News from 2017

• 15 Aug Node v8.4.0 (Current)

  • HTTP2

    • Experimental support for the built-in http2 has been added via the --expose-http2 flag. #14239

  • Inspector

    • require() is available in the inspector console now. #8837
    • Multiple contexts, as created by the vm module, are supported now. #14465

  • N-API

    • New APIs for creating number values have been introduced. #14573

  • Stream

    • For Duplex streams, the high water mark option can now be set independently for the readable and the writable side. #14636

  • Util

    • util.format now supports the %o and %O specifiers for printing objects. #14558

  Read more...

• 10 Aug Node v8.3.0 (Current)

  Thank you to @addaleax for preparing the majority of this release.

  V8 6.0

  The V8 engine has been upgraded to version 6.0, which has a significantly changed performance profile. #14574

  Read more...

• 01 Aug Node v6.11.2 (LTS)
  • configure:
    • add mips64el to valid_arch (Aditya Anand) #13620
  • crypto:
    • Updated root certificates based on NSS 3.30 (Ben Noordhuis)
      • #13279
      • #12402
  • deps:
    • upgrade OpenSSL to version 1.0.2.l (Shigeki Ohtsu) #12913
  • http:
    • parse errors are now reported when NODE_DEBUG=http (Sam Roberts) #13206
    • Agent construction can now be envoked without new (cjihrig) #12927
  • zlib:
    • node will now throw an Error when zlib rejects the value of windowBits, instead of crashing (Alexey Orlenko) #13098

  Read more...

• 20 Jul Node v8.2.1 (Current)
  • http: Writes no longer abort if the Socket is missing.
  • process, async_hooks: Avoid problems when triggerAsyncId is undefined.
  • zlib: Streams no longer attempt to process data when destroyed.

  Read more...

• 19 Jul Node v8.2.0 (Current)

  Big thanks to @addaleax who prepared the vast majority of this release.

  • Async Hooks

    • Multiple improvements to Promise support in async_hooks have been made.

  • Build

    • The compiler version requirement to build Node with GCC has been raised to GCC 4.9.4. [820b011ed6] #13466

  • Cluster

    • Users now have more fine-grained control over the inspector port used by individual cluster workers. Previously, cluster workers were restricted to incrementing from the master's debug port. [dfc46e262a] #14140

  • DNS

    • The server used for DNS queries can now use a custom port. [ebe7bb29aa] #13723
    • Support for dns.resolveAny() has been added. [6e30e2558e] #13137

  • npm

    • The npm CLI has been updated to version 5.3.0. In particular, it now comes with the npx binary, which is also shipped with Node. [dc3f6b9ac1] #14235
    • npm Changelogs:
      • v5.0.4
      • v5.1.0
      • v5.2.0
      • v5.3.0

  Read more...

• 11 Jul Node v8.1.4 (Current)
  • build:
    • Disable V8 snapshots - The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found (Ali Ijaz Sheikh)
  • deps:
    • CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. This patch checks that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record. (David Drysdale)

  Read more...

• 11 Jul Node v7.10.1 (Current)
  • build:
    • Disable V8 snapshots - The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found (Ali Ijaz Sheikh)
  • deps:
    • CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. This patch checks that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record. (David Drysdale)

  Read more...

• 11 Jul Security updates for all active release lines, July 2017

  The vulnerability has been patched upstream and snapshots have been re-enabled in 8.3.0

  Expect a backport and update with the next release of 6.x

  Download

  • Node.js v8 (Current)

  Updates are now available for all active Node.js release lines as well as the 7.x line. These include the fix for the high severity vulnerability identified in the initial announcement, one additional lower priority Node.js vulnerability in the 4.x release line, as well as some lower priority fixes for Node.js dependencies across the current release lines.

  Read more...

• 11 Jul Node v6.11.1 (LTS)
  • build:
    • Disable V8 snapshots - The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found (Ali Ijaz Sheikh)
  • deps:
    • CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. This patch checks that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record. (David Drysdale)

  Read more...

• 11 Jul Node v4.8.4 (Maintenance)
  • build:
    • Disable V8 snapshots - The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found (Ali Ijaz Sheikh)
  • deps:
    • CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. This patch checks that there is enough data for the required elements of an NAPTR record (2 int16, 3 bytes for string lengths) before processing a record. (David Drysdale)

  Read more...

• 29 Jun Node v8.1.3 (Current)
• 15 Jun Node v8.1.2 (Current)
• 13 Jun Node v8.1.1 (Current)
• 08 Jun Node v8.1.0 (Current)
• 06 Jun Node v6.11.0 (LTS)
• 30 May Node v8.0.0 (Current)
• 03 May Node v7.10.0 (Current)
• 02 May Node v4.8.3 (Maintenance)
• 02 May Node v6.10.3 (LTS)
• 11 Apr Node v7.9.0 (Current)
• 04 Apr Node v4.8.2 (Maintenance)
• 04 Apr Node v6.10.2 (LTS)
• 29 Mar Node v7.8.0 (Current)
• 21 Mar Node v7.7.4 (Current)
• 21 Mar Node v6.10.1 (LTS)
• 21 Mar Node v4.8.1 (LTS)
• 14 Mar Node v7.7.3 (Current)
• 08 Mar Node v7.7.2 (Current)
• 02 Mar Node v7.7.1 (Current)
• 01 Mar Node v7.7.0 (Current)
• 28 Feb Diag WG Update - Many new tools, phasing out some old ones
• 22 Feb Node v7.6.0 (Current)
• 22 Feb Node.js - Quality with Speed
• 22 Feb Node v6.10.0 (LTS)
• 22 Feb Node v4.8.0 (LTS)
• 10 Feb Weekly Update - February 10th, 2017
• 01 Feb Node v7.5.0 (Current)
• 01 Feb Node v4.7.3 (LTS)
• 01 Feb Node v6.9.5 (LTS)
• 27 Jan OpenSSL update, 1.0.2k
• 26 Jan The Node.js Foundation Partners with The Linux Foundation on New Node.js Certification Program
• 20 Jan Node.js Foundation Individual Membership Director election opens Friday, January 20
• 05 Jan Node v6.9.4 (LTS)
• 05 Jan Node v4.7.2 (LTS)
• 04 Jan Node v7.4.0 (Current)
• 04 Jan Node v4.7.1 (LTS)
• 04 Jan Node v6.9.3 (LTS)