Skip to content

Releases: nodejs/node

2018-08-15, Version 10.9.0 (Current), @rvagg

16 Aug 02:17
v10.9.0
Compare
Choose a tag to compare

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes

Commits

Read more

2018-08-15, Version 8.11.4 'Carbon' (LTS), @rvagg

16 Aug 02:15
v8.11.4
Compare
Choose a tag to compare

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes

  • buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  • deps: Upgrade to OpenSSL 1.0.2p, fixing:
    • Client DoS due to large DH parameter (CVE-2018-0732)
    • ECDSA key extraction via local side-channel (CVE not assigned)

Commits

2018-08-15, Version 6.14.4 'Boron' (LTS), @rvagg

16 Aug 02:12
v6.14.4
Compare
Choose a tag to compare

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

for details on patched vulnerabilities.

Fixes for the following CVEs are included in this release:

Notable Changes

  • buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  • deps: Upgrade to OpenSSL 1.0.2p, fixing:
    • Client DoS due to large DH parameter (CVE-2018-0732)
    • ECDSA key extraction via local side-channel (CVE not assigned)

Commits

2018-08-01, Version 10.8.0 (Current), @targos

01 Aug 19:14
v10.8.0
89f483b
Compare
Choose a tag to compare

Notable Changes

  • deps:
    • Upgrade npm to 6.2.0. #21592
      • npm has moved. This release updates various URLs to point to the right
        places for bugs, support, and PRs.
      • Fix the regular expression matching in xcode_emulation in node-gyp to
        also handle version numbers with multiple-digit major versions which would
        otherwise break under use of XCode 10.
      • The npm tree has been significantly flattened. Tarball size for the npm
        package has gone from 8MB to 4.8MB.
      • Changelogs:
        6.2.0-next.0,
        6.2.0-next.1,
        6.2.0.

Commits

  • [335575e49b] - benchmark: remove arrays benchmark (Peter Marshall) #21831
  • [62024b651e] - build: create V8 code cache after script is run (Joyee Cheung) #21567
  • [50ccda2a00] - build: increase macOS minimum supported version (Michaël Zasso) #21883
  • [5e1ceaabaa] - build: remove redundant Makefile target (Rich Trott) #21915
  • [4f00562ef0] - build: add new benchmark targets (Kenny Yuan) #20905
  • [4c5fc5c7ce] - build: move to npm ci where possible (Rich Trott) #21802
  • [e0f3d5703a] - build,win,v8: allow precompiling objects-inl.h (João Reis) #21772
  • [87ed6e6351] - (SEMVER-MINOR) deps: upgrade npm to 6.2.0 (Kat Marchán) #21592
  • [f868415cf6] - deps: cherry-pick 804a693 from upstream V8 (Matheus Marchini) #21855
  • [b56c8ad879] - deps: V8: Backport of 0dd3390 from upstream (James M Snell) #21899
  • [ec0ff7008a] - deps: cherry-pick 907d7bc from upstream V8 (Michaël Zasso) #21838
  • [c23e8b51ea] - deps: cherry-pick 2075910 from upstream V8 (Michaël Zasso) #21838
  • [40fedd3620] - dgram: add getters/setters for private APIs (cjihrig) #21923
  • [98ef8cfb8e] - dgram: make _createSocketHandle() internal only (cjihrig) #21923
  • [ae17d18013] - dgram: hide underscored Socket properties (cjihrig) #21923
  • [b5b74382e0] - dgram: hide _healthCheck() and _stopReceiving() (cjihrig) #21923
  • [b5ae33959b] - doc: add pronouns to readme (Teddy Katz) #22036
  • [f4b6031e39] - doc: clarify text about internal module changes (MaleDong) #22024
  • [1f9570bd10] - doc: add missing worker error (Benjamin Gruenbaum) #21947
  • [67d7a15886] - doc: fix typo in releases.md (Vitor Bruno de Oliveira Barth) #21990
  • [2a0fa4792e] - doc: do not advise to cancel full CI on onboarding (Vse Mozhet Byt) #21977
  • [478dbee8fe] - doc: replace deprecated CI job (Vse Mozhet Byt) #21938
  • [5b0c451e61] - doc: add guide for updating N-API API surface (Hitesh Kanwathirtha) #21877
  • [96bb6052e9] - doc: add node-test-commit-custom-suites to docs (Rich Trott) #21927
  • [c44df51249] - doc: link n-api module init to multi-load addons (Gabriel Schulhof) #21891
  • [c3d9000111] - doc: document http2 network error behaviour (Anna Henningsen) #21861
  • [e8d5787840] - doc: document MODULE_NOT_FOUND error (Jacob Page) #21894
  • [5e562fd792] - doc: fix sorting in the vm.Module section (Vse Mozhet Byt) #21931
  • [eabe907e03] - doc: fix descriptions of sync methods in fs.md (Tim Ruffles) #21747
  • [bd352f0298] - doc: update and improve the release guide (Michaël Zasso) #21868
  • [fd5a0c7a1f] - doc: fix incorrect method name (Anto Aravinth) #21908
  • [af1530e06d] - doc: add cjihrig pronouns (cjihrig) #21901
  • [4d78a21d8c] - doc: add missing require to example in http2.md (Kevin Simper) #21858
  • [ab0da57150] - doc: make minor improvements to collab guide (Rich Trott) #21862
  • [b510cdc756] - doc: fix worker example to receive message (Sakthipriyan Vairamani (thefourtheye)) #21486
  • [d91742aa9a] - fs: reduce memory retention when streaming small files (Anna Henningsen) #21968
  • [484140e223] - fs: stop lazy loading stream constructors (Michaël Zasso) #21776
  • [8799f43fb0] - http: revert "http: always emit close on req and res" (Michaël Zasso) #21809
  • [a5928712c9] - http: name anonymous function in _http_common.js (Petras) #21755
  • [337b2df82f] - http2: release request()'s "connect" event listener after it runs (James Ide) #21916
  • [1e15581823] - http2: remove unused nghttp2 error list (Anna Henningsen) #21827
  • [baf3027c77] - lib: remove usc-2 encoding (Brian White) #21964
  • [9817e405ee] - (SEMVER-MINOR) lib,src: replace all C++ promises with JS promises (Ruben Bridgewater) #20830
  • [45816c50ac] - n-api: guard against cond null dereference (Gabriel Schulhof) #21871
  • [2548f75a92] - src: use UTF-8 for naming interfaces in unix (Ujjwal Sharma) #21926
  • [6b6a26bb8d] - src: use kInternalized instead of kNormal (Ujjwal Sharma) #21926
  • [2c95b96e8e] - src: remove calls to deprecated v8 functions (NewFromUtf8) (Ujjwal Sharma) #21926
  • [e0336b2891] - src: fix may be uninitialized warning in n-api (Michael Dawson) #21898
  • [2f3a28dbf2] - src: use available ReqWrap instance for libuv req (Jon Moss) [#21980](https://github...
Read more

2018-07-18, Version 10.7.0 (Current), @targos

18 Jul 18:36
v10.7.0
Compare
Choose a tag to compare

Notable Changes

  • console:
    • The console.timeLog() method has been implemented. #21312
  • deps:
    • Upgrade to libuv 1.22.0. #21731
    • Upgrade to ICU 62.1 (Unicode 11, CLDR 33.1). #21728
  • http:
    • Added support for passing both timeout and agent options to
      http.request. #21204
  • inspector:
    • Expose the original console API in require('inspector').console. #21659
  • napi:
    • Added experimental support for functions dealing with bigint numbers. #21226
  • process:
    • The process.hrtime.bigint() method has been implemented. #21256
    • Added the --title command line argument to set the process title on
      startup. #21477
  • trace_events:
    • Added process_name metadata. #21477
  • Added new collaborators

Commits

  • [8c97ffb2f5] - assert: improve simple assert (Ruben Bridgewater) #21626
  • [9776f1cbef] - benchmark: add n-api function args benchmark (Kenny Yuan) #21555
  • [576f1ea978] - buffer: remove superfluous assignment (Tobias Nießen) #21844
  • [6bb2b5a51d] - build: account for pure C sources in build-addons-napi (Anna Henningsen) #21797
  • [c02fb88936] - build: enabling lto at configure (Octavian Soldea) #21677
  • [2a0862cec9] - console: fix timeEnd() not coercing the input (Ruben Bridgewater) #21779
  • [f3c397cd21] - (SEMVER-MINOR) console: implement timeLog method (Michaël Zasso) #21312
  • [73cafd853c] - console,util: avoid pair array generation in C++ (Anna Henningsen) #20831
  • [d9825c7a16] - crypto: prevent Sign::SignFinal from crashing (Tobias Nießen) #21815
  • [07cce880bf] - crypto: handle OpenSSL error queue in CipherBase (Tobias Nießen) #21288
  • [355c5e3c95] - deps: cherry-pick 555c811 from upstream V8 (Anna Henningsen) #21741
  • [42d75392c5] - deps: patch V8 to 6.7.288.49 (Myles Borins) #21727
  • [6920091488] - deps: upgrade to libuv 1.22.0 (cjihrig) #21731
  • [122ae24f62] - deps: icu 62.1 bump (Unicode 11, CLDR 33.1) (Steven R. Loomis) #21728
  • [a5233c7e17] - deps: cherry-pick 477df06 from upstream v8 (Gus Caplan) #21644
  • [506631a9f9] - doc: fix structure and formatting in inspector.md (Vse Mozhet Byt) #21709
  • [53b587a5af] - doc: add documentation for buffer.byteOffset (Andreas Madsen) #21718
  • [51dfebf9ac] - doc: fix vm.runInNewContext signature (Michaël Zasso) #21824
  • [10f9374ea3] - doc: make markdown input compliant (Sam Ruby) #21780
  • [02982998db] - doc: add my pronoun (Ruben Bridgewater) #21813
  • [ca8c96035a] - doc: update readme with my pronouns (Lance Ball) #21818
  • [d33281b36f] - doc: prevent some redirections (Vse Mozhet Byt) #21811
  • [0de0f89d0c] - doc: add "Edit on GitHub" link (Rich Trott) #21703
  • [7ab6efdb94] - doc: add policy for landing new npm releases (Myles Borins) #21594
  • [3d93273bf7] - doc: add OS X to instead of only macOS (XadillaX) #21033
  • [577d24baa4] - doc: fix module.children description (Travis Fischer) #21672
  • [cd6601b87a] - doc: fix HTTP res 'finish' description (Sergey Zelenov) #21670
  • [51db88b0f1] - doc: fix http2stream.pushStream error doc (Сковорода Никита Андреевич) #21487
  • [6e1917a596] - doc: update changelog with 9.x EOL (Сковорода Никита Андреевич) #21612
  • [cd77d8782a] - doc: improve documentation of fs sync methods (iwko) #21243
  • [1044bafec4] - doc: remove _Node.js style callback_ (Rich Trott) #21701
  • [971679328e] - doc: add codebytere as collaborator (Shelley Vohr) #21700
  • [034fe19862] - doc: add links to inline HTML table (Rich Trott) #21678
  • [04eed2342d] - doc: remove "note that" from fs doc (Rich Trott) #21646
  • [c8d5bab022] - doc: fix doc for napi_create_function (Gabriel Schulhof)
  • [f7aa22a0eb] - doc: improve guide text for CI runs (Rich Trott) #21645
  • [6f8ebc08b9] - doc: unify spelling of backpressure (Thomas Watson) #21630
  • [3fffc7e95f] - errors: fix undefined HTTP2 and tls errors (Shailesh Shekhawat) #21564
  • [b758006c23] - fs: fix fsPromises.lchmod error on non-Mac (Masashi Hirano) #21435
  • [4fa7150962] - fs: support pseudofiles in promises.readFile (Timothy Gu) #21497
  • [bba500d0ea] - (SEMVER-MINOR) http: fix request with option timeout and agent (killagu) #21204
  • [0b3c80ca31] - http2: fix issues with aborted respondWithFile()s (Anna Henningsen) #21561
  • [238ef58841] - http2: remove waitTrailers listener after closing a stream (RidgeA) #21764
  • [07160cd2fd] - http2: order declarations in core.js (Rich Trott) #21689
  • [c88af232c8] - http2: pass incoming set-cookie header as array (Gerhard Stoebich) #21360
  • [2922028362] - (SEMVER-MINOR) inspector: expose original console (Matteo Collina) #21659
  • [b2291296ef] - inspector: split main thread interface from transport (Eugene Ostroukhov) #21182
  • [[4ed4bf3bdd](https://github.com...
Read more

2018-07-04, Version 10.6.0 (Current), @targos

05 Jul 06:32
v10.6.0
4716fd1
Compare
Choose a tag to compare

Notable Changes

  • dns:
    • An experimental promisified version of the dns module is now available. Give
      it a try with require('dns').promises. #21264
  • fs:
    • fs.lchown has been undeprecated now that libuv supports it. #21498
  • lib:
    • Atomics.wake is being renamed to Atomics.notify in the ECMAScript
      specification (reference).
      Since Node.js now has experimental support for worker threads, we are being
      proactive and added a notify alias, while emitting a warning if
      wake is used. #21413 #21518
  • n-api:
    • Add API for asynchronous functions. #17887
  • util:
    • util.inspect is now able to return a result instead of throwing when the
      maximum call stack size is exceeded during inspection. #20725
  • vm:
    • Add script.createCachedData(). This API replaces the produceCachedData
      option of the Script constructor that is now deprecated. #20300
  • worker:
    • Support for relative paths has been added to the Worker constructor. Paths
      are interpreted relative to the current working directory. #21407

Commits

Read more

2018-06-20, Version 10.5.0 (Current), @targos

20 Jun 19:25
v10.5.0
e1c28f4
Compare
Choose a tag to compare

Notable Changes

  • crypto:
    • Support for crypto.scrypt() has been added. #20816
  • fs:
    • BigInt support has been added to fs.stat and fs.watchFile. #20220
    • APIs that take mode as arguments no longer throw on values larger than
      0o777. #20636 #20975 (Fixes: #20498)
    • Fix crashes in closed event watchers. #20985 (Fixes: #20297)
  • Worker Threads:
    • Support for multi-threading has been added behind the
      --experimental-worker flag in the worker_threads module. This feature
      is experimental and may receive breaking changes at any time. #20876

Commits

  • [a6986fe8b6] - async_hooks: remove deprecated example (Mathias Buus) #20998
  • [4b9817bf1e] - benchmark: disable only the ESLint rule needing it (Rich Trott) #21133
  • [ecba1c57b1] - (SEMVER-MINOR) benchmark: port cluster/echo to worker (Timothy Gu) #20876
  • [02adb2d62c] - (SEMVER-MINOR) build: expose openssl scrypt functions to addons (Ben Noordhuis) #20816
  • [c3fbac432f] - build: install markdown linter for travis (Richard Lau) #21215
  • [896017b134] - build: build addon tests in parallel (Anna Henningsen) #21155
  • [76927fc734] - build: stop distclean from deleting v8 files (Ujjwal Sharma) #21164
  • [b044256f2a] - build: use LC_ALL of C for maximum compatibility (Rich Trott) #21222
  • [78c7d666fb] - build: don't change locale on smartos (Refael Ackermann) #21220
  • [c688a00a6d] - build: fix 'gas_version' check on localized environments (Evandro Oliveira) #20394
  • [79b3423fb5] - build: initial .travis.yml implementation (Anna Henningsen) #21059
  • [ea4be72f22] - child_process: swallow errors in internal communication (Anatoli Papirovski) #21108
  • [9981220e2a] - crypto: fix behavior of createCipher in wrap mode (Tobias Nießen) #21287
  • [d0cb9cbb35] - (SEMVER-MINOR) crypto: drop Math.pow(), use static exponentation (Ben Noordhuis) #20816
  • [2d9c3cc89d] - (SEMVER-MINOR) crypto: refactor randomBytes() (Ben Noordhuis) #20816
  • [6262fa44d6] - (SEMVER-MINOR) crypto: refactor pbkdf2() and pbkdf2Sync() methods (Ben Noordhuis) #20816
  • [c9b4592dbf] - (SEMVER-MINOR) crypto: add scrypt() and scryptSync() methods (Ben Noordhuis) #20816
  • [495756264a] - (SEMVER-MINOR) crypto: DRY type checking (Ben Noordhuis) #20816
  • [e4a7e0d28b] - deps: float ea7abee from openssl / CVE-2018-0732 (Rod Vagg) #21282
  • [0b90b071c4] - deps: Upgrade node-inspect to 1.11.5 (Jan Krems) #21055
  • [ffc29c12da] - deps: patch V8 to 6.7.288.46 (Myles Borins) #21260
  • [14bb905d18] - deps: V8: cherry-pick a440efb27f from upstream (Yang Guo) #21022
  • [65b9c427ac] - dns: improve setServers() errors and performance (Jamie Davis) #20445
  • [bc20ec0c0f] - doc: eliminate _you_ from N-API doc (Rich Trott) #21382
  • [318d6831bf] - doc: use imperative in COLLABORATOR_GUIDE (Rich Trott) #21340
  • [177a7c06a8] - doc: remove obsolete wiki references from BUILDING (Rich Trott) #21369
  • [15023df050] - doc: add davisjam to collaborators (Jamie Davis) #21273
  • [17c21b67ac] - doc: fix indentation in console.md (Vse Mozhet Byt) #21367
  • [ef74368416] - doc: fix heading of optional console method args (Michaël Zasso) #21311
  • [4f17841c20] - doc: use Class Method label consistently (Rich Trott) #21357
  • [4566ebacf4] - doc: wrap style guide at 80 characters (Rich Trott) #21361
  • [6c41f33571] - doc: wrap pull-requests.md at 80 characters (Rich Trott) #21361
  • [b8213f17cc] - doc: remove linking of url text to url (Rich Trott) #21361
  • [3f78220c2b] - doc: correct styling of _GitHub_ in onboarding doc (Rich Trott) #21361
  • [9e994cb119] - doc: wrap releases.md at 80 chars (Rich Trott) #21361
  • [e00e5e6d5d] - doc: switch the order of Writable and Readable (Joseph Gordon) #21333
  • [e1b571d6b7] - doc: make Deprecation cycle explanation more brief (Rich Trott) #21303
  • [df0f7a3b4d] - doc: clarify async execute callback usage (Michael Dawson) #21217
  • [c5a65594ef] - doc: move 5 collaborators to emeritus status (Rich Trott) #21272
  • [c1d53f86f8] - doc: update NODE_OPTIONS section in cli.md (Vse Mozhet Byt) #21229
  • [13fd09bfa7] - doc: add build wg info to releases.md (Jon Moss) #21275
  • [0da910f9a5] - doc: move Italo A. Casas to Release Emeritus (Myles Borins) #21315
  • [6f7de0b8d9] - doc: trim deprecation level definition text (Rich Trott) #21241
  • [dd2fc90dcf] - doc: fix reference to workerData in worker_threads (Jeremiah Senkpiel) #21180
  • [5e46c16371] - doc: fix type in stream doc (Aliaksei Tuzik) #21178
  • [85dc9ac418] - doc: add Michaël Zasso to Release team (Michaël Zasso) #21114
  • [5fa5ab6c48] - doc: naming function as suggested in addon docs (Tommaso Allevi) #21067
  • [fe5d35123b] - (SEMVER-MINOR) doc: document BigInt supp...
Read more

2018-06-12, Version 10.4.1 (Current), @evanlucas

13 Jun 00:25
v10.4.1
Compare
Choose a tag to compare

Notable Changes

  • Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
  • http2
    • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
    • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
  • tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
  • n-api: Prevent use-after-free in napi_delete_async_work

Commits

2018-06-12, Version 9.11.2 (Current), @evanlucas

13 Jun 00:24
v9.11.2
Compare
Choose a tag to compare

Notable Changes

  • Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
  • buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
  • http2
    • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
    • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
  • tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving

Commits

2018-06-12, Version 8.11.3 'Carbon' (LTS), @evanlucas

13 Jun 00:24
v8.11.3
Compare
Choose a tag to compare

Notable Changes

  • buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
  • http2
    • (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
    • (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0

Commits