News from 2021
-
October 12th 2021 Security Releases
Updates are now available for the v16.x, v14.x, and v12.x Node.js release lines for the following issues.
The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
-
Node v12.22.7 (LTS)
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
- The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
- CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
- The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
-
Node v14.18.1 (LTS)
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
- The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
- CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
- The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
-
Node v16.11.1 (Current)
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
- The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
- CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
- The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
- CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
- Node v16.11.0 (Current)
-
Retiring the Node.js Community Committee
tl;dr: we're going to be retiring the Node.js Community Committee, moving our existing Initiatives to exist under the Node.js Technical Steering Committee (TSC).
From the Community Committee's side, we've seen a convergence of our initiatives' goals with the goals of the work that is generally under the TSC. Further, we've seen a decline in the number of people who can consistently dedicate the necessary amount of time/energy. As such, separation between the TSC and Community Committee has become more of a barrier to accomplishing our collective goals rather than the helpful and necessary construct it once was.
-
Node v14.18.0 (LTS)
- [
3a60de0135] - assert: change status of legacy asserts (James M Snell) #38113 - [
df37c106a7] - (SEMVER-MINOR) buffer: introduce Blob (James M Snell) #36811 - [
223494c548] - (SEMVER-MINOR) buffer: add base64url encoding option (Filip Skokan) #36952 - [
14fc4ddabc] - (SEMVER-MINOR) child_process: allowoptions.cwdreceive a URL (Khaidi Chu) #38862 - [
b68b13acb3] - (SEMVER-MINOR) child_process: add timeout to spawn and fork (Nitzan Uziely) #37256 - [
da98c9f99b] - (SEMVER-MINOR) child_process: allow promisified exec to be cancel (Carlos Fuentes) #34249 - [
779310ac87] - (SEMVER-MINOR) child_process: add 'overlapped' stdio flag (Thiago Padilha) #29412 - [
40eb3b79f1] - (SEMVER-MINOR) cli: add -C alias for --conditions flag (Guy Bedford) #38755 - [
39eba0a2e1] - (SEMVER-MINOR) cli: add --node-memory-debug option (Anna Henningsen) #35537 - [
d8d9a9628a] - (SEMVER-MINOR) dns: add "tries" option to Resolve options (Luan Devecchi) #39610 - [
15ba19b020] - (SEMVER-MINOR) dns: allow--dns-result-orderto change default dns verbatim (Ouyang Yadong) #38099 - [
307c1d817f] - doc: refactor fs docs structure (James M Snell) #37170 - [
9ee3f77e32] - (SEMVER-MINOR) errors: remove experimental from --enable-source-maps (Benjamin Coe) #37362 - [
e73bfed2f4] - esm: deprecate legacy main lookup for modules (Guy Bedford) #36918 - [
989c204a58] - (SEMVER-MINOR) fs: allow empty string for temp directory prefix (Voltrex) #39028 - [
ef72490cde] - (SEMVER-MINOR) fs: allow no-params fsPromises fileHandle read (Nitzan Uziely) #38287 - [
cad9d20f64] - (SEMVER-MINOR) fs: add support for async iterators tofsPromises.writeFile(HiroyukiYagihashi) #37490 - [
2b0e2706c0] - fs: improve fsPromises readFile performance (Nitzan Uziely) #37608 - [
fe12cc07b3] - (SEMVER-MINOR) fs: add fsPromises.watch() (James M Snell) #37179 - [
2459c115a8] - (SEMVER-MINOR) fs: allowpositionparameter to be aBigIntin read and readSync (Darshan Sen) #36190 - [
6544cfb4b9] - (SEMVER-MINOR) http2: add support for sensitive headers (Anna Henningsen) #34145 - [
a6c6cbb4e6] - (SEMVER-MINOR) http2: allow setting the local window size of a session (Yongsheng Zhang) #35978 - [
1e5aca550c] - inspector: mark as stable (Gireesh Punathil) #37748 - [
93af04afbb] - (SEMVER-MINOR) module: add support forURLtoimport.meta.resolve(Antoine du Hamel) #38587 - [
f9f9389d83] - (SEMVER-MINOR) module: add support fornode:‑prefixedrequire(…)calls (ExE Boss) #37246 - [
87c71065eb] - (SEMVER-MINOR) net: introduce net.BlockList (James M Snell) #34625 - [
b421d99a48] - (SEMVER-MINOR) node-api: allow retrieval of add-on file name (Gabriel Schulhof) #37195 - [
6a4811df8a] - (SEMVER-MINOR) os: add os.devNull (Luigi Pinca) #38569 - [
4a88ddeeca] - (SEMVER-MINOR) perf_hooks: introduce createHistogram (James M Snell) #37155 - [
1a6bf1c4a3] - (SEMVER-MINOR) process: add api to enable source-maps programmatically (legendecas) #39085 - [
99735a6fe8] - (SEMVER-MINOR) process: add'worker'event (James M Snell) #38659 - [
3982919317] - (SEMVER-MINOR) process: add direct access to rss without iterating pages (Adrien Maret) #34291 - [
526e6c7bde] - (SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely) #37932 - [
e6eee08692] - (SEMVER-MINOR) readline: add support for the AbortController to the question method (Mattias Runge-Broberg) #33676 - [
32de361d70] - (SEMVER-MINOR) readline: add history event and option to set initial history (Mattias Runge-Broberg) #33662 - [
797f7f8a38] - (SEMVER-MINOR) repl: add auto‑completion fornode:‑prefixedrequire(…)calls (ExE Boss) #37246 - [
abfd71b64c] - (SEMVER-MINOR) src: call overload ctor from the original ctor (Darshan Sen) #39768 - [
1efae01b18] - (SEMVER-MINOR) src: add a constructor overload for CallbackScope (Darshan Sen) #39768 - [
f7933804ba] - (SEMVER-MINOR) src: allow to negate boolean CLI flags (Michaël Zasso) #39023 - [
6d06ac2202] - (SEMVER-MINOR) src: add --heapsnapshot-near-heap-limit option (Joyee Cheung) #33010 - [
577d228ca0] - (SEMVER-MINOR) src: add way to get IsolateData and allocator from Environment (Anna Henningsen) #36441 - [
658a266cd4] - (SEMVER-MINOR) src: allow preventing SetPrepareStackTraceCallback (Shelley Vohr) #36447 - [
f421422ea4] - (SEMVER-MINOR) src: add maybe versions of EmitExit and EmitBeforeExit (Anna Henningsen) #35486 - [
a62d4d60f4] - (SEMVER-MINOR) stream: add readableDidRead if has been read from (Robert Nagy) #39589 - [
63502131a3] - (SEMVER-MINOR) stream: pipeline accept Buffer as a valid first argument (Nitzan Uziely) #37739 - [
68bbebd42c] - (SEMVER-MINOR) tls: allow reading data into a static buffer (Andrey Pechkurov) #35753 - [
1cbb74d63d] - (SEMVER-MINOR) url: expose urlToHttpOptions utility (Yongsheng Zhang) #35960 - [
8eb11356dd] - (SEMVER-MINOR) util: expose toUSVString (Robert Nagy) #39814 - [
84fcdc3074] - (SEMVER-MINOR) v8: implement v8.stopCoverage() (Joyee Cheung) #33807 - [
b238b6bf17] - (SEMVER-MINOR) v8: implement v8.takeCoverage() (Joyee Cheung) #33807 - [
9f6bc58da8] - (SEMVER-MINOR) worker: add setEnvironmentData/getEnvironmentData (James M Snell) #37486
- [
-
Node v16.10.0 (Current)
- [
fb226ff2ee] - (SEMVER-MINOR) crypto: add rsa-pss keygen parameters (Filip Skokan) #39927 - [
85206b7311] - deps: upgrade npm to 7.24.0 (npm team) #40167 - [
98f56d179c] - deps: update Acorn to v8.5.0 (Michaël Zasso) #40015 - [
9655329772] - doc: add Ayase-252 to collaborators (Qingyu Deng) #40078 - [
59fff925be] - (SEMVER-MINOR) fs: makeopenandclosestream override optional when unused (Antoine du Hamel) #40013 - [
a63a4bce90] - (SEMVER-MINOR) http: limit requests per connection (Artur K) #40082- The maximum number of requests a socket can handle before closing keep alive connection can be set with
server.maxRequestsPerSocket.
- The maximum number of requests a socket can handle before closing keep alive connection can be set with
- [
9a672961fa] - (SEMVER-MINOR) src: add --no-global-search-paths cli option (Cheng Zhao) #39754- Adds the
--no-global-search-pathscommand-line option to not search modules from global paths like$HOME/.node_modulesand$NODE_PATH.
- Adds the
- [
fe920b6cbf] - (SEMVER-MINOR) src: make napi_create_reference accept symbol (JckXia) #39926 - [
97f3072ceb] - (SEMVER-MINOR) stream: add signal support to pipeline generators (Robert Nagy) #39067
- [
-
Node v16.9.1 (Current)
This release fixes a regression introduced by the V8 9.3 update in Node.js 16.9.0.
- [
04f1943109] - deps: V8: cherry-pick 9a607043cb31 (Jiawen Geng) #40046
- [
-
Node v16.9.0 (Current)
Corepack
Node.js now includes Corepack, a script that acts as a bridge between Node.js projects and the package managers they are intended to be used with during development. In practical terms, Corepack will let you use Yarn and pnpm without having to install them - just like what currently happens with npm, which is shipped in Node.js by default. Please head over to the Corepack documentation page for more information on how to use it.
- August 31 2021 Security Releases
- Node v14.17.6 (LTS)
- Node v12.22.6 (LTS)
- Node v16.8.0 (Current)
- Node v16.7.0 (Current)
- Node v16.6.2 (Current)
- Node v14.17.5 (LTS)
- Node v12.22.5 (LTS)
- August 2021 Security Releases
- Node v16.6.1 (Current)
- Node v16.6.0 (Current)
- Node v14.17.4 (LTS)
- Node v12.22.4 (LTS)
- July 2021 Security Releases
- Node v16.5.0 (Current)
- Node v16.4.2 (Current)
- Node v14.17.3 (LTS)
- Node v12.22.3 (LTS)
- July 2021 Security Releases
- Node v14.17.2 (LTS)
- Node v12.22.2 (LTS)
- Node v16.4.1 (Current)
- Node v16.4.0 (Current)
- Node v14.17.1 (LTS)
- Node v16.3.0 (Current)
- Node v16.2.0 (Current)
- Node v14.17.0 (LTS)
- Node v16.1.0 (Current)
- Node v16.0.0 (Current)
- April 2021 Security Releases
- Node v15.14.0 (Current)
- Node v14.16.1 (LTS)
- Node v12.22.1 (LTS)
- Node v10.24.1 (LTS)
- Node v15.13.0 (Current)
- Node v12.22.0 (LTS)
- Node v15.12.0 (Current)
- Node v15.11.0 (Current)
- February 2021 Security Releases
- Node v14.16.0 (LTS)
- Node v12.21.0 (LTS)
- Node v15.10.0 (Current)
- Node v10.24.0 (LTS)
- Node v15.9.0 (Current)
- Node v12.20.2 (LTS)
- Node v10.23.3 (LTS)
- Node v14.15.5 (LTS)
- Node v15.8.0 (Current)
- Node v10.23.2 (LTS)
- Node v15.7.0 (Current)
- Node v15.6.0 (Current)
- January 2021 Security Releases
- Node v12.20.1 (LTS)
- Node v10.23.1 (LTS)
- Node v14.15.4 (LTS)
- Node v15.5.1 (Current)