News from 2019

• 12 Sep OpenSSL security releases do not require Node.js security releases

  The OpenSSL Security releases of September 10th, 2019 do not affect Node.js.

  Our assessment of the security advisory is:

  • ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing.

  • Fork Protection (CVE-2019-1549) Not affected. Node.js always call exec() after fork() so will not duplicate the PRNG state in the forked process.

  • Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) Not affected. Node does not support PCKS7 and CMS.

  Read more...

• 05 Sep OpenSSL security releases may require Node.js security releases

  The Node.js project may be releasing new versions across all of its supported release lines early next week to incorporate upstream patches from OpenSSL. Please read on for full details.

  The OpenSSL project announced this week that they will be releasing versions 1.0.2t and 1.1.1d on the 10th of September, UTC. The releases will fix two security defects that are labelled as "LOW" severity under their security policy, meaning they are:

  Read more...

• 04 Sep Node v12.10.0 (Current)
  • deps:
    • Update npm to 6.10.3 (isaacs) #29023
  • fs:
    • Add recursive option to rmdir() (cjihrig) #29168
    • Allow passing true to emitClose option (Giorgos Ntemiris) #29212
    • Add *timeNs properties to BigInt Stats objects (Joyee Cheung) #21387
  • net:
    • Allow reading data into a static buffer (Brian White) #25436

  Read more...

• 26 Aug Node v12.9.1 (Current)

  This release fixes two regressions in the http module:

  • Fixes an event listener leak in the HTTP client. This resulted in lots of warnings during npm/yarn installs (Robert Nagy) #29245.
  • Fixes a regression preventing the 'end' event from being emitted for keepalive requests in case the full body was not parsed (Matteo Collina) #29263.

  Read more...

• 20 Aug Node v12.9.0 (Current)
  • crypto:
    • Added an oaepHash option to asymmetric encryption which allows users to specify a hash function when using OAEP padding (Tobias Nießen) #28335.
  • deps:
    • Updated V8 to 7.6.303.29 (Michaël Zasso) #28955.
      • Improves the performance of various APIs such as JSON.parse and methods called on frozen arrays.
      • Adds the Promise.allSettled method.
      • Improves support of BigInt in Intl methods.
      • For more information: https://v8.dev/blog/v8-release-76
    • Updated libuv to 1.31.0 (cjihrig) #29070.
      • UV_FS_O_FILEMAP has been added for faster access to memory mapped files on Windows.
      • uv_fs_mkdir() now returns UV_EINVAL for invalid filenames on Windows. It previously returned UV_ENOENT.
      • The uv_fs_statfs() API has been added.
      • The uv_os_environ() and uv_os_free_environ() APIs have been added.
  • fs:
    • Added fs.writev, fs.writevSync and filehandle.writev (promise version) methods. They allow to write an array of ArrayBufferViews to a file descriptor (Anas Aboureada) #25925, (cjihrig) #29186.
  • http:
    • Added three properties to OutgoingMessage.prototype: writableObjectMode, writableLength and writableHighWaterMark #29018.
  • stream:
    • Added an new property readableEnded to readable streams. Its value is set to true when the 'end' event is emitted. (Robert Nagy) #28814.
    • Added an new property writableEnded to writable streams. Its value is set to true after writable.end() has been called. (Robert Nagy) #28934.

  Read more...

• 16 Aug August 2019 Security Releases

  Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

  Read more...

• 15 Aug Node v10.16.3 (LTS)

  This is a security release.

  Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

  Read more...

• 15 Aug Node v8.16.1 (LTS)

  This is a security release.

  Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

  Read more...

• 15 Aug Node v12.8.1 (Current)

  This is a security release.

  Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.

  Read more...

• 06 Aug Node v10.16.2 (LTS)

  This release patches a regression in the OpenSSL upgrade to 1.1.1c that causes intermittent hangs in machines that have low entropy.

  • [894a9dd230] - deps: cherry-pick c19c5a6 from openssl upstream (Ali Ijaz Sheikh) #28983

  Read more...

• 06 Aug Node v12.8.0 (Current)
• 31 Jul Node v10.16.1 (LTS)
• 23 Jul Node v12.7.0 (Current)
• 03 Jul Node v12.6.0 (Current)
• 27 Jun Node v12.5.0 (Current)
• 04 Jun Node v12.4.0 (Current)
• 28 May Node v10.16.0 (LTS)
• 22 May Node v12.3.1 (Current)
• 21 May Node v12.3.0 (Current)
• 07 May Node v12.2.0 (Current)
• 30 Apr Node v11.15.0 (Current)
• 29 Apr Node v12.1.0 (Current)
• 23 Apr Node v12.0.0 (Current)
• 16 Apr Node v8.16.0 (LTS)
• 11 Apr Node v11.14.0 (Current)
• 03 Apr Node v6.17.1 (LTS)
• 28 Mar Node v11.13.0 (Current)
• 15 Mar Node v11.12.0 (Current)
• 06 Mar Node v11.11.0 (Current)
• 05 Mar Node v10.15.3 (LTS)
• 28 Feb February 2019 Security Releases
• 28 Feb Node v11.10.1 (Current)
• 28 Feb Node v10.15.2 (LTS)
• 28 Feb Node v8.15.1 (LTS)
• 28 Feb Node v6.17.0 (LTS)
• 14 Feb Node v11.10.0 (Current)
• 30 Jan Node v11.9.0 (Current)
• 29 Jan Node v10.15.1 (LTS)
• 25 Jan Node v11.8.0 (Current)
• 18 Jan Node v11.7.0 (Current)