News from 2018
- Node v10.9.0 (Current)
  This is a security release, fixing a number of vulnerabilities in OpenSSL and Node.js. Refer to the August 2018 Security Releases announcement for full details.
  - buffer:
    - Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
    - Fix unintentional exposure of uninitialized memory in Buffer.alloc() (CVE-2018-7166)
  - deps:
    - Upgrade to OpenSSL 1.1.0i, fixing:
      - Client DoS due to large DH parameter (CVE-2018-0732)
      - ECDSA key extraction via local side-channel (CVE not assigned)
    - Upgrade V8 from 6.7 to 6.8 (Michaël Zasso) #21079
      - Memory reduction and performance improvements, details at: https://v8project.blogspot.com/2018/06/v8-release-68.html
  - http:
    - http.get() and http.request() (and https variants) can now accept three arguments to allow for a URL and an options object (Sam Ruby) #21616
  - Added new collaborators
    - Sam Ruby (https://github.com/rubys)
    - George Adams (https://github.com/gdams)
- Node v8.11.4 (LTS)
  This is a security release, fixing a number of vulnerabilities in OpenSSL and Node.js. Refer to the August 2018 Security Releases announcement for full details.
  - buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  - deps: Upgrade to OpenSSL 1.0.2p, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
- Node v6.14.4 (LTS)
  This is a security release, fixing a number of vulnerabilities in OpenSSL and Node.js. Refer to the August 2018 Security Releases announcement for full details.
  - buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115)
  - deps: Upgrade to OpenSSL 1.0.2p, fixing:
    - Client DoS due to large DH parameter (CVE-2018-0732)
    - ECDSA key extraction via local side-channel (CVE not assigned)
- August 2018 Security Releases
  (Update 16-August-2018) Security releases available
  Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement (below).
  We recommend that all users upgrade as soon as practical.
- Node v10.8.0 (Current)
  - deps:
    - Upgrade npm to 6.2.0. #21592
      - npm has moved. This release updates various URLs to point to the right places for bugs, support, and PRs.
      - Fix the regular expression matching in xcode_emulation in node-gyp to also handle version numbers with multiple-digit major versions which would otherwise break under use of XCode 10.
      - The npm tree has been significantly flattened. Tarball size for the npm package has gone from 8MB to 4.8MB.
      - Changelogs: 6.2.0-next.0, 6.2.0-next.1, 6.2.0.
- Node v10.7.0 (Current)
  - console:
    - The console.timeLog() method has been implemented. #21312
  - deps:
  - http:
    - Added support for passing both timeout and agent options to http.request. #21204
  - inspector:
    - Expose the original console API in require('inspector').console. #21659
  - napi:
    - Added experimental support for functions dealing with bigint numbers. #21226
  - process:
  - trace_events:
    - Added process_name metadata. #21477
  - Added new collaborators
    - codebytere - Shelley Vohr
- Node v10.6.0 (Current)
  - dns:
    - An experimental promisified version of the dns module is now available. Give it a try with require('dns').promises. #21264
  - fs:
    - fs.lchown has been undeprecated now that libuv supports it. #21498
  - lib:
  - n-api:
    - Add API for asynchronous functions. #17887
  - util:
    - util.inspect is now able to return a result instead of throwing when the maximum call stack size is exceeded during inspection. #20725
  - vm:
    - Add script.createCachedData(). This API replaces the produceCachedData option of the Script constructor that is now deprecated. #20300
  - worker:
    - Support for relative paths has been added to the Worker constructor. Paths are interpreted relative to the current working directory. #21407
- Node v10.5.0 (Current)
- Node v8.11.3 (LTS)
  - buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
  - http2
    - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the http2 implementation to not crash under certain circumstances during cleanup
    - (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading nghttp2 to 1.32.0
- Node v6.14.3 (LTS)
  - buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where calling Buffer.fill() could hang
  - [7dbcfc6217] - src: avoid hanging on Buffer#fill 0-length input (Сковорода Никита Андреевич) nodejs-private/node-private#121
- Node v9.11.2 (Current)
- Node v10.4.1 (Current)
- June 2018 Security Releases
- Node v10.4.0 (Current)
- Node v10.3.0 (Current)
- Node v10.2.1 (Current)
- Node v10.2.0 (Current)
- Node v8.11.2 (LTS)
- Node v10.1.0 (Current)
- Node v6.14.2 (LTS)
- Node v10.0.0 (Current)
- Node v9.11.1 (Current)
- Node v9.11.0 (Current)
- Node v9.10.1 (Current)
- Node v8.11.1 (LTS)
- Node v6.14.1 (LTS)
- Node v4.9.1 (Maintenance)
- Node v9.10.0 (Current)
- Node v8.11.0 (LTS)
- Node v6.14.0 (LTS)
- Node v4.9.0 (Maintenance)
- March 2018 Security Releases
- Node v9.9.0 (Current)
- Node v9.8.0 (Current)
- Node v8.10.0 (LTS)
- Node v6.13.1 (LTS)
- Node v9.7.1 (Current)
- Node v9.7.0 (Current)
- Node v9.6.1 (Current)
- Node v9.6.0 (Current)
- Node v6.13.0 (LTS)
- Node v9.5.0 (Current)
- Node v9.4.0 (Current)
- Meltdown and Spectre - Impact On Node.js
- Node v8.9.4 (LTS)
- Node v6.12.3 (LTS)