    • Fix the regular expression matching in xcode_emulation in node-gyp to
      also handle version numbers with multiple-digit major versions which would
      otherwise break under use of XCode 10.
    • The npm tree has been significantly flattened. Tarball size for the npm
      package has gone from 8MB to 4.8MB.
    • Changelogs:
      6.2.0-next.0,
      6.2.0-next.1,
      6.2.0.

Commits

• [335575e49b] - benchmark: remove arrays benchmark (Peter Marshall) #21831
• [62024b651e] - build: create V8 code cache after script is run (Joyee Cheung) #21567
• [50ccda2a00] - build: increase macOS minimum supported version (Michaël Zasso) #21883
• [5e1ceaabaa] - build: remove redundant Makefile target (Rich Trott) #21915
• [4f00562ef0] - build: add new benchmark targets (Kenny Yuan) #20905
• [4c5fc5c7ce] - build: move to npm ci where possible (Rich Trott) #21802
• [e0f3d5703a] - build,win,v8: allow precompiling objects-inl.h (João Reis) #21772
• [87ed6e6351] - (SEMVER-MINOR) deps: upgrade npm to 6.2.0 (Kat Marchán) #21592
• [f868415cf6] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #21855
• [b56c8ad879] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #21899
• [ec0ff7008a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #21838
• [c23e8b51ea] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #21838
• [40fedd3620] - dgram: add getters/setters for private APIs (cjihrig) #21923
• [98ef8cfb8e] - dgram: make _createSocketHandle() internal only (cjihrig) #21923
• [ae17d18013] - dgram: hide underscored Socket properties (cjihrig) #21923
• [b5b74382e0] - dgram: hide _healthCheck() and _stopReceiving() (cjihrig) #21923
• [b5ae33959b] - doc: add pronouns to readme (Teddy Katz) #22036
• [f4b6031e39] - doc: clarify text about internal module changes (MaleDong) #22024
• [1f9570bd10] - doc: add missing worker error (Benjamin Gruenbaum) #21947
• [67d7a15886] - doc: fix typo in releases.md (Vitor Bruno de Oliveira Barth) #21990
• [2a0fa4792e] - doc: do not advise to cancel full CI on onboarding (Vse Mozhet Byt) #21977
• [478dbee8fe] - doc: replace deprecated CI job (Vse Mozhet Byt) #21938
• [5b0c451e61] - doc: add guide for updating N-API API surface (Hitesh Kanwathirtha) #21877
• [96bb6052e9] - doc: add node-test-commit-custom-suites to docs (Rich Trott) #21927
• [c44df51249] - doc: link n-api module init to multi-load addons (Gabriel Schulhof) #21891
• [c3d9000111] - doc: document http2 network error behaviour (Anna Henningsen) #21861
• [e8d5787840] - doc: document MODULE_NOT_FOUND error (Jacob Page) #21894
• [5e562fd792] - doc: fix sorting in the vm.Module section (Vse Mozhet Byt) #21931
• [eabe907e03] - doc: fix descriptions of sync methods in fs.md (Tim Ruffles) #21747
• [bd352f0298] - doc: update and improve the release guide (Michaël Zasso) #21868
• [fd5a0c7a1f] - doc: fix incorrect method name (Anto Aravinth) #21908
• [af1530e06d] - doc: add cjihrig pronouns (cjihrig) #21901
• [4d78a21d8c] - doc: add missing require to example in http2.md (Kevin Simper) #21858
• [ab0da57150] - doc: make minor improvements to collab guide (Rich Trott) #21862
• [b510cdc756] - doc: fix worker example to receive message (Sakthipriyan Vairamani (thefourtheye)) #21486
• [d91742aa9a] - fs: reduce memory retention when streaming small files (Anna Henningsen) #21968
• [484140e223] - fs: stop lazy loading stream constructors (Michaël Zasso) #21776
• [8799f43fb0] - http: revert "http: always emit close on req and res" (Michaël Zasso) #21809
• [a5928712c9] - http: name anonymous function in _http_common.js (Petras) #21755
• [337b2df82f] - http2: release request()'s "connect" event listener after it runs (James Ide) #21916
• [1e15581823] - http2: remove unused nghttp2 error list (Anna Henningsen) #21827
• [baf3027c77] - lib: remove usc-2 encoding (Brian White) #21964
• [9817e405ee] - (SEMVER-MINOR) lib,src: replace all C++ promises with JS promises (Ruben Bridgewater) #20830
• [45816c50ac] - n-api: guard against cond null dereference (Gabriel Schulhof) #21871
• [2548f75a92] - src: use UTF-8 for naming interfaces in unix (Ujjwal Sharma) #21926
• [6b6a26bb8d] - src: use kInternalized instead of kNormal (Ujjwal Sharma) #21926
• [2c95b96e8e] - src: remove calls to deprecated v8 functions (NewFromUtf8) (Ujjwal Sharma) #21926
• [e0336b2891] - src: fix may be uninitialized warning in n-api (Michael Dawson) #21898
• [2f3a28dbf2] - src: use available ReqWrap instance for libuv req (Jon Moss) [#21980](https://github...

2018-07-18, Version 10.7.0 (Current), @targos

Notable Changes

• console:
  • The console.timeLog() method has been implemented. #21312
• deps:
  • Upgrade to libuv 1.22.0. #21731
  • Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1). #21728
• http:
  • Added support for passing both timeout and agent options to
    http.request. #21204
• inspector:
  • Expose the original console API in require('inspector').console. #21659
• napi:
  • Added experimental support for functions dealing with bigint numbers. #21226
• process:
  • The process.hrtime.bigint() method has been implemented. #21256
  • Added the --title command line argument to set the process title on
    startup. #21477
• trace_events:
  • Added process_name metadata. #21477
• Added new collaborators
  • codebytere - Shelley Vohr

Commits

• [8c97ffb2f5] - assert: improve simple assert (Ruben Bridgewater) #21626
• [9776f1cbef] - benchmark: add n-api function args benchmark (Kenny Yuan) #21555
• [576f1ea978] - buffer: remove superfluous assignment (Tobias Nießen) #21844
• [6bb2b5a51d] - build: account for pure C sources in build-addons-napi (Anna Henningsen) #21797
• [c02fb88936] - build: enabling lto at configure (Octavian Soldea) #21677
• [2a0862cec9] - console: fix timeEnd() not coercing the input (Ruben Bridgewater) #21779
• [f3c397cd21] - (SEMVER-MINOR) console: implement timeLog method (Michaël Zasso) #21312
• [73cafd853c] - console,util: avoid pair array generation in C++ (Anna Henningsen) #20831
• [d9825c7a16] - crypto: prevent Sign::SignFinal from crashing (Tobias Nießen) #21815
• [07cce880bf] - crypto: handle OpenSSL error queue in CipherBase (Tobias Nießen) #21288
• [355c5e3c95] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #21741
• [42d75392c5] - deps: patch V8 to 6.7.288.49 (Myles Borins) #21727
• [6920091488] - deps: upgrade to libuv 1.22.0 (cjihrig) #21731
• [122ae24f62] - deps: icu 62.1 bump (Unicode 11, CLDR 33.1) (Steven R. Loomis) #21728
• [a5233c7e17] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #21644
• [506631a9f9] - doc: fix structure and formatting in inspector.md (Vse Mozhet Byt) #21709
• [53b587a5af] - doc: add documentation for buffer.byteOffset (Andreas Madsen) #21718
• [51dfebf9ac] - doc: fix vm.runInNewContext signature (Michaël Zasso) #21824
• [10f9374ea3] - doc: make markdown input compliant (Sam Ruby) #21780
• [02982998db] - doc: add my pronoun (Ruben Bridgewater) #21813
• [ca8c96035a] - doc: update readme with my pronouns (Lance Ball) #21818
• [d33281b36f] - doc: prevent some redirections (Vse Mozhet Byt) #21811
• [0de0f89d0c] - doc: add "Edit on GitHub" link (Rich Trott) #21703
• [7ab6efdb94] - doc: add policy for landing new npm releases (Myles Borins) #21594
• [3d93273bf7] - doc: add OS X to instead of only macOS (XadillaX) #21033
• [577d24baa4] - doc: fix module.children description (Travis Fischer) #21672
• [cd6601b87a] - doc: fix HTTP res 'finish' description (Sergey Zelenov) #21670
• [51db88b0f1] - doc: fix http2stream.pushStream error doc (Сковорода Никита Андреевич) #21487
• [6e1917a596] - doc: update changelog with 9.x EOL (Сковорода Никита Андреевич) #21612
• [cd77d8782a] - doc: improve documentation of fs sync methods (iwko) #21243
• [1044bafec4] - doc: remove _Node.js style callback_ (Rich Trott) #21701
• [971679328e] - doc: add codebytere as collaborator (Shelley Vohr) #21700
• [034fe19862] - doc: add links to inline HTML table (Rich Trott) #21678
• [04eed2342d] - doc: remove "note that" from fs doc (Rich Trott) #21646
• [c8d5bab022] - doc: fix doc for napi_create_function (Gabriel Schulhof)
• [f7aa22a0eb] - doc: improve guide text for CI runs (Rich Trott) #21645
• [6f8ebc08b9] - doc: unify spelling of backpressure (Thomas Watson) #21630
• [3fffc7e95f] - errors: fix undefined HTTP2 and tls errors (Shailesh Shekhawat) #21564
• [b758006c23] - fs: fix fsPromises.lchmod error on non-Mac (Masashi Hirano) #21435
• [4fa7150962] - fs: support pseudofiles in promises.readFile (Timothy Gu) #21497
• [bba500d0ea] - (SEMVER-MINOR) http: fix request with option timeout and agent (killagu) #21204
• [0b3c80ca31] - http2: fix issues with aborted respondWithFile()s (Anna Henningsen) #21561
• [238ef58841] - http2: remove waitTrailers listener after closing a stream (RidgeA) #21764
• [07160cd2fd] - http2: order declarations in core.js (Rich Trott) #21689
• [c88af232c8] - http2: pass incoming set-cookie header as array (Gerhard Stoebich) #21360
• [2922028362] - (SEMVER-MINOR) inspector: expose original console (Matteo Collina) #21659
• [b2291296ef] - inspector: split main thread interface from transport (Eugene Ostroukhov) #21182
• [[4ed4bf3bdd](https://github.com...

2018-07-04, Version 10.6.0 (Current), @targos

Notable Changes

• dns:
  • An experimental promisified version of the dns module is now available. Give
    it a try with require('dns').promises. #21264
• fs:
  • fs.lchown has been undeprecated now that libuv supports it. #21498
• lib:
  • Atomics.wake is being renamed to Atomics.notify in the ECMAScript
    specification (reference).
    Since Node.js now has experimental support for worker threads, we are being
    proactive and added a notify alias, while emitting a warning if
    wake is used. #21413 #21518
• n-api:
  • Add API for asynchronous functions. #17887
• util:
  • util.inspect is now able to return a result instead of throwing when the
    maximum call stack size is exceeded during inspection. #20725
• vm:
  • Add script.createCachedData(). This API replaces the produceCachedData
    option of the Script constructor that is now deprecated. #20300
• worker:
  • Support for relative paths has been added to the Worker constructor. Paths
    are interpreted relative to the current working directory. #21407

Commits

• [a526b4e2c7] - atomis: add notify alias (Gus Caplan) #21413
• [9030e933f4] - benchmark: create napi benchmark directory (Rich Trott) #21046
• [3d3dbae7d8] - build: remove requirement to re-run ./configure (Anna Henningsen) #21371
• [a7505c029a] - build: speed up startup with V8 code cache (Joyee Cheung) #21405
• [7d2fe5d770] - build: improve Travis CI settings (Timothy Gu) #21459
• [225063184d] - build: fail on instrumentation errors (Benjamin Coe) #21071
• [6f80e305d0] - build: build addons in parallel on Windows (Bartosz Sosnowski) #21403
• [42f5ff8346] - build: add crypto check to markdown lint target (Daniel Bevenius) #21326
• [c214403c1a] - build: fix building with --build-v8-with-gn (Yang Guo) #21330
• [76ef7acf6d] - (SEMVER-MINOR) build, win: make LTCG optional (Bartosz Sosnowski) #21186
• [45a83760ec] - crypto: fix UB in computing max message size (Ben Noordhuis) #21462
• [fefa57a7a4] - crypto: remove outdated comment (Timothy Gu) #21511
• [e7776c63da] - crypto: refer to correct deprecation id in comment (Michaël Zasso) #21399
• [b30840da5f] - deps: fix gypi sysroot settings on V8 (Matheus Marchini) #21494
• [a48d98ef04] - deps: float fix on node-gyp in npm tree (Myles Borins) #21448
• [fe6d707bc4] - deps: float 0c27d793 from openssl (ECDSA blinding) (Rod Vagg) #21345
• [f162939c32] - deps: upgrade to libuv 1.21.0 (cjihrig) #21466
• [62ca2cf21c] - deps: cherry-pick 70c4340 from upstream V8 (Matheus Marchini) #21126
• [ab27e0e785] - deps: cherry-pick acc336c from upstream V8 (Matheus Marchini) #21126
• [37a5c8c2ff] - deps: cherry-pick b20faff from upstream V8 (Matheus Marchini) #21126
• [4663d1c22e] - deps: backport aa6ce3e from upstream V8 (Matheus Marchini) #21126
• [5d7218965d] - deps: cherry-pick 5dd3395 from upstream V8 (Matheus Marchini) #21386
• [18179f8ae9] - (SEMVER-MINOR) dns: remove Resolver#cancel() from promises API (cjihrig) #21264
• [aa864ba4a9] - (SEMVER-MINOR) dns: add promisified dns module (cjihrig) #21264
• [1d73ba8322] - doc: fix some links (Vse Mozhet Byt) #21619
• [24bc6ab726] - doc: fix some typos in N-API docs (Vse Mozhet Byt) #21614
• [cadc74d92d] - doc: fix heading level in errors.md (Vse Mozhet Byt) #21618
• [eb6dcf2696] - doc: fix typo in fs.md (Hugo Josefson) #21579
• [e081866f64] - doc: add DataView to appropriate crypto methods (Gerhard Stoebich) #21549
• [51a434f711] - doc: fix some typos in deprecations.md and vm.md (Vse Mozhet Byt) #21569
• [0f1d73761d] - doc: fix function name in process.md (Joonas Rouhiainen) #21523
• [bc28398cbe] - doc: separate unrelated info about child_process.exec() (Charmander) #21516
• [504c0cdd01] - doc: fix code example and formatting in crypto.md (Victor Belozyorov) #21500
• [511d610dca] - doc: updated docs to include --experimental-worker flag (Jo Colina) #21461
• [c050279d23] - doc: add bcoe as collaborator (Benjamin Coe) #21536
• [f5fc412092] - doc: clarify setServers() methods in dns.md (Shivang Saxena) #21469
• [4647f61a94] - doc: Improve doc for Http2 headers object (Gerhard Stoebich) #21296
• [6cca5a8b0e] - doc: update AUTHORS list (Michaël Zasso) #21468
• [de195d50dd] - doc: update LICENSE file (Rich Trott) #21472
• [dad782165a] - doc: fix sort in sections, lists, tables of dns.md (Vse Mozhet Byt) #21505
• [dbd810e5d4] - doc: show options arg to new Worker is optional (Thomas Watson) #21508
• [23598239d1] - doc: fix HTTP req/res 'close' description (Robert Nagy) #21047
• [02bc99daa7] - doc: correct parameters, return types in crypto.md (ZaneHannanAU) #21420
• [5bb6e5c5df] - doc: restore documentation for two error codes (Сковорода Никита Андреевич) #21484
• [c324b85a15] - doc: sort error codes in errors.md (Сковорода Никита Андреевич) #21485
• [361e4f250c] - doc: ...

2018-06-20, Version 10.5.0 (Current), @targos

Notable Changes

• crypto:
  • Support for crypto.scrypt() has been added. #20816
• fs:
  • BigInt support has been added to fs.stat and fs.watchFile. #20220
  • APIs that take mode as arguments no longer throw on values larger than
    0o777. #20636 #20975 (Fixes: #20498)
  • Fix crashes in closed event watchers. #20985 (Fixes: #20297)
• Worker Threads:
  • Support for multi-threading has been added behind the
    --experimental-worker flag in the worker_threads module. This feature
    is experimental and may receive breaking changes at any time. #20876

Commits

• [a6986fe8b6] - async_hooks: remove deprecated example (Mathias Buus) #20998
• [4b9817bf1e] - benchmark: disable only the ESLint rule needing it (Rich Trott) #21133
• [ecba1c57b1] - (SEMVER-MINOR) benchmark: port cluster/echo to worker (Timothy Gu) #20876
• [02adb2d62c] - (SEMVER-MINOR) build: expose openssl scrypt functions to addons (Ben Noordhuis) #20816
• [c3fbac432f] - build: install markdown linter for travis (Richard Lau) #21215
• [896017b134] - build: build addon tests in parallel (Anna Henningsen) #21155
• [76927fc734] - build: stop distclean from deleting v8 files (Ujjwal Sharma) #21164
• [b044256f2a] - build: use LC_ALL of C for maximum compatibility (Rich Trott) #21222
• [78c7d666fb] - build: don't change locale on smartos (Refael Ackermann) #21220
• [c688a00a6d] - build: fix 'gas_version' check on localized environments (Evandro Oliveira) #20394
• [79b3423fb5] - build: initial .travis.yml implementation (Anna Henningsen) #21059
• [ea4be72f22] - child_process: swallow errors in internal communication (Anatoli Papirovski) #21108
• [9981220e2a] - crypto: fix behavior of createCipher in wrap mode (Tobias Nießen) #21287
• [d0cb9cbb35] - (SEMVER-MINOR) crypto: drop Math.pow(), use static exponentation (Ben Noordhuis) #20816
• [2d9c3cc89d] - (SEMVER-MINOR) crypto: refactor randomBytes() (Ben Noordhuis) #20816
• [6262fa44d6] - (SEMVER-MINOR) crypto: refactor pbkdf2() and pbkdf2Sync() methods (Ben Noordhuis) #20816
• [c9b4592dbf] - (SEMVER-MINOR) crypto: add scrypt() and scryptSync() methods (Ben Noordhuis) #20816
• [495756264a] - (SEMVER-MINOR) crypto: DRY type checking (Ben Noordhuis) #20816
• [e4a7e0d28b] - deps: float ea7abee from openssl / CVE-2018-0732 (Rod Vagg) #21282
• [0b90b071c4] - deps: Upgrade node-inspect to 1.11.5 (Jan Krems) #21055
• [ffc29c12da] - deps: patch V8 to 6.7.288.46 (Myles Borins) #21260
• [14bb905d18] - deps: V8: cherry-pick a440efb27f from upstream (Yang Guo) #21022
• [65b9c427ac] - dns: improve setServers() errors and performance (Jamie Davis) #20445
• [bc20ec0c0f] - doc: eliminate _you_ from N-API doc (Rich Trott) #21382
• [318d6831bf] - doc: use imperative in COLLABORATOR_GUIDE (Rich Trott) #21340
• [177a7c06a8] - doc: remove obsolete wiki references from BUILDING (Rich Trott) #21369
• [15023df050] - doc: add davisjam to collaborators (Jamie Davis) #21273
• [17c21b67ac] - doc: fix indentation in console.md (Vse Mozhet Byt) #21367
• [ef74368416] - doc: fix heading of optional console method args (Michaël Zasso) #21311
• [4f17841c20] - doc: use Class Method label consistently (Rich Trott) #21357
• [4566ebacf4] - doc: wrap style guide at 80 characters (Rich Trott) #21361
• [6c41f33571] - doc: wrap pull-requests.md at 80 characters (Rich Trott) #21361
• [b8213f17cc] - doc: remove linking of url text to url (Rich Trott) #21361
• [3f78220c2b] - doc: correct styling of _GitHub_ in onboarding doc (Rich Trott) #21361
• [9e994cb119] - doc: wrap releases.md at 80 chars (Rich Trott) #21361
• [e00e5e6d5d] - doc: switch the order of Writable and Readable (Joseph Gordon) #21333
• [e1b571d6b7] - doc: make Deprecation cycle explanation more brief (Rich Trott) #21303
• [df0f7a3b4d] - doc: clarify async execute callback usage (Michael Dawson) #21217
• [c5a65594ef] - doc: move 5 collaborators to emeritus status (Rich Trott) #21272
• [c1d53f86f8] - doc: update NODE_OPTIONS section in cli.md (Vse Mozhet Byt) #21229
• [13fd09bfa7] - doc: add build wg info to releases.md (Jon Moss) #21275
• [0da910f9a5] - doc: move Italo A. Casas to Release Emeritus (Myles Borins) #21315
• [6f7de0b8d9] - doc: trim deprecation level definition text (Rich Trott) #21241
• [dd2fc90dcf] - doc: fix reference to workerData in worker_threads (Jeremiah Senkpiel) #21180
• [5e46c16371] - doc: fix type in stream doc (Aliaksei Tuzik) #21178
• [85dc9ac418] - doc: add Michaël Zasso to Release team (Michaël Zasso) #21114
• [5fa5ab6c48] - doc: naming function as suggested in addon docs (Tommaso Allevi) #21067
• [fe5d35123b] - (SEMVER-MINOR) doc: document BigInt supp...

2018-06-12, Version 10.4.1 (Current), @evanlucas

Notable Changes

• Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
• http2
  • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
• tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
• n-api: Prevent use-after-free in napi_delete_async_work

Commits

• [1bbfe9a72b] - build: fix configure script for double-digits (Misty De Meo) #21183
• [4c90ee8fc6] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#117
• [e5c2f575b1] - deps: patch V8 to 6.7.288.45 (Michaël Zasso) #21192
• [03ded94ffe] - deps: patch V8 to 6.7.288.44 (Michaël Zasso) #21146
• [4de7e0c96c] - deps,npm: float node-gyp patch on npm (Rich Trott) #21239
• [92d7b6c9a0] - fs: fix promises reads with pos > 4GB (cjihrig) #21148
• [8681402228] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#115
• [53f8563353] - n-api: back up env before async work finalize (Gabriel Schulhof) #21129
• [9ba8ed1371] - src: re-add Realloc() shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#128
• [8e979482fa] - Revert "src: restore stdio on program exit" (Evan Lucas) #21257
• [cb5ec64956] - src: reset TTY mode before cleaning up resources (Anna Henningsen) #21257
• [ae5567eaea] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#117
• [e87bf625dd] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#127
• [eea2bce58d] - tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#127
• [1e49eadd68] - tools,gyp: fix regex for version matching (Rich Trott) #21216

2018-06-12, Version 9.11.2 (Current), @evanlucas

Notable Changes

• Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
• buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
• http2
  • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
• tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving

Commits

• [65ed3213ca] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#124
• [f0af3b09bd] - doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#120
• [828159fcd4] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#122
• [be103eba41] - src: re-add Realloc() shrink after reading stream data (Anna Henningsen) nodejs-private/node-private#129
• [555696df51] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#120
• [7684ba63c4] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#130
• [0ab90acaf3] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#124
• [84f23d2f12] - tls: fix SSL write error handling (Anna Henningsen) nodejs-private/node-private#130

2018-06-12, Version 8.11.3 'Carbon' (LTS), @evanlucas

Notable Changes

• buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
• http2
  • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0

Commits

• [e1ff7c3cbc] - deps: update to nghttp2 1.32.0 (James M Snell) nodejs-private/node-private#125
• [c5a2748d8f] - doc: buffer.fill() can zero-fill on invalid input (Сковорода Никита Андреевич) nodejs-private/node-private#119
• [354f2d97ff] - http2: fixup http2stream cleanup and other nits (James M Snell) nodejs-private/node-private#123
• [25c5111ca4] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#119
• [10c5adf19b] - test: add Realloc() shrink after reading stream data test (Anna Henningsen) nodejs-private/node-private#132
• [bc91220ca2] - test: add tls write error regression test (Shigeki Ohtsu) nodejs-private/node-private#131
• [acd11b01c4] - test: add regression test for nghttp2 CVE-2018-1000168 (James M Snell) nodejs-private/node-private#125