News from 2019

• 11 Oct Node v12.12.0 (Current)
  • build:
    • Add --force-context-aware flag to prevent usage of native node addons that aren't context aware #29631
  • deprecations:
    • Add documentation-only deprecation for process._tickCallback() #29781
  • esm:
    • Using JSON modules is experimental again #29754
  • fs:
    • Introduce opendir() and fs.Dir to iterate through directories #29349
  • process:
    • Add source-map support to stack traces by using --enable-source-maps#29564
  • tls:
    • Honor pauseOnConnect option #29635
    • Add option for private keys for OpenSSL engines #28973

  Read more...

• 09 Oct Node v8.16.2 (LTS)
  • deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230

  • [cc9d005628] - crypto: update root certificates (Sam Roberts) #28808
  • [347fcd35e3] - crypto: update root certificates (Sam Roberts) #27374
  • [b2a6b3254d] - crypto: update root certificates (Sam Roberts) #25113
  • [5682e50325] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
  • [9663ae3546] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
  • [87eee99466] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
  • [da99d3f972] - deps: copy all openssl header files to include dir (Sam Roberts) #28230
  • [dc9d645ac4] - deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230
  • [37e24b19a0] - deps: V8: backport d520ebb (Michaël Zasso) #27358
  • [1a5dc6a3e7] - http: check for existance in resetHeadersTimeoutOnReqEnd (Matteo Collina) #26402
  • [e45b6a3b98] - http2: do not start reading after write if new write is on wire (Anna Henningsen) #29399
  • [559a8e342b] - http2: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) #29459
  • [dd285968c4] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
  • [3ee076f03d] - stream: ensure writable.destroy() emits error once (Luigi Pinca) #26057
  • [a7e5fe1f06] - test: unskip tests that now pass on AIX (Sam Roberts) #29054
  • [65e9b0f5a2] - test: specialize OOM check for AIX (Sam Roberts) #28857
  • [7aca9cb09b] - test: fix pty test hangs on aix (Ben Noordhuis) #28600
  • [588b761fca] - test: skip stringbytes-external-exceed-max on AIX (Sam Roberts) #28516
  • [930647d0fe] - test: skip tests related to CI failures on AIX (Sam Roberts) #28469
  • [92a2f8bbe3] - test,win: cleanup exec-timeout processes (João Reis) #28723
  • [d57f79726d] - tls: partially backport pull request #26415 (Ben Noordhuis) #26415
  • [c582fef5cc] - tools: update certdata.txt (Sam Roberts) #28808
  • [4fbadf6a9e] - tools: update certdata.txt (Sam Roberts) #27374
  • [529b2ad25f] - tools: update certdata.txt (Sam Roberts) #25113

  Read more...

• 01 Oct Node v12.11.1 (Current)
  • build:
    • This release fixes a regression that prevented from building Node.js using the official source tarball (Richard Lau) #29712.
  • deps:
    • Updated small-icu data to support "unit" style in the Intl.NumberFormat API (Michaël Zasso) #29735.

  Read more...

• 25 Sep Node v12.11.0 (Current)
  • crypto:
    • Add oaepLabel option #29489
  • deps:
    • Update V8 to 7.7.299.11 #28918
      • More efficient memory handling
      • Stack trace serialization got faster
      • The Intl.NumberFormat API gained new functionality
      • For more information: https://v8.dev/blog/v8-release-77
  • events:
    • Add support for EventTarget in once #29498
  • fs:
    • Expose memory file mapping flag UV_FS_O_FILEMAP #29260
  • inspector:
    • New API - Session.connectToMainThread #28870
  • process:
    • Initial SourceMap support via env.NODE_V8_COVERAGE #28960
  • stream:
    • Make _write() optional when _writev() is implemented #29639
  • tls:
    • Add option to override signature algorithms #29598
  • util:
    • Add encodeInto to TextEncoder #29524
  • worker:
    • The worker_thread module is now stable #29512

  Read more...

• 12 Sep OpenSSL security releases do not require Node.js security releases

  The OpenSSL Security releases of September 10th, 2019 do not affect Node.js.

  Our assessment of the security advisory is:

  • ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing.

  • Fork Protection (CVE-2019-1549) Not affected. Node.js always call exec() after fork() so will not duplicate the PRNG state in the forked process.

  • Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) Not affected. Node does not support PCKS7 and CMS.

  Read more...

• 05 Sep OpenSSL security releases may require Node.js security releases

  The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details.

  The OpenSSL project announced this week that they will be releasing versions 1.0.2t and 1.1.1d on the 10th of September, UTC. The releases will fix two security defects that are labelled as "LOW" severity under their security policy, meaning they are:

  Read more...

• 04 Sep Node v12.10.0 (Current)
  • deps:
    • Update npm to 6.10.3 (isaacs) #29023
  • fs:
    • Add recursive option to rmdir() (cjihrig) #29168
    • Allow passing true to emitClose option (Giorgos Ntemiris) #29212
    • Add *timeNs properties to BigInt Stats objects (Joyee Cheung) #21387
  • net:
    • Allow reading data into a static buffer (Brian White) #25436

  Read more...

• 26 Aug Node v12.9.1 (Current)

  This release fixes two regressions in the http module:

  • Fixes an event listener leak in the HTTP client. This resulted in lots of warnings during npm/yarn installs (Robert Nagy) #29245.
  • Fixes a regression preventing the 'end' event from being emitted for keepalive requests in case the full body was not parsed (Matteo Collina) #29263.

  Read more...

• 20 Aug Node v12.9.0 (Current)
  • crypto:
    • Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding (Tobias Nießen) #28335.
  • deps:
    • Updated V8 to 7.6.303.29 (Michaël Zasso) #28955.
      • Improves the performance of various APIs such as JSON.parse and methods called on frozen arrays.
      • Adds the Promise.allSettled method.
      • Improves support of BigInt in Intl methods.
      • For more information: https://v8.dev/blog/v8-release-76
    • Updated libuv to 1.31.0 (cjihrig) #29070.
      • UV_FS_O_FILEMAP has been added for faster access to memory mapped files on Windows.
      • uv_fs_mkdir() now returns UV_EINVAL for invalid filenames on Windows. It previously returned UV_ENOENT.
      • The uv_fs_statfs() API has been added.
      • The uv_os_environ() and uv_os_free_environ() APIs have been added.
  • fs:
    • Added fs.writev, fs.writevSync and filehandle.writev (promise version) methods. They allow to write an array of ArrayBufferViews to a file descriptor (Anas Aboureada) #25925, (cjihrig) #29186.
  • http:
    • Added three properties to OutgoingMessage.prototype: writableObjectMode, writableLength and writableHighWaterMark #29018.
  • stream:
    • Added an new property readableEnded to readable streams. Its value is set to true when the 'end' event is emitted. (Robert Nagy) #28814.
    • Added an new property writableEnded to writable streams. Its value is set to true after writable.end() has been called. (Robert Nagy) #28934.

  Read more...

• 16 Aug August 2019 Security Releases

  Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

  Read more...

• 15 Aug Node v10.16.3 (LTS)
• 15 Aug Node v8.16.1 (LTS)
• 15 Aug Node v12.8.1 (Current)
• 06 Aug Node v10.16.2 (LTS)
• 06 Aug Node v12.8.0 (Current)
• 31 Jul Node v10.16.1 (LTS)
• 23 Jul Node v12.7.0 (Current)
• 03 Jul Node v12.6.0 (Current)
• 27 Jun Node v12.5.0 (Current)
• 04 Jun Node v12.4.0 (Current)
• 28 May Node v10.16.0 (LTS)
• 22 May Node v12.3.1 (Current)
• 21 May Node v12.3.0 (Current)
• 07 May Node v12.2.0 (Current)
• 30 Apr Node v11.15.0 (Current)
• 29 Apr Node v12.1.0 (Current)
• 23 Apr Node v12.0.0 (Current)
• 16 Apr Node v8.16.0 (LTS)
• 11 Apr Node v11.14.0 (Current)
• 03 Apr Node v6.17.1 (LTS)
• 28 Mar Node v11.13.0 (Current)
• 15 Mar Node v11.12.0 (Current)
• 06 Mar Node v11.11.0 (Current)
• 05 Mar Node v10.15.3 (LTS)
• 28 Feb February 2019 Security Releases
• 28 Feb Node v11.10.1 (Current)
• 28 Feb Node v10.15.2 (LTS)
• 28 Feb Node v8.15.1 (LTS)
• 28 Feb Node v6.17.0 (LTS)
• 14 Feb Node v11.10.0 (Current)
• 30 Jan Node v11.9.0 (Current)
• 29 Jan Node v10.15.1 (LTS)
• 25 Jan Node v11.8.0 (Current)
• 18 Jan Node v11.7.0 (Current)