Node.js

News from 2018

20 Jun Node v10.5.0 (Current)
- crypto:
  - Support for crypto.scrypt() has been added. #20816
- fs:
  - BigInt support has been added to fs.stat and fs.watchFile. #20220
  - APIs that take mode as arguments no longer throw on values larger than 0o777. #20636 #20975 (Fixes: #20498)
  - Fix crashes in closed event watchers. #20985 (Fixes: #20297)
- Worker Threads:
  - Support for multi-threading has been added behind the --experimental-worker flag in the worker_threads module. This feature is experimental and may receive breaking changes at any time. #20876
Read more...
12 Jun Node v8.11.3 (LTS)
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- http2
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
Read more...
12 Jun Node v6.14.3 (LTS)
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- [7dbcfc6217] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#121
Read more...
12 Jun Node v9.11.2 (Current)
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
- http2
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
Read more...
12 Jun Node v10.4.1 (Current)
- Fixes memory exhaustion DoS (CVE-2018-7164): Fixes a bug introduced in 9.7.0 that increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream.
- http2
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- tls (CVE-2018-7162): Fixes Denial of Service vulnerability by updating the TLS implementation to not crash upon receiving
- n-api: Prevent use-after-free in napi_delete_async_work
Read more...
12 Jun June 2018 Security Releases
(Update 12-June-2018) Security releases available
Updates are now available for all active Node.js release lines. These include the fix for the vulnerabilities identified in the initial announcement (below).
We recommend that all users upgrade as soon as possible.
Read more...
06 Jun Node v10.4.0 (Current)
- deps:
  - update V8 to 6.7.288.43 (Michaël Zasso) #19989
- stream:
  - ensure Stream.pipeline re-throws errors without callback (Blaine Bublitz) #20437
Read more...
29 May Node v10.3.0 (Current)
- deps:
  - upgrade npm to 6.1.0 (Rebecca Turner) #20190
- fs:
  - fix reads with pos > 4GB (Mathias Buus) #21003
- net:
  - new option to allow IPC servers to be readable and writable by all users (Bartosz Sosnowski) #19472
- stream:
  - fix removeAllListeners() for Stream.Readable to work as expected when no arguments are passed (Kael Zhang) #20924
- Added new collaborators
  - jdlaton John-David Dalton
Read more...
24 May Node v10.2.1 (Current)
This is a follow up release to fix two regressions that were introduced in v10.2.0.
- [2a9c83321b] - http: fix res emit close before user finish (Robert Nagy) #20941
- [0b1ba20fc0] - src: re-integrate headers into node.h (Anna Henningsen) #20939
- [52f21fbfbc] - test: mark test-zlib.zlib-binding.deflate as flaky (Matheus Marchini) #20935
Read more...
23 May Node v10.2.0 (Current)
- addons:
  - Fixed a memory leak for users of AsyncResource and N-API. (Michael Dawson) #20668
- assert:
  - The error parameter of assert.throws() can be an object containing regular expressions now. (Ruben Bridgewater) #20485
- crypto:
  - The authTagLength option has been made more flexible. (Tobias Nießen) #20235, #20039
- esm:
  - Builtin modules (e.g. fs) now provide named exports in ES6 modules. (Gus Caplan) #20403
- http:
  - Handling of close and aborted events has been made more consistent. (Robert Nagy) #20075, #20611
- module:
  - add --preserve-symlinks-main (David Goldstein) #19911
- timers:
  - timeout.refresh() has been added to the public API. (Jeremiah Senkpiel) #20298
- Embedder support:
  - Functions for creating V8 Isolate and Context objects with Node.js-specific behaviour have been added to the API. (Allen Yonghuang Wang) #20639
  - Node.js Environments clean up resources before exiting now. (Anna Henningsen) #19377
  - Support for multi-threaded embedding has been improved. (Anna Henningsen) #20542, #20539, #20541
Read more...
15 May Node v8.11.2 (LTS)
09 May Node v10.1.0 (Current)
30 Apr Node v6.14.2 (LTS)
24 Apr Node v10.0.0 (Current)
05 Apr Node v9.11.1 (Current)
04 Apr Node v9.11.0 (Current)
30 Mar Node v9.10.1 (Current)
30 Mar Node v8.11.1 (LTS)
30 Mar Node v6.14.1 (LTS)
30 Mar Node v4.9.1 (Maintenance)
28 Mar Node v9.10.0 (Current)
28 Mar Node v8.11.0 (LTS)
28 Mar Node v6.14.0 (LTS)
28 Mar Node v4.9.0 (Maintenance)
21 Mar March 2018 Security Releases
21 Mar Node v9.9.0 (Current)
08 Mar Node v9.8.0 (Current)
07 Mar Node v8.10.0 (LTS)
06 Mar Node v6.13.1 (LTS)
02 Mar Node v9.7.1 (Current)
01 Mar Node v9.7.0 (Current)
23 Feb Node v9.6.1 (Current)
22 Feb Node v9.6.0 (Current)
13 Feb Node v6.13.0 (LTS)
01 Feb Node v9.5.0 (Current)
10 Jan Node v9.4.0 (Current)
08 Jan Meltdown and Spectre - Impact On Node.js
03 Jan Node v8.9.4 (LTS)
02 Jan Node v6.12.3 (LTS)