News from 2021
-
Node v16.10.0 (Current)
- [
fb226ff2ee] - (SEMVER-MINOR) crypto: add rsa-pss keygen parameters (Filip Skokan) #39927 - [
85206b7311] - deps: upgrade npm to 7.24.0 (npm team) #40167 - [
98f56d179c] - deps: update Acorn to v8.5.0 (Michaël Zasso) #40015 - [
9655329772] - doc: add Ayase-252 to collaborators (Qingyu Deng) #40078 - [
59fff925be] - (SEMVER-MINOR) fs: makeopenandclosestream override optional when unused (Antoine du Hamel) #40013 - [
a63a4bce90] - (SEMVER-MINOR) http: limit requests per connection (Artur K) #40082- The maximum number of requests a socket can handle before closing keep alive connection can be set with
server.maxRequestsPerSocket.
- The maximum number of requests a socket can handle before closing keep alive connection can be set with
- [
9a672961fa] - (SEMVER-MINOR) src: add --no-global-search-paths cli option (Cheng Zhao) #39754- Adds the
--no-global-search-pathscommand-line option to not search modules from global paths like$HOME/.node_modulesand$NODE_PATH.
- Adds the
- [
fe920b6cbf] - (SEMVER-MINOR) src: make napi_create_reference accept symbol (JckXia) #39926 - [
97f3072ceb] - (SEMVER-MINOR) stream: add signal support to pipeline generators (Robert Nagy) #39067
- [
-
Node v16.9.1 (Current)
This release fixes a regression introduced by the V8 9.3 update in Node.js 16.9.0.
- [
04f1943109] - deps: V8: cherry-pick 9a607043cb31 (Jiawen Geng) #40046
- [
-
Node v16.9.0 (Current)
Corepack
Node.js now includes Corepack, a script that acts as a bridge between Node.js projects and the package managers they are intended to be used with during development. In practical terms, Corepack will let you use Yarn and pnpm without having to install them - just like what currently happens with npm, which is shipped in Node.js by default. Please head over to the Corepack documentation page for more information on how to use it.
-
August 31 2021 Security Releases
Updates are now available for v14.x, and v12.x Node.js release lines for the following issues.
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
-
Node v14.17.6 (LTS)
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
-
Node v12.22.6 (LTS)
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
-
Node v16.8.0 (Current)
- [
2e90b10f35] - doc: deprecate type coercion fordns.lookupoptions (Antoine du Hamel) #38906 - [
a6d50a18a0] - (SEMVER-MINOR) stream: addstream.Duplex.fromutility (Robert Nagy) #39519 - [
af7047a815] - (SEMVER-MINOR) stream: addisDisturbedhelper (Robert Nagy) #39628 - [
66400374de] - (SEMVER-MINOR) util: exposetoUSVString(Robert Nagy) #39814
- [
-
Node v16.7.0 (Current)
- fs:
- experimental: add recursive cp method (Benjamin Coe) #39372
- [
a80c989306] - async_hooks: merge resource_symbol with owner_symbol (Darshan Sen) #38468 - [
69a2a6b6c3] - bootstrap: call _undestroy() inside _destroy for stdout and stderr (Matteo Collina) #39685 - [
5bc31ea0aa] - buffer: add endings option, remove Node.js specific encoding option (James M Snell) #39708 - [
091a579275] - (SEMVER-MINOR) buffer: add Blob.prototype.stream method and other cleanups (James M Snell) #39693 - [
097d898e58] - build: run coverage for inspector protocol changes (Richard Lau) #39725 - [
cf028df0ed] - build: fix V8 build with pointer compression (Michaël Zasso) #39664 - [
9d38400de1] - build: exclude markdown files from some GitHub Actions (Rich Trott) #39565 - [
eeb804a7b7] - build: use lts shorthand in GitHub Actions (Rich Trott) #39538 - [
93a904d0ba] - (SEMVER-MINOR) crypto: implement webcrypto.randomUUID (Michaël Zasso) #39648 - [
3321b65a5a] - debugger: prevent simultaneous heap snapshots (Rich Trott) #39638 - [
6c375e18b6] - debugger: remove undefined parameter (Rich Trott) #39570 - [
103bf20988] - deps: V8: cherry-pick 81814ed44574 (Stephen Belanger) #39719 - [
cf5e5b5711] - deps: upgrade to libuv 1.42.0 (Luigi Pinca) #39525 - [
5f92d2fe6d] - dgram: use simplified validator (Voltrex) #39753 - [
c7e918b06a] - (SEMVER-MINOR) dns: add "tries" option to Resolve options (Luan Devecchi) #39610 - [
5d66646b71] - doc: correct cjs code to match mjs code (Raz Luvaton) #39509 - [
f18bb2a0f1] - doc: fix typo in hmac.paramNames default (Justin) #39766 - [
338a166e83] - doc: fixfs.rmdirrecursiveoption deprecation history (Antoine du Hamel) #39728 - [
bfb1dc0a2c] - doc: fixed variable names in queueMicrotask example (ashish maurya) #39634 - [
08b31f12f8] - doc: change "Version 4 UUID" to "version 4 UUID" (Tobias Nießen) #39682 - [
f5200f9785] - doc: update debugger.md description and examples (Rich Trott) #39661 - [
4700f1e529] - doc: fix color contrast issue in light mode (Rich Trott) #39660 - [
88c83a4698] - (SEMVER-MINOR) doc: add missing change to resolver ctor (Luan Devecchi) #39610 - [
760cafa5ed] - doc: fix typo inurl.md(Howie Zhao) #39666 - [
9ab5503693] - doc: add point to ask H1 reporter about credit (Daniel Bevenius) #39585 - [
7514405456] - doc: update min mac ver + move mac arm64 to tier 1 (Ash Cripps) #39586 - [
d7c8c6dcee] - doc: add missingintroduced_inmetadata (Richard Lau) #39575 - [
8072517097] - doc: add code examples toWritable.destroy()andWritable.destroyed(Juan José Arboleda) #39491 - [
55f47cc2d0] - doc: addString.prototype.atand%TypedArray%.prototype.at(Jordan Harband) #39583 - [
0c0412e2c4] - doc: moveNODE_MODULE_VERSIONin release guide (Richard Lau) #39544 - [
5df74f9b21] - doc: remove outdated ARM information from release guide (Richard Lau) #39544 - [
8eccb11ea0] - doc: fence command examples in release guide (Richard Lau) #39544 - [
0bd97e1f2d] - doc: update backport labels in release guide (Richard Lau) #39544 - [
2129ad6a0a] - doc: add code example tofs.truncatemethod (Juan José Arboleda) #39454 - [
3ff5e153ef] - doc: add code example tohttp.createServermethod (Juan José Arboleda) #39455 - [
7d0c869cfa] - doc: add PerformanceObserverbuffereddocument (legendecas) #39514 - [
0dc167a03f] - (SEMVER-MINOR) fs: add recursive cp method (Benjamin Coe) #39372 - [
54dd3df943] - http: decodes url.username and url.password for authorization header (Lew Gordon) #39310 - [
81e62f67bf] - inspector: update inspector_protocol to 89c4adf (Rich Trott) #39650 - [
793fee4915] - inspector: update inspector_protocol to 8ec18cf (Rich Trott) #39614 - [
5afdc1f4c0] - lib: simplify validators (Voltrex) #39753 - [
ca3cb96d25] - lib: cleanup validation (Voltrex) #39652 - [
cc08d3062f] - lib: cleanup instance validation (Voltrex) #39656 - [
2751cdf6f9] - lib: use helper for readability (Voltrex) #39649 - [
c68415cba2] - lib: use validators (Voltrex) #39663 - [
be2d60dd1d] - lib: use validator (Voltrex) #39547 - [
486d51ac0c] - lib: usevalidateObject(Voltrex) #39605 - [
058e882a2a] - lib: use ERR_ILLEGAL_CONSTRUCTOR (Mestery) #39556 - [
07cadc4432] - meta: consolidate AUTHORS entries for ooHmartY (Rich Trott) #39705 - [
6c788b8030] - meta: consolidate AUTHORS entries for homosaur (Rich Trott) #39705 - [
07351edebe] - meta: consolidate AUTHORS entries for Ayase-252 (Rich Trott) #39705 - [
5fe282769b] - meta: consolidate AUTHORS entries for robin-drexler (Rich Trott) #39705 - [
fc2a626357] - meta: consolidate AUTHORS entries for samshull (Rich Trott) #39705 - [
67cfc66a47] - meta: update AUTHORS (Rich Trott) #39705 - [
91008fbdeb] - meta: consolidate email addresses for MarshallOfSound (Rich Trott) #39651 - [
a76b63536a] - meta: consolidate email addresses for tadjik1 (Rich Trott) #39651 - [
aaab2095db] - meta: consolidate email addresses for szmarczak (Rich Trott) #39651 - [
f413a9d83c] - meta: update AUTHORS (Rich Trott) #39636 - [
7a91d4bfe9] - meta: simplify mailmap (Rich Trott) #39612 - [
4ec5d2de5d] - meta: consolidate emails for tadhgcreedon (Rich Trott) #39611 - [
bb88c38eac] - meta: consolidate emails for timcosta (Rich Trott) #39611 - [
0920a8cf6f] - meta: consolidate emails for timruffles (Rich Trott) #39611 - [
1474a9d4b1] - meta: update AUTHORS (Rich Trott) #39629 - [
c59e3ec685] - meta: add mailmap entry for ryzokuken (Rich Trott) #39596 - [
34f4bb8277] - meta: add mailmap entry for uttampawar (Rich Trott) #39596 - [
fd213edda2] - meta: add mailmap entry for dmabupt (Rich Trott) #39596 - [
6b664e224b] - meta: align README/.mailmap/AUTHORS email entries (Rich Trott) #39505 - [
96d8ecbd66] - meta: add mailmap entry for garygsc (Rich Trott) #39588 - [
16d85f3f48] - meta: add mailmap entry for ttzztztz (Rich Trott) #39588 - [
60ab111fdb] - meta: update AUTHORS (Rich Trott) #39587 - [
b43f87d729] - meta: update .mailmap to remove duplication in AUTHORS (Rich Trott) #39561 - [
6f4a2aa5a4] - meta: add .mailmap entries to remove AUTHORS duplicates (Rich Trott) #39560 - [
86d144c500] - meta: add .mailmap entry to remove duplication in AUTHORS (Rich Trott) #39559 - [
110c088f02] - meta: update collaborator email in AUTHORS/.mailmap (Rich Trott) #39521 - [
72af147bb5] - meta: update collaborator email in README (Rich Trott) #39521 - [
23bc4cfb21] - meta: update collaborator email in AUTHORS/.mailmap (Rich Trott) #39521 - [
e4289728c7] - meta: move gdams to emeritus (Rich Trott) #39539 - [
4df59bc727] - module: add some typings tointernal/modules/esm/resolve(Antoine du Hamel) #39504 - [
b5858589d0] - node-api: handle pending exception in cb wrapper (Michael Dawson) #39476 - [
016b7ba616] - perf_hooks: fix PerformanceObserver gc crash (James M Snell) #39550 - [
b37575b67c] - perf_hooks: fix performance timeline wpt failures (legendecas) #39532 - [
64c02eb3cc] - (SEMVER-MINOR) perf_hooks: web performance timeline compliance (legendecas) #39297 - [
7ff21397d6] - policy: fix integrity when DEFAULT_ENCODING is set (Tobias Nießen) #39750 - [
03be967cad] - src: fix TextDecoder final flush size calculation (James M Snell) #39737 - [
9046e78943] - src: fix crash in AfterGetAddrInfo (Anna Henningsen) #39735 - [
2a00ef5ede] - (SEMVER-MINOR) src: fix align in cares_wrap.h (Luan) #39610 - [
60a2b31c68] - src: add cosmetic space character toasync_wrap.hfile (Juan José Arboleda) #39459 - [
cd9b0bf68c] - stream: ensure text() stream consumer flushes correctly (James M Snell) #39737 - [
f57a0e4d8b] - (SEMVER-MINOR) stream: utility consumers for web and node.js streams (James M Snell) #39594 - [
975edf5330] - stream: cleanendWritableNT(Mestery) #39645 - [
9e38fc6757] - (SEMVER-MINOR) stream: add readableDidRead if has been read from (Robert Nagy) #39589 - [
a5ded4a85a] - test: use simplfied validator (voltrexmaster) #39753 - [
53cf53c95a] - (SEMVER-MINOR) test: enable blob.prototype.stream tests (James M Snell) #39693 - [
7e9884598f] - test: update WPT abort tests (Michaël Zasso) #39697 - [
94381fbdf5] - test: update WPT common and resources (Michaël Zasso) #39697 - [
34a041a846] - test: fix test-debugger-heap-profiler for workers (Richard Lau) #39687 - [
9f5acfa90e] - test: increase memory for coverage action (Benjamin Coe) #39690 - [
0be15cedc4] - test: use template to concatenate string (Himadri Ganguly) #39621 - [
952a5282e2] - (SEMVER-MINOR) test: pull Web Platform Tests for WebCryptoAPI (Michaël Zasso) #39648 - [
3622fb1e03] - test: deflake test-http2-buffersize (Luigi Pinca) #39591 - [
1962c7c7b3] - test: convert anonymous function to arrow function (Himadri Ganguly) #39604 - [
635e1a0274] - test: add test-debugger-breakpoint-exists (Rich Trott) #39570 - [
cff2aea5df] - test: add known issues test for debugger heap snapshot race (Rich Trott) #39557 - [
5e1011238a] - tools: bump remark-preset-lint-node to 3.0.0 (Rich Trott) #39755 - [
eb741253fd] - tools: update path-parse in markdown linter package-lock file (Rich Trott) #39729 - [
52a172f983] - tools: fix more build warnings in inspector_protocol (Richard Lau) #39725 - [
77f9c1fa98] - tools: cherry-pick ffb34b6d5dbf0 (Darshan Sen) #39725 - [
b9510d21c9] - tools: update inspector_protocol to e8ba1a7 (Rich Trott) #39694 - [
8d509d8773] - tools: update inspector_protocol to 39ca567 (Rich Trott) #39694 - [
ee7142fa37] - tools: update inspector_protocol to 97d3146 (Rich Trott) #39694 - [
c6323d847d] - Revert "tools: fix compiler warning in inspector_protocol" (Rich Trott) #39694 - [
6e19c166e4] - tools: update inspector_protocol to a53e96d31a2755eb16ca37 (Rich Trott) #39694 - [
61c53f39d2] - tools: update inspector_protocol to fe0467fd105a (Rich Trott) #39694 - [
b1b6f20353] - tools: improve error detection in find-inactive-collaborators (Rich Trott) #39617 - [
d1360fcf48] - tools: update ESLint to 7.32.0 (Luigi Pinca) #39602 - [
af1c782cad] - tools: update ESLint to 7.31.0 (Colin Ihrig) #39424 - [
37dda19461] - (SEMVER-MINOR) url,buffer: implement URL.createObjectURL (James M Snell) #39693 - [
dcab88ad38] - worker: add brand checks for detached properties/methods (James M Snell) #39763
- fs:
-
Node v16.6.2 (Current)
- CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
- Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
- Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
- CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
- If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
- CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
-
Node v14.17.5 (LTS)
- CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
- Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
- CVE-2021-22930: Use after free on close http2 on stream canceling (High)
- Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
- CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
- If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
- CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
- Node v12.22.5 (LTS)
- August 2021 Security Releases
- Node v16.6.1 (Current)
- Node v16.6.0 (Current)
- Node v14.17.4 (LTS)
- Node v12.22.4 (LTS)
- July 2021 Security Releases
- Node v16.5.0 (Current)
- Node v16.4.2 (Current)
- Node v14.17.3 (LTS)
- Node v12.22.3 (LTS)
- July 2021 Security Releases
- Node v14.17.2 (LTS)
- Node v12.22.2 (LTS)
- Node v16.4.1 (Current)
- Node v16.4.0 (Current)
- Node v14.17.1 (LTS)
- Node v16.3.0 (Current)
- Node v16.2.0 (Current)
- Node v14.17.0 (LTS)
- Node v16.1.0 (Current)
- Node v16.0.0 (Current)
- April 2021 Security Releases
- Node v15.14.0 (Current)
- Node v14.16.1 (LTS)
- Node v12.22.1 (LTS)
- Node v10.24.1 (LTS)
- Node v15.13.0 (Current)
- Node v12.22.0 (LTS)
- Node v15.12.0 (Current)
- Node v15.11.0 (Current)
- February 2021 Security Releases
- Node v14.16.0 (LTS)
- Node v12.21.0 (LTS)
- Node v15.10.0 (Current)
- Node v10.24.0 (LTS)
- Node v15.9.0 (Current)
- Node v12.20.2 (LTS)
- Node v10.23.3 (LTS)
- Node v14.15.5 (LTS)
- Node v15.8.0 (Current)
- Node v10.23.2 (LTS)
- Node v15.7.0 (Current)
- Node v15.6.0 (Current)
- January 2021 Security Releases
- Node v12.20.1 (LTS)
- Node v10.23.1 (LTS)
- Node v14.15.4 (LTS)
- Node v15.5.1 (Current)