News from 2020
Node v12.17.0 (LTS)
June 2020 Security Releases
The Node.js project will release security updates to all supported release lines on or shortly after Tuesday, June 2nd, 2020.
The highest severity fix will be "High".
All supported versions (10.x, 12.x, and 14.x) of Node.js are vulnerable. Note that 13.x will be end-of-life on June 1st, before the security release date, and according to policy it will not receive any more updates.
Node v14.3.0 (Current)
Node v14.2.0 (Current)
- Node v13.14.0 (Current)
Node v14.1.0 (Current)
- deps: upgrade openssl sources to 1.1.1g (Hassaan Pasha) #32971
- doc: add juanarbol as collaborator (Juan José Arboleda) #32906
- http: doc deprecate abort and improve docs (Robert Nagy) #32807
- module: do not warn when accessing
__esModuleof unfinished exports (Anna Henningsen) #33048
- n-api: detect deadlocks in thread-safe function (Gabriel Schulhof) #32860
- src: deprecate embedder APIs with replacements (Anna Henningsen) #32858
- vm: add importModuleDynamically option to compileFunction (Gus Caplan) #32985
Node v12.16.3 (LTS)
- ESM (experimental):
- Additional warnings are no longer printed for modules that use conditional exports or package name self resolution (Guy Bedford) #31845.
Node v14.0.0 (Current)
- (SEMVER-MAJOR) crypto: move pbkdf2 without digest to EOL (James M Snell) #31166
- (SEMVER-MAJOR) fs: deprecate closing FileHandle on garbage collection (James M Snell) #28396
- (SEMVER-MAJOR) http: move OutboundMessage.prototype.flush to EOL (James M Snell) #31164
- (SEMVER-MAJOR) lib: move GLOBAL and root aliases to EOL (James M Snell) #31167
- (SEMVER-MAJOR) os: move tmpDir() to EOL (James M Snell) #31169
- (SEMVER-MAJOR) src: remove deprecated wasm type check (Clemens Backes) #32116
- (SEMVER-MAJOR) stream: move _writableState.buffer to EOL (James M Snell) #31165
- (SEMVER-MINOR) doc: deprecate process.mainModule (Antoine du HAMEL) #32232
- (SEMVER-MINOR) doc: deprecate process.umask() with no arguments (Colin Ihrig) #32499
OpenSSL security releases do not require Node.js security releases
The OpenSSL project has released a description of the issue fixed in the OpenSSL 1.1.1g update. It only affects a function which is not called by Node.js (or its dependencies), and as such, does not affect Node.js.
No Node.js security releases are required.
For more information, see the OpenSSL announcement.
Node v13.13.0 (Current)
- Added a new function,
fs.readv(with sync and promisified versions). This function takes an array of
ArrayBufferViewelements and will write the data it reads sequentially to the buffers (Sk Sajidul Kadir) #32356.
- A new overload is available for
fs.readSync, which allows to optionally pass any of the
positionparameters (Lucas Holmquist) #32460.
- Added a new function,
- Node v10.20.1 (LTS)
- Node v12.16.2 (LTS)
- Node v10.20.0 (LTS)
- Changes to Release Schedule
- Node v13.12.0 (Current)
- Node v13.11.0 (Current)
- Node v13.10.1 (Current)
- Node v13.10.0 (Current)
- Node v13.9.0 (Current)
- Node v12.16.1 (LTS)
- Node v12.16.0 (LTS)
- February 2020 Security Releases
- Node v13.8.0 (Current)
- Node v12.15.0 (LTS)
- Node v10.19.0 (LTS)
- Node v13.7.0 (Current)
- Node v10.18.1 (LTS)
- Node v13.6.0 (Current)
- Node v12.14.1 (LTS)