2023-01-06, Version 19.4.0 (Current), @RafaelGSS

Notable Changes

• buffer:
  • (SEMVER-MINOR) add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
• http:
  • (SEMVER-MINOR) improved timeout defaults handling (Paolo Insogna) #45778
• net:
  • add autoSelectFamily global getter and setter (Paolo Insogna) #45777
• os:
  • (SEMVER-MINOR) add availableParallelism() (Colin Ihrig) #45895
• util:
  • add fast path for text-decoder fatal flag (Yagiz Nizipli) #45803

Commits

• [54b748acc0] - async_hooks: refactor to use validateObject (Deokjin Kim) #46004
• [cf2ff81f26] - benchmark: include webstreams benchmark (Rafael Gonzaga) #45876
• [6e3d7f8c2d] - bootstrap: optimize modules loaded in the built-in snapshot (Joyee Cheung) #45849
• [d181b76374] - bootstrap: make CJS loader snapshotable (Joyee Cheung) #45849
• [508e830765] - bootstrap: include event_target into the built-in snapshot (Joyee Cheung) #45849
• [dd77c05480] - bootstrap: support module_wrap binding in snapshot (Joyee Cheung) #45849
• [fbe399c75c] - (SEMVER-MINOR) buffer: add buffer.isUtf8 for utf8 validation (Yagiz Nizipli) #45947
• [233a66f937] - build: fix arm64 cross-compile from powershell (Stefan Stojanovic) #45890
• [e7b98a3da2] - build: add option to disable shared readonly heap (Anna Henningsen) #45887
• [777c551edf] - crypto: ensure exported webcrypto EC keys use uncompressed point format (Ben Noordhuis) #46021
• [f7dba5bef7] - crypto: fix globalThis.crypto this check (Filip Skokan) #45857
• [56f3ad101b] - crypto: fix CryptoKey prototype WPT (Filip Skokan) #45857
• [c9747f1140] - crypto: use globalThis.crypto over require('crypto').webcrypto (Filip Skokan) #45817
• [6eede72241] - crypto: fix CryptoKey WebIDL conformance (Filip Skokan) #45855
• [c9802862b7] - crypto: fix error when getRandomValues is called without arguments (Filip Skokan) #45854
• [3d09754186] - debugger: refactor console in lib/internal/debugger/inspect.js (Debadree Chatterjee) #45847
• [fdda2ff53b] - deps: V8: cherry-pick 30861a39323d (Aaron Friel) #45851
• [71bf513062] - deps: patch V8 to 10.8.168.25 (Michaël Zasso) #45996
• [0552b13232] - deps: update simdutf to 2.0.9 (Node.js GitHub Bot) #45975
• [e73be1b3b9] - deps: update to uvwasi 0.0.14 (Colin Ihrig) #45970
• [e4323f01c1] - deps: fix updater github workflow job (Yagiz Nizipli) #45972
• [05fee67238] - Revert "deps: disable avx512 for simutf on benchmark ci" (Yagiz Nizipli) #45948
• [98fc94a444] - deps: disable avx512 for simutf on benchmark ci (Yagiz Nizipli) #45803
• [344c5ec0ea] - deps: add simdutf dependency (Yagiz Nizipli) #45803
• [7bdad948c8] - deps: V8: backport 8ca9f77d0f7c (Anna Henningsen) #45871
• [29f90cf5af] - deps: update timezone to 2022g (Node.js GitHub Bot) #45731
• [99fec0bf64] - deps: update undici to 5.14.0 (Node.js GitHub Bot) #45812
• [faee973fa7] - deps: V8: cherry-pick bc831f8ba33b (Yagiz Nizipli) #45788
• [e2944109c6] - deps: V8: cherry-pick bf0bd4868dde (Michaël Zasso) #45908
• [e113d169ee] - doc: update isUtf8 description (Yagiz Nizipli) #45973
• [9e16406066] - doc: sort http.createServer() options alphabetically (Luigi Pinca) #45680
• [49253e1a8f] - doc: use console.error for error case in timers and tls (Deokjin Kim) #46002
• [8be1b666a7] - doc: fix wrong output of example in url.protocol (Deokjin Kim) #45954
• [9251dce8b2] - doc: use os.availableParallelism() in async_context and cluster (Deokjin Kim) #45979
• [952e03ae66] - doc: make EventEmitterAsyncResource's options as optional (Deokjin Kim) #45985
• [71cc3b3712] - doc: replace single executable champion in strategic initiatives doc (Darshan Sen) #45956
• [eaf6b63637] - doc: update error message of example in repl (Deokjin Kim) #45920
• [d8b5b7da75] - doc: fix typos in packages.md (Eric Mutta) #45957
• [4457e051c9] - doc: remove port from example in url.hostname (Deokjin Kim) #45927
• [908f4fab52] - doc: show output of example in http (Deokjin Kim) #45915
• [faf5c23084] - (SEMVER-MINOR) doc: add parallelism note to os.cpus() (Colin Ihrig) #45895
• [9ed547b73c] - doc: fix wrong output of example in url.password (Deokjin Kim) #45928
• [a89f8c1337] - doc: fix some history entries in deprecations.md (Antoine du Hamel) #45891
• [cf30fca23f] - doc: add tip for NODE_MODULE (theanarkh) #45797
• [d500445aec] - doc: reduce likelihood of mismerges during release (Richard Lau) #45864
• [e229f060e3] - doc: add backticks to webcrypto rsaOaepParams (Filip Skokan) #45883
• [dfa58c1947] - doc: remove release cleanup step (Michaël Zasso) #45858
• [b93a9670a8] - doc: add stream/promises pipeline and finished to doc (Marco Ippolito) #45832
• [c86f4a17d6] - doc: remove Juan Jose keys (Rafael Gonzaga) ...

2023-01-05, Version 18.13.0 'Hydrogen' (LTS), @danielleadams

Notable changes

Add support for externally shared js builtins

By default Node.js is built so that all dependencies are bundled into the Node.js binary itself. Some Node.js distributions prefer to manage dependencies externally. There are existing build options that allow dependencies with native code to be externalized. This commit adds additional options so that dependencies with JavaScript code (including WASM) can also be externalized. This addition does not affect binaries shipped by the Node.js project but will allow other distributions to externalize additional dependencies when needed.

Contributed by Michael Dawson in #44376

Introduce File

The File class is part of the FileAPI. It can be used anywhere a Blob can, for example in URL.createObjectURL and FormData. It contains two properties that Blobs do not have: lastModified, the last time the file was modified in ms, and name, the name of the file.

Contributed by Khafra in #45139

Support function mocking on Node.js test runner

The node:test module supports mocking during testing via a top-level mock
object.

test('spies on an object method', (t) => {
  const number = {
    value: 5,
    add(a) {
      return this.value + a;
    },
  };
  t.mock.method(number, 'add');

  assert.strictEqual(number.add(3), 8);
  assert.strictEqual(number.add.mock.calls.length, 1);
});

Contributed by Colin Ihrig in #45326

Other notable changes

• build:
  • disable v8 snapshot compression by default (Joyee Cheung) #45716
• crypto:
  • update root certificates (Luigi Pinca) #45490
• deps:
  • update ICU to 72.1 (Michaël Zasso) #45068
• doc:
  • add doc-only deprecation for headers/trailers setters (Rich Trott) #45697
  • add Rafael to the tsc (Michael Dawson) #45691
  • deprecate use of invalid ports in url.parse (Antoine du Hamel) #45576
  • add lukekarrys to collaborators (Luke Karrys) #45180
  • add anonrig to collaborators (Yagiz Nizipli) #45002
  • deprecate url.parse() (Rich Trott) #44919
• lib:
  • drop fetch experimental warning (Matteo Collina) #45287
• net:
  • (SEMVER-MINOR) add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) #44731
• src:
  • (SEMVER-MINOR) add uvwasi version (Jithil P Ponnan) #45639
  • (SEMVER-MINOR) add initial shadow realm support (Chengzhong Wu) #42869
• test_runner:
  • (SEMVER-MINOR) add t.after() hook (Colin Ihrig) #45792
  • (SEMVER-MINOR) don't use a symbol for runHook() (Colin Ihrig) #45792
• tls:
  • (SEMVER-MINOR) add "ca" property to certificate object (Ben Noordhuis) #44935
  • remove trustcor root ca certificates (Ben Noordhuis) #45776
• tools:
  • update certdata.txt (Luigi Pinca) #45490
• util:
  • add fast path for utf8 encoding (Yagiz Nizipli) #45412
  • improve textdecoder decode performance (Yagiz Nizipli) #45294
  • (SEMVER-MINOR) add MIME utilities (#21128) (Bradley Farias) #21128

Commits

• [40123a6bb0] - (SEMVER-MINOR) async_hooks: add hook to stop propagation (Gerhard Stöbich) #45386
• [9925d20ed8] - benchmark: add variety of inputs to text-encoder (Yagiz Nizipli) #45787
• [5e167bd658] - benchmark: make benchmarks runnable in older versions of Node.js (Joyee Cheung) #45746
• [a1421623ac] - benchmark: add v8 serialize benchmark (Yagiz Nizipli) #45476
• [fcf61884cc] - benchmark: add text-encoder benchmark (Yagiz Nizipli) #45450
• [762d285c98] - benchmark: add parameters to text-decoder benchmark (Yagiz Nizipli) #45363
• [ab891ecbff] - benchmark: fix text-decoder benchmark (Yagiz Nizipli) #45363
• [1ed312a737] - benchmark: add blob benchmark (Yagiz Nizipli) #44990
• [2ee3d81277] - bootstrap: merge main thread and worker thread initializations (Joyee Cheung) #44869
• [e638ea4f48] - bootstrap: check more metadata when loading the snapshot (Joyee Cheung) #44132
• [bfcf4f0046] - buffer: make decodeUTF8 params loose (Yagiz Nizipli) #45610
• [3a7f3d5993] - (SEMVER-MINOR) buffer: introduce File (Khafra) #45139
• [345b847aa6] - buffer: fix validation of options in Blob constructor (Antoine du Hamel) #45156
• [1ddc438444] - build: disable v8 snapshot compression by default (Joyee Cheung) #45716
• [bd1a2fbd91] - build: add python 3.11 support for android (Mohammed Keyvanzadeh) #45765
• [2b0ace302d] - build: rework gyp files for zlib (Richard Lau) #45589
• [5ab7a30a06] - build: avoid redefined macro (Michaël Zasso) #45544
• [f58b32c22e] - build: fix env.h for cpp20 (Jiawen Geng) #45516
• [1de1f679ec] - Revert "build: remove precompiled header and debug information for host builds" (Stefan Stojanovic) #45432
• [89d1eb58b0] - build: add --v8-disable-object-print flag (MURAKAMI Masahiko) #45458
• [f2a4def232] - build: make scripts in gyp run with right python (Jiawen Geng) #45435
• [473a879c91] - build: workaround for node-core-utils (Jiawen Geng) #45199
• [abcc034c61] - build: fix icu-small build with ICU 72.1 (Steven R. Loomis) #45195
• [8a99221a21] - build: remove unused language files (Ben Noordhuis) #45138
• [3fb44f9413] - build: add GitHub token to auto-start-ci workflow (Richard Lau) #45185
• [2aac993bb2] - build: add version info to timezone update PR (Darshan Sen) #45021
• [0db19b3c60] - build: support Python 3.11 (Luigi Pinca) #45191
• [fb008a2e9b] - build,deps,src: fix Intel VTune profiling support (Shi Lei) #45248
• [61bc27a5b4] - build,win: pass --debug-nghttp2 to configure (Santiago Gimeno) #45209
• [7b68c06988] - child_process: validate arguments for null bytes (Darshan Sen) #44782
• [bac6b7d900] - crypto: simplify lazy loading of internal modules (Antoin...

2022-12-14, Version 19.3.0 (Current), @targos

Notable Changes

Updated npm to 9.2.0

Based on the list of guidelines we've established on integrating npm and node,
here is a grouped list of the breaking changes with the reasoning as to why they
fit within the guidelines linked above. Note that all the breaking changes were
made in 9.0.0.
All subsequent minor and patch releases after npm@9.0.0 do not contain any
breaking changes.

Engines

Explanation: the node engines supported by npm@9 make it safe to allow npm@9 as the default in any LTS version of 14 or 16, as well as anything later than or including 18.0.0

• npm is now compatible with the following semver range for node: ^14.17.0 || ^16.13.0 || >=18.0.0

Filesystem

Explanation: when run as root previous versions of npm attempted to manage file ownership automatically on the user's behalf. this behavior was problematic in many cases and has been removed in favor of allowing users to manage their own filesystem permissions

• npm will no longer attempt to modify ownership of files it creates.

Auth

Explanation: any errors thrown from users having unsupported auth configurations will show npm config fix in the remediation instructions, which will allow the user to automatically have their auth config fixed.

• The presence of auth related settings that are not scoped to a specific
  registry found in a config file is no longer supported and will throw errors.

Login

Explanation: the default auth-type has changed and users can opt back into the old behavior with npm config set auth-type=legacy. login and adduser have also been seperated making each command more closely match it's name instead of being aliases for each other.

• Legacy auth types sso, saml & legacy have been consolidated into "legacy".
• auth-type defaults to "web"
• login and adduser are now separate commands that send different data to the registry.
• auth-type config values web and legacy only try their respective methods,
  npm no longer tries them all and waits to see which one doesn't fail.

Tarball Packing

Explanation: previously using multiple ignore/allow lists when packing was an undefined behavior, and now the order of operations is strictly defined when packing a tarball making it easier to follow and should only affect users relying on the previously undefined behavior.

• npm pack now follows a strict order of operations when applying ignore rules.
  If a files array is present in the package.json, then rules in .gitignore
  and .npmignore files from the root will be ignored.

Display/Debug/Timing Info

Explanation: these changes center around the display of information to the terminal including timing and debug log info. We do not anticipate these changes breaking any existing workflows.

• Links generated from git urls will now use HEAD instead of master as the default ref.
• timing has been removed as a value for --loglevel.
• --timing will show timing information regardless of --loglevel, except when --silent.
• When run with the --timing flag, npm now writes timing data to a file
  alongside the debug log data, respecting the logs-dir option and falling
  back to <CACHE>/_logs/ dir, instead of directly inside the cache directory.
• The timing file data is no longer newline delimited JSON, and instead each run
  will create a uniquely named <ID>-timing.json file, with the <ID> portion
  being the same as the debug log.
• npm now outputs some json errors on stdout. Previously npm would output
  all json formatted errors on stderr, making it difficult to parse as the
  stderr stream usually has logs already written to it.

Config/Command Deprecations or Removals

Explanation: install-links is the only config or command in the list that has an effect on package installs. We fixed a number of issues that came up during prereleases with this change. It will also only be applied to new package trees created without a package-lock.json file. Any install with an existing lock file will not be changed.

• Deprecate boolean install flags in favor of --install-strategy.
• npm config set will no longer accept deprecated or invalid config options.
• install-links config defaults to "true".
• node-version config has been removed.
• npm-version config has been removed.
• npm access subcommands have been renamed.
• npm birthday has been removed.
• npm set-script has been removed.
• npm bin has been removed (use npx or npm exec to execute binaries).

Other notable changes

• [03db415540] - build: disable v8 snapshot compression by default (Joyee Cheung) #45716
• [9f51b9e50d] - doc: add doc-only deprecation for headers/trailers setters (Rich Trott) #45697
• [b010820c4e] - doc: add Rafael Gonzaga to the TSC (Michael Dawson) #45691
• [b8b13dccd9] - (SEMVER-MINOR) net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options (Paolo Insogna) #44731
• [5d7cd363ab] - (SEMVER-MINOR) src: add uvwasi version (Jithil P Ponnan) #45639
• [4165dcddf0] - (SEMVER-MINOR) test_runner: add t.after() hook (Colin Ihrig) #45792
• [d1bd7796ad] - (SEMVER-MINOR) test_runner: don't use a symbol for runHook() (Colin Ihrig) #45792
• [691f58e76c] - tls: remove trustcor root ca certificates (Ben Noordhuis) #45776

Commits

• [382efdf460] - benchmark: add variety of inputs to text-encoder (Yagiz Nizipli) #45787
• [102c2dc071] - benchmark: make benchmarks runnable in older versions of Node.js (Joyee Cheung) #45746
• [e2caf7ced9] - bootstrap: lazy load non-essential modules (Joyee Cheung) #45659
• [49840d443c] - buffer: remove unnecessary lazy loading (Antoine du Hamel) #45807
• [17847683dc] - buffer: make decodeUTF8 params loose (Yagiz Nizipli) #45610
• [03db415540] - build: disable v8 snapshot compression by default (Joyee Cheung) #45716
• [95a23e24f3] - build: add python 3.11 support for android (Mohammed Keyvanzadeh) #45765
• [09bc89daba] - build: rework gyp files for zlib (Richard Lau) #45589
• [b5b56b6b45] - crypto: simplify lazy loading of internal modules (Antoine du Hamel) #45809
• [2e4d37e3f0] - crypto: fix CipherBase Update int32 overflow (Marco Ippolito) #45769
• [573eab9235] - crypto: refactor ArrayBuffer to bigint conversion utils (Antoine du Hamel) #45567
• [845f805490] - crypto: refactor verify acceptable key usage functions (Filip Skokan) #45569
• [7cc9998737] - crypto: fix ECDH webcrypto public CryptoKey usages (Filip Skokan) #45569
• [d030963f37] - crypto: validate CFRG webcrypto JWK import "d" and "x" are a pair (Filip Skokan) #45569
• [9cd106efdc] - crypto: use DataError for CFRG webcrypto raw and jwk import key checks (Filip Skokan) #45569
• [9e2e3de6ce] - crypto: use DataError for webcrypto keyData import failures (Filip Skokan) #45569
• [40037b4e79] - crypto: fix X25519 and X448 webcrypto public CryptoKey usages (Filip Skokan) #45569
• [de2b6b97b9] - crypto: ensure "x" is present when importing private CFRG webcrypto keys (Filip Skokan) #45569
• [[75dbce9a07](https://git...

2022-12-13, Version 16.19.0 'Gallium' (LTS), @richardlau

Notable Changes

OpenSSL 1.1.1s

This update is a bugfix release and does not address any security
vulnerabilities.

Root certificates updated to NSS 3.85

Certificates added:

• Autoridad de Certificacion Firmaprofesional CIF A62634068
• Certainly Root E1
• Certainly Root R1
• D-TRUST BR Root CA 1 2020
• D-TRUST EV Root CA 1 2020
• DigiCert TLS ECC P384 Root G5
• DigiCert TLS RSA4096 Root G5
• E-Tugra Global Root CA ECC v3
• E-Tugra Global Root CA RSA v3
• HiPKI Root CA - G1
• ISRG Root X2
• Security Communication ECC RootCA1
• Security Communication RootCA3
• Telia Root CA v2
• vTrus ECC Root CA
• vTrus Root CA

Certificates removed:

• Cybertrust Global Root
• DST Root CA X3
• GlobalSign Root CA - R2
• Hellenic Academic and Research Institutions RootCA 2011

Time zone update to 2022f

Time zone data has been updated to 2022f. This includes changes to Daylight
Savings Time (DST) for Fiji and Mexico. For more information, see
https://mm.icann.org/pipermail/tz-announce/2022-October/000075.html.

Other Notable Changes

• [33707dcd03] - dgram: add dgram send queue info (theanarkh) #44149

Dependency updates:

• [3b2b70d792] - deps: upgrade npm to 8.19.3 (npm team) #45322

Experimental features:

• [1e0dcd1ee0] - cli: add --watch (Moshe Atlow) #44366
• [8c73279ebb] - util: add default value option to parsearg (Manuel Spigolon) #44631

Commits

• [bbef3c42f6] - build: add version info to timezone update PR (Darshan Sen) #45021
• [cc2c7648e0] - build: support Python 3.11 (Luigi Pinca) #45191
• [ac24c80663] - build: remove redundant condition from common.gypi (Richard Lau) #45076
• [03dcbe3030] - build: fix bad upstream merge (Stephen Gallagher) #44642
• [1e0dcd1ee0] - cli: add --watch (Moshe Atlow) #44366
• [96d131665e] - cluster: use inspector utils (Moshe Atlow) #44592
• [704836033a] - crypto: update root certificates (Luigi Pinca) #45490
• [5a776d4a69] - deps: update timezone to 2022f (Richard Lau) #45613
• [3b2b70d792] - deps: upgrade npm to 8.19.3 (npm team) #45322
• [9fbc8b21db] - deps: update corepack to 0.15.1 (Node.js GitHub Bot) #45331
• [87e3d002ca] - deps: update corepack to 0.15.0 (Node.js GitHub Bot) #45235
• [e972ff7b13] - deps: V8: backport bbd800c6e359 (Chengzhong Wu) #44947
• [af9d8217c0] - deps: V8: cherry-pick b95354290941 (Chengzhong Wu) #44947
• [38202d321b] - deps: update undici to 5.12.0 (Node.js GitHub Bot) #45236
• [7c0da6adf9] - deps: update archs files for OpenSSL-1.1.1s (RafaelGSS) #45274
• [1149ead6f7] - deps: upgrade openssl sources to OpenSSL_1_1_1s (RafaelGSS) #45274
• [cd54bce4f5] - deps: update timezone (Node.js GitHub Bot) #44950
• [2901abe4f0] - deps: update undici to 5.11.0 (Node.js GitHub Bot) #44929
• [c80cf97033] - deps: update corepack to 0.14.2 (Node.js GitHub Bot) #44775
• [33707dcd03] - dgram: add dgram send queue info (theanarkh) #44149
• [c708d9bb94] - doc: fix typo in parseArgs default value (Tobias Nießen) #45083
• [5a0efa05d2] - node-api: handle no support for external buffers (Michael Dawson) #45181
• [db31de634e] - readline: refactor to avoid unsafe regex primordials (Antoine du Hamel) #43475
• [fbc52e5729] - src: disambiguate terms used to refer to builtins and addons (Joyee Cheung) #44135
• [953072d3db] - src: let http2 streams end after session close (Santiago Gimeno) #45153
• [54608d8dc3] - src: split property helpers from node::Environment (Chengzhong Wu) #44056
• [6733556783] - test: add test to validate changelogs for releases (Richard Lau) #45325
• [821d832cef] - test: mark test-watch-mode* as flaky on all platforms (Pierrick Bouvier) #45049
• [02a18eac69] - test: fix test-runner-inspect (Moshe Atlow) #44620
• [197df63f74] - test: add a test to ensure the correctness of timezone upgrades (Darshan Sen) #45299
• [42e9d8016a] - test: fix textdecoder test for small-icu builds (Richard Lau) #45225
• [6d736a56d8] - test: fix watch mode test flake (Moshe Atlow) #44739
• [543d3d2bf3] - test: deflake watch mode tests (Moshe Atlow) #44621
• [97f6caf4eb] - test: split watch mode inspector tests to sequential (Moshe Atlow) #44551
• [499750ff7a] - test: update list of known globals (Antoine du Hamel) #45255
• [64d343af74] - test_runner: support using --inspect with --test (Moshe Atlow) #44520
• [99ee5e484d] - test_runner: fix duration_ms to be milliseconds (Moshe Atlow) #44450
• [37e909251c] - test_runner: support programmatically running --test (Moshe Atlow) #44241
• [0ae5694f88] - tools: update certdata.txt (Luigi Pinca) #45490
• [891368cefd] - tools: remove faulty early termination logic from update-timezone.mjs (Darshan Sen) #44870
• [543493c242] - tools: fix timezone update tool (Darshan Sen) #44870
• [c77f660b75] - tools: fix create-or-update-pull-request-action hash on GHA (Antoine du Hamel) #45166
• [58c30dd049] - tools: update gr2m/create-or-update-pull-request-action (Luigi Pinca) #45022
• [749a4b3e5e] - tools: use Python 3.11 in GitHub Actions workflows (Lu...

2022-12-13, Version 14.21.2 'Fermium' (LTS), @richardlau

Notable Changes

OpenSSL 1.1.1s

This update is a bugfix release and does not address any security
vulnerabilities.

Root certificates updated to NSS 3.85

Certificates added:

• Autoridad de Certificacion Firmaprofesional CIF A62634068
• Certainly Root E1
• Certainly Root R1
• D-TRUST BR Root CA 1 2020
• D-TRUST EV Root CA 1 2020
• DigiCert TLS ECC P384 Root G5
• DigiCert TLS RSA4096 Root G5
• E-Tugra Global Root CA ECC v3
• E-Tugra Global Root CA RSA v3
• HiPKI Root CA - G1
• ISRG Root X2
• Security Communication ECC RootCA1
• Security Communication RootCA3
• Telia Root CA v2
• vTrus ECC Root CA
• vTrus Root CA

Certificates removed:

• Cybertrust Global Root
• DST Root CA X3
• GlobalSign Root CA - R2
• Hellenic Academic and Research Institutions RootCA 2011

Time zone update to 2022f

Time zone data has been updated to 2022f. This includes changes to Daylight
Savings Time (DST) for Fiji and Mexico. For more information, see
https://mm.icann.org/pipermail/tz-announce/2022-October/000075.html.

Commits

• [436a596e99] - crypto: update root certificates (Luigi Pinca) #45490
• [4b422d34af] - deps: V8: cherry-pick d2db7fa7f786 (Richard Lau) #45785
• [625f4bf3a9] - deps: update corepack to 0.15.1 (Node.js GitHub Bot) #45331
• [48a9810de8] - deps: update corepack to 0.15.0 (Node.js GitHub Bot) #45235
• [9f4e64b603] - deps: update timezone to 2022f (Richard Lau) #45521
• [f297b6bd21] - deps: update archs files for OpenSSL-1.1.1s (RafaelGSS) #45272
• [11629fef15] - deps: upgrade openssl sources to 1.1.1s (RafaelGSS) #45272
• [c3a90c4b44] - http2: fix memory leak when nghttp2 hd threshold is reached (rogertyang) #41502
• [785dc3efee] - module: cjs-module-lexer WebAssembly fallback (Guy Bedford) #43612
• [2dbeb889f6] - node-api: handle no support for external buffers (Michael Dawson) #45181
• [5b2ea124f3] - test: add test to validate changelogs for releases (Richard Lau) #45325
• [f13f889956] - test: add a test to ensure the correctness of timezone upgrades (Darshan Sen) #45299
• [5608e6fa72] - tools: update certdata.txt (Luigi Pinca) #45490
• [d6f1d7107b] - tools: have test-asan use ubuntu-20.04 (Filip Skokan) #45581
• [370a00f737] - tools: make license-builder.sh comply with shellcheck 0.8.0 (Rich Trott) #41258

2022-11-29, Version 19.2.0 (Current), @ruyadorno

Notable changes

Time zone update

Time zone data has been updated to 2022f. This includes changes to Daylight Savings Time (DST) for Fiji and Mexico. For more information, see https://mm.icann.org/pipermail/tz-announce/2022-October/000075.html.

Other notable changes

• buffer
  • (SEMVER-MINOR) introduce File class (Khafra) #45139
• deps
  • update V8 to 10.8.168.20 (Michaël Zasso) #45230
• doc
  • deprecate use of invalid ports in url.parse (Antoine du Hamel) #45576
• util
  • add fast path for utf8 encoding (Yagiz Nizipli) #45412

Commits

• [7cff1e14ba] - (SEMVER-MINOR) async_hooks: add hook to stop propagation (Gerhard Stöbich) #45386
• [f08f6a64a3] - benchmark: add v8 serialize benchmark (Yagiz Nizipli) #45476
• [26ad54c1a2] - benchmark: add text-encoder benchmark (Yagiz Nizipli) #45450
• [6c56c9722b] - (SEMVER-MINOR) buffer: introduce File (Khafra) #45139
• [6e1e25d6dd] - build: avoid redefined macro (Michaël Zasso) #45544
• [5c9b2a7c82] - build: fix env.h for cpp20 (Jiawen Geng) #45516
• [54fd8a1966] - build: reset embedder string to "-node.0" (Michaël Zasso) #45230
• [0f3cf7e5ce] - Revert "build: remove precompiled header and debug information for host builds" (Stefan Stojanovic) #45432
• [62ef1eb4ff] - build: add --v8-disable-object-print flag (MURAKAMI Masahiko) #45458
• [1ce2f56cf6] - build: make scripts in gyp run with right python (Jiawen Geng) #45435
• [9ffe3c051a] - build,deps,src: fix Intel VTune profiling support (Shi Lei) #45248
• [bd3accc7b2] - crypto: clear OpenSSL error queue after calling X509_check_private_key() (Filip Skokan) #45495
• [724addb293] - crypto: update root certificates (Luigi Pinca) #45490
• [efe19eb7f5] - crypto: clear OpenSSL error queue after calling X509_verify() (Takuro Sato) #45377
• [f63ae525fa] - deps: V8: cherry-pick 2ada52cffbff (Michaël Zasso) #45573
• [43e002e3d4] - deps: update base64 to 0.5.0 (Facundo Tuesca) #45509
• [aaa4ac7735] - deps: V8: cherry-pick 9df5ef70ff18 (Yagiz Nizipli) #45230
• [e70c3090ff] - deps: V8: cherry-pick f1c888e7093e (Michaël Zasso) #45230
• [51eb323c50] - deps: V8: cherry-pick 92a7385171bb (Michaël Zasso) #45230
• [1370b1a769] - deps: fix V8 build on Windows with MSVC (Michaël Zasso) #45230
• [3cd6367e6a] - deps: silence irrelevant V8 warning (Michaël Zasso) #45230
• [9348bdd28d] - deps: V8: fix v8-cppgc.h for MSVC (Jiawen Geng) #45230
• [e9292544b0] - deps: fix V8 build issue with inline methods (Jiawen Geng) #45230
• [a3b9967553] - deps: update V8 to 10.8.168.20 (Michaël Zasso) #45230
• [117efe98b0] - deps: V8: cherry-pick 9df5ef70ff18 (Yagiz Nizipli) #45474
• [628891d4dd] - deps: update timezone to 2022f (Node.js GitHub Bot) #45289
• [45ba14b3be] - deps: fix zlib compilation for CPUs without SIMD features (Anna Henningsen) #45387
• [c41e67fe1d] - deps: update zlib to upstream 8bbd6c31 (Luigi Pinca) #45387
• [413bf9ad39] - deps: patch V8 to 10.7.193.22 (Michaël Zasso) #45460
• [ad8da86b3f] - deps: update acorn to 8.8.1 (Node.js GitHub Bot) #45441
• [17e6031bf0] - deps: V8: cherry-pick 031b98b25cba (Michaël Zasso) #45375
• [9e0e97c121] - diagnostics_channel: built-in channels should remain experimental (Stephen Belanger) #45423
• [44886e55e1] - diagnostics_channel: mark as stable (Stephen Belanger) #45290
• [b6b5b51687] - doc: deprecate use of invalid ports in url.parse (Antoine du Hamel) #45576
• [d805d5a894] - doc: clarify changes in readableFlowing (Kohei Ueno) #45554
• [015842f3d2] - doc: use console.error for error case in http2 (Deokjin Kim) #45577
• [4345732900] - doc: add version description about fsPromise.constants (chlorine) #45556
• [16643dbb19] - doc: add missing documentation for paramEncoding (Tobias Nießen) #45523
• [246cd358b5] - doc: fix typo in threat model (Tobias Nießen) #45558
• [5b1df22db0] - doc: add Node.js Threat Model (Rafael Gonzaga) #45223
• [19d8493c92] - doc: run license-builder (github-actions[bot]) #45553
• [6f0bc097ea] - doc: add async_hooks migration note (Geoffrey Booth) #45335
• [118de4b44c] - doc: fix RESOLVE_ESM_MATCH in modules.md (翠 / green) #45280
• [4de67d1ef4] - doc: add arm64 to os.machine() (Carter Snook) #45374
• [1812a89c00] - doc: add lint rule to enforce trailing commas (Antoine du Hamel) #45471
• [4128c27f66] - doc: include v19.1.0 in CHANGELOG.md (Rafael Gonzaga) #45462
• [94a6a97ec6] - doc: adjust wording to eliminate awkward typography (Konv) #45398
• [a6fe707b62] - doc: fix typo in maintaining-dependencies.md (Tobias Nießen) #45428
• [8906a4e58e] - esm: add JSDoc property descriptions for loader (Rich Trott) #45370
• [[4e5ad9df50](https://github.com/nodejs/node/com...

2022-11-14, Version 19.1.0 (Current), @RafaelGSS

Notable changes

Support function mocking on Node.js test runner

The node:test module supports mocking during testing via a top-level mock
object.

test('spies on an object method', (t) => {
  const number = {
    value: 5,
    add(a) {
      return this.value + a;
    },
  };
  t.mock.method(number, 'add');

  assert.strictEqual(number.add(3), 8);
  assert.strictEqual(number.add.mock.calls.length, 1);
});

Contributed by Colin Ihrig in #45326

fs.watch recursive support on Linux

fs.watch supports recursive watch using the recursive: true option.

const watcher = fs.watch(testDirectory, { recursive: true });
watcher.on('change', function(event, filename) {
});

Contributed by Yagiz Nizipli in #45098

Other notable changes

• deps
  • update ICU to 72.1 (Michaël Zasso) #45068
• doc
  • add lukekarrys to collaborators (Luke Karrys) #45180
  • add anonrig to collaborators (Yagiz Nizipli) #45002
• lib
  • drop fetch experimental warning (Matteo Collina) #45287
• util
  • (SEMVER-MINOR) add MIME utilities (Bradley Farias) #21128
  • improve textdecoder decode performance (Yagiz Nizipli) #45294

Commits

• [c9cf399ec7] - benchmark: add parameters to text-decoder benchmark (Yagiz Nizipli) #45363
• [79f6bb061d] - benchmark: fix text-decoder benchmark (Yagiz Nizipli) #45363
• [a27c994ced] - benchmark: add blob benchmark (Yagiz Nizipli) #44990
• [c45b6aee78] - bootstrap: merge main thread and worker thread initializations (Joyee Cheung) #44869
• [33691208df] - buffer: fix validation of options in Blob constructor (Antoine du Hamel) #45156
• [7b938df296] - build: support Python 3.11 (Luigi Pinca) #45191
• [75e0a2d109] - build: workaround for node-core-utils (Jiawen Geng) #45199
• [f598edbdf4] - build: fix icu-small build with ICU 72.1 (Steven R. Loomis) #45195
• [29b9f4f90c] - build: remove unused language files (Ben Noordhuis) #45138
• [3a1ee940d1] - build: add GitHub token to auto-start-ci workflow (Richard Lau) #45185
• [17349a2f42] - build: restore Windows resource file (Richard Lau) #45042
• [24e24bd063] - build: add version info to timezone update PR (Darshan Sen) #45021
• [8d7aa53e6b] - build,win: pass --debug-nghttp2 to configure (Santiago Gimeno) #45209
• [b2e60480f3] - child_process: validate arguments for null bytes (Darshan Sen) #44782
• [1f0edde412] - crypto: handle more webcrypto errors with OperationError (Filip Skokan) #45320
• [13fb05e12b] - crypto: handle unsupported AES ciphers in webcrypto (Filip Skokan) #45321
• [c168cbfbb3] - deps: V8: cherry-pick 56816d76c121 (Shi Pujin) #45353
• [1432474abf] - deps: upgrade npm to 8.19.3 (npm team) #45322
• [f35d56200d] - deps: update corepack to 0.15.1 (Node.js GitHub Bot) #45331
• [44de2321aa] - deps: patch V8 to 10.7.193.20 (Michaël Zasso) #45228
• [bfe3819f08] - deps: upgrade to libuv 1.44.2 (Luigi Pinca) #42340
• [0d41df96b3] - deps: update corepack to 0.15.0 (Node.js GitHub Bot) #45235
• [0d241638ca] - deps: update undici to 5.12.0 (Node.js GitHub Bot) #45236
• [f58996188a] - Revert "deps: make V8 compilable with older glibc" (Michaël Zasso) #45162
• [8cda730e58] - deps: update ICU to 72.1 (Michaël Zasso) #45068
• [0a6ed6f710] - Revert "deps: V8: forward declaration of Rtl*FunctionTable" (Michaël Zasso) #45119
• [2f7518ada2] - deps: update timezone (Node.js GitHub Bot) #44950
• [3bfba6df79] - deps: patch V8 to 10.7.193.16 (Michaël Zasso) #45023
• [b5baaa61b3] - dns: fix port validation (Antoine du Hamel) #45135
• [0e9bad97cc] - doc: allow for holidays in triage response (Michael Dawson) #45267
• [d4aabb9d3d] - doc: include last security release date (Juan José Arboleda) #45368
• [ba45373164] - doc: fix email for Ashley (Michael Dawson) #45364
• [d5e5c75b13] - doc: fix test runner's only tests section header (Colin Ihrig) #45343
• [a7c5f31c47] - doc: run license-builder (github-actions[bot]) #45349
• [3de125743e] - doc: add more info for timer.setInterval (theanarkh) #45232
• [5a1252d9b4] - doc: use module names in stability overview table (Filip Skokan) #45312
• [4d38bf2c5f] - doc: add node: prefix for examples (Daeyeon Jeong) #45328
• [b4b6b95f48] - doc: update name of Node.js core Slack channel (Rich Trott) #45293
• [7d7e7c316b] - doc: fix "task_processor.js" typo (andreysoktoev) #45257
• [b9039a54af] - doc: add history section to fetch-related globals (Antoine du Hamel) #45198
• [d9163f1632] - doc: clarify moderation in onboarding.md (Benjamin Gruenbaum) #41930
• [c179c1478b] - doc: change make lint to make lint-md (RafaelGSS) #45197
• [58bec56fab] - doc: add more lts update steps to release guide (Ruy Adorno) #45177
• [8f8d7e76ac] - doc: add bmuenzenmeyer to triagers (Brian Muenzenmeyer) #45155
• [de2df550f6] - doc: update process.release (Filip Skokan) #45170
• [[916e8760ba](916e87...

2022-11-04, Version 19.0.1 (Current), @RafaelGSS

This is a security release.

Notable changes

The following CVEs are fixed in this release:

• CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
• CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
• CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.

Commits

• [e58e8d70a8] - deps: update archs files for quictls/openssl-3.0.7+quic (RafaelGSS) #45286
• [85f4548d57] - deps: upgrade openssl sources to quictls/openssl-3.0.7+quic (RafaelGSS) #45286
• [43403f56f7] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#354

2022-11-04, Version 18.12.1 'Hydrogen' (LTS), @juanarbol

This is a security release.

Notable changes

The following CVEs are fixed in this release:

• CVE-2022-3602: X.509 Email Address 4-byte Buffer Overflow (High)
• CVE-2022-3786: X.509 Email Address Variable Length Buffer Overflow (High)
• CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.

Commits

• [39f8a672e3] - deps: update archs files for quictls/openssl-3.0.7+quic nodejs/node#45286
• [80218127c8] - deps: upgrade openssl sources to quictls/openssl-3.0.7+quic nodejs/node#45286
• [165342beac] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#354

2022-11-04, Version 16.18.1 'Gallium' (LTS), @BethGriggs

This is a security release.

Notable changes

The following CVEs are fixed in this release:

• CVE-2022-43548: DNS rebinding in --inspect via invalid octal IP address (Medium)

More detailed information on each of the vulnerabilities can be found in November 2022 Security Releases blog post.

Commits

• [9ffddd7098] - inspector: harden IP address validation again (Tobias Nießen) nodejs-private/node-private#354