News from 2019

• 06 Nov Node v13.1.0 (Current)
  • cli:
    • Added a new flag (--trace-uncaught) that makes Node.js print the stack trace at the time of throwing uncaught exceptions, rather than at the creation of the Error object, if there is any. This is disabled by default because it affects GC behavior (Anna Henningsen) #30025.
  • crypto:
    • Added Hash.prototype.copy() method. It returns a new Hash object with its internal state cloned from the original one (Ben Noordhuis) #29910.
  • dgram:
    • Added source-specific multicast support. This adds methods to Datagram sockets to support RFC 4607 for IPv4 and IPv6 (Lucas Pardue) #15735.
  • fs:
    • Added a bufferSize option to fs.opendir(). It allows to control the number of entries that are buffered internally when reading from the directory (Anna Henningsen) #30114.
  • meta:
    • Added Chengzhong Wu to collaborators #30115.

  Read more...

• 23 Oct Node v13.0.1 (Current)
  • deps:
    • Fixed a bug in npm 6.12.0 where warnings are emitted on Node.js 13.x (Jordan Harband) #30079.
  • esm:
    • Changed file extension resolution order of --es-module-specifier-resolution=node to match that of the CommonJS loader (Myles Borins) #29974.

  Read more...

• 22 Oct Node v10.17.0 (LTS)
  • crypto:
    • add support for chacha20-poly1305 for AEAD (chux0519) #24081
    • increase maxmem range from 32 to 53 bits (Tobias Nießen) #28799
  • deps:
    • update npm to 6.11.3 (claudiahdz) #29430
    • upgrade openssl sources to 1.1.1d (Sam Roberts) #29921
  • dns: remove dns.promises experimental warning (cjihrig) #26592
  • fs: remove experimental warning for fs.promises (Anna Henningsen) #26581
  • http: makes response.writeHead return the response (Mark S. Everitt) #25974
  • http2: makes response.writeHead return the response (Mark S. Everitt) #25974
  • n-api:
    • make func argument of napi_create_threadsafe_function optional (legendecas) #27791
    • mark version 5 N-APIs as stable (Gabriel Schulhof) #29401
    • implement date object (Jarrod Connolly) #25917
  • process: add --unhandled-rejections flag (Ruben Bridgewater) #26599
  • stream:
    • implement Readable.from async iterator utility (Guy Bedford) #27660
    • make Symbol.asyncIterator support stable (Matteo Collina) #26989

  Read more...

• 22 Oct Node v13.0.0 (Current)
  • assert:
    • If the validation function passed to assert.throws() or assert.rejects() returns a value other than true, an assertion error will be thrown instead of the original error to highlight the programming mistake (Ruben Bridgewater) #28263.
    • If a constructor function is passed to validate the instance of errors thrown in assert.throws() or assert.reject(), an assertion error will be thrown instead of the original error (Ruben Bridgewater) #28263.
  • build:
    • Node.js releases are now built with default full-icu support. This means that all locales supported by ICU are now included and Intl-related APIs may return different values than before (Richard Lau) #29887.
    • The minimum Xcode version supported for macOS was increased to 10. It is still possible to build Node.js with Xcode 8 but this may no longer be the case in a future v13.x release (Michael Dawson) #29622.
  • child_process:
    • ChildProcess._channel (DEP0129) is now a Runtime deprecation (cjihrig) #27949.
  • console:
    • The output console.timeEnd() and console.timeLog() will now automatically select a suitable time unit instead of always using milliseconds (Xavier Stouder) #29251.
  • deps:
    • The V8 engine was updated to version 7.8. This includes performance improvements to object destructuring, memory usage and WebAssembly startup time (Myles Borins) #29694.
  • domain:
    • The domain's error handler is now executed with the active domain set to the domain's parent to prevent inner recursion (Julien Gilli) #26211.
  • fs:
    • The undocumented method FSWatcher.prototype.start() was removed (Lucas Holmquist) #29905.
    • Calling the open() method on a ReadStream or WriteStream now emits a runtime deprecation warning. The methods are supposed to be internal and should not be called by user code (Robert Nagy) #29061.
    • fs.read/write, fs.readSync/writeSync and fd.read/write now accept any safe integer as their offset parameter. The value of offset is also no longer coerced, so a valid type must be passed to the functions (Zach Bjornson) #26572.
  • http:
    • Aborted requests no longer emit the end or error events after aborted (Robert Nagy) #27984, #20077.
    • Data will no longer be emitted after a socket error (Robert Nagy) #28711.
    • The legacy HTTP parser (previously available under the --http-parser=legacy flag) was removed (Anna Henningsen) #29589.
    • The host option for HTTP requests is now validated to be a string value (Giorgos Ntemiris) #29568.
    • The request.connection and response.connection properties are now runtime deprecated. The equivalent request.socket and response.socket should be used instead (Robert Nagy) #29015.
  • http, http2:
    • The default server timeout was removed (Ali Ijaz Sheikh) #27558.
    • Brought 425 status code name into accordance with RFC 8470. The name changed from "Unordered Collection" to "Too Early" (Sergei Osipov) #29880.
  • lib:
    • The error.errno property will now always be a number. To get the string value, use error.code instead (Joyee Cheung) #28140.
  • module:
    • module.createRequireFromPath() is deprecated. Use module.createRequire() instead (cjihrig) #27951.
  • src:
    • Changing the value of process.env.TZ will now clear the tz cache. This affects the default time zone used by methods such as Date.prototype.toString (Ben Noordhuis) #20026.
  • stream:
    • The timing and behavior of streams was consolidated for a number of edge cases. Please look at the individual commits below for more information.

  Read more...

• 21 Oct Node v12.13.0 (LTS)

  This release marks the transition of Node.js 12.x into Long Term Support (LTS) with the codename 'Erbium'. The 12.x release line now moves into "Active LTS" and will remain so until October 2020. After that time, it will move into "Maintenance" until end of life in April 2022.

  Read more...

• 11 Oct Node v12.12.0 (Current)
  • build:
    • Add --force-context-aware flag to prevent usage of native node addons that aren't context aware #29631
  • deprecations:
    • Add documentation-only deprecation for process._tickCallback() #29781
  • esm:
    • Using JSON modules is experimental again #29754
  • fs:
    • Introduce opendir() and fs.Dir to iterate through directories #29349
  • process:
    • Add source-map support to stack traces by using --enable-source-maps#29564
  • tls:
    • Honor pauseOnConnect option #29635
    • Add option for private keys for OpenSSL engines #28973

  Read more...

• 09 Oct Node v8.16.2 (LTS)
  • deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230

  • [cc9d005628] - crypto: update root certificates (Sam Roberts) #28808
  • [347fcd35e3] - crypto: update root certificates (Sam Roberts) #27374
  • [b2a6b3254d] - crypto: update root certificates (Sam Roberts) #25113
  • [5682e50325] - deps: add -no_rand_screen to openssl s_client (Shigeki Ohtsu) nodejs/io.js#1836
  • [9663ae3546] - deps: fix asm build error of openssl in x86_win32 (Shigeki Ohtsu) iojs/io.js#1389
  • [87eee99466] - deps: fix openssl assembly error on ia32 win32 (Fedor Indutny) iojs/io.js#1389
  • [da99d3f972] - deps: copy all openssl header files to include dir (Sam Roberts) #28230
  • [dc9d645ac4] - deps: upgrade openssl sources to 1.0.2s (Sam Roberts) #28230
  • [37e24b19a0] - deps: V8: backport d520ebb (Michaël Zasso) #27358
  • [1a5dc6a3e7] - http: check for existance in resetHeadersTimeoutOnReqEnd (Matteo Collina) #26402
  • [e45b6a3b98] - http2: do not start reading after write if new write is on wire (Anna Henningsen) #29399
  • [559a8e342b] - http2: do not crash on stream listener removal w/ destroyed session (Anna Henningsen) #29459
  • [dd285968c4] - openssl: fix keypress requirement in apps on win32 (Shigeki Ohtsu) iojs/io.js#1389
  • [3ee076f03d] - stream: ensure writable.destroy() emits error once (Luigi Pinca) #26057
  • [a7e5fe1f06] - test: unskip tests that now pass on AIX (Sam Roberts) #29054
  • [65e9b0f5a2] - test: specialize OOM check for AIX (Sam Roberts) #28857
  • [7aca9cb09b] - test: fix pty test hangs on aix (Ben Noordhuis) #28600
  • [588b761fca] - test: skip stringbytes-external-exceed-max on AIX (Sam Roberts) #28516
  • [930647d0fe] - test: skip tests related to CI failures on AIX (Sam Roberts) #28469
  • [92a2f8bbe3] - test,win: cleanup exec-timeout processes (João Reis) #28723
  • [d57f79726d] - tls: partially backport pull request #26415 (Ben Noordhuis) #26415
  • [c582fef5cc] - tools: update certdata.txt (Sam Roberts) #28808
  • [4fbadf6a9e] - tools: update certdata.txt (Sam Roberts) #27374
  • [529b2ad25f] - tools: update certdata.txt (Sam Roberts) #25113

  Read more...

• 01 Oct Node v12.11.1 (Current)
  • build:
    • This release fixes a regression that prevented from building Node.js using the official source tarball (Richard Lau) #29712.
  • deps:
    • Updated small-icu data to support "unit" style in the Intl.NumberFormat API (Michaël Zasso) #29735.

  Read more...

• 25 Sep Node v12.11.0 (Current)
  • crypto:
    • Add oaepLabel option #29489
  • deps:
    • Update V8 to 7.7.299.11 #28918
      • More efficient memory handling
      • Stack trace serialization got faster
      • The Intl.NumberFormat API gained new functionality
      • For more information: https://v8.dev/blog/v8-release-77
  • events:
    • Add support for EventTarget in once #29498
  • fs:
    • Expose memory file mapping flag UV_FS_O_FILEMAP #29260
  • inspector:
    • New API - Session.connectToMainThread #28870
  • process:
    • Initial SourceMap support via env.NODE_V8_COVERAGE #28960
  • stream:
    • Make _write() optional when _writev() is implemented #29639
  • tls:
    • Add option to override signature algorithms #29598
  • util:
    • Add encodeInto to TextEncoder #29524
  • worker:
    • The worker_thread module is now stable #29512

  Read more...

• 12 Sep OpenSSL security releases do not require Node.js security releases

  The OpenSSL Security releases of September 10th, 2019 do not affect Node.js.

  Our assessment of the security advisory is:

  • ECDSA remote timing attack (CVE-2019-1547) Not affected. Node supports only named curves for ECDSA signing.

  • Fork Protection (CVE-2019-1549) Not affected. Node.js always call exec() after fork() so will not duplicate the PRNG state in the forked process.

  • Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563) Not affected. Node does not support PCKS7 and CMS.

  Read more...

• 05 Sep OpenSSL security releases may require Node.js security releases
• 04 Sep Node v12.10.0 (Current)
• 26 Aug Node v12.9.1 (Current)
• 20 Aug Node v12.9.0 (Current)
• 16 Aug August 2019 Security Releases
• 15 Aug Node v10.16.3 (LTS)
• 15 Aug Node v8.16.1 (LTS)
• 15 Aug Node v12.8.1 (Current)
• 06 Aug Node v10.16.2 (LTS)
• 06 Aug Node v12.8.0 (Current)
• 31 Jul Node v10.16.1 (LTS)
• 23 Jul Node v12.7.0 (Current)
• 03 Jul Node v12.6.0 (Current)
• 27 Jun Node v12.5.0 (Current)
• 04 Jun Node v12.4.0 (Current)
• 28 May Node v10.16.0 (LTS)
• 22 May Node v12.3.1 (Current)
• 21 May Node v12.3.0 (Current)
• 07 May Node v12.2.0 (Current)
• 30 Apr Node v11.15.0 (Current)
• 29 Apr Node v12.1.0 (Current)
• 23 Apr Node v12.0.0 (Current)
• 16 Apr Node v8.16.0 (LTS)
• 11 Apr Node v11.14.0 (Current)
• 03 Apr Node v6.17.1 (LTS)
• 28 Mar Node v11.13.0 (Current)
• 15 Mar Node v11.12.0 (Current)
• 06 Mar Node v11.11.0 (Current)
• 05 Mar Node v10.15.3 (LTS)
• 28 Feb February 2019 Security Releases
• 28 Feb Node v11.10.1 (Current)
• 28 Feb Node v10.15.2 (LTS)
• 28 Feb Node v8.15.1 (LTS)
• 28 Feb Node v6.17.0 (LTS)
• 14 Feb Node v11.10.0 (Current)
• 30 Jan Node v11.9.0 (Current)
• 29 Jan Node v10.15.1 (LTS)
• 25 Jan Node v11.8.0 (Current)
• 18 Jan Node v11.7.0 (Current)