News from 2021
- Node v14.17.0 (LTS)
-
Node v16.1.0 (Current)
- [
8a90f55a05] - (SEMVER-MINOR) fs: allow no-params fsPromises fileHandle read (Nitzan Uziely) #38287
- [
28e16488cf] - async_hooks,doc: replace process.stdout.fd with 1 (Darshan Sen) #38382 - [
cbab7ec6e5] - benchmark: avoid usingconsole.log()(Antoine du Hamel) #38370 - [
ba15b20062] - benchmark: useprocess.hrtime.bigint()(Antoine du Hamel) #38369 - [
bc6e719884] - bootstrap: freeze more intrinsics (Antoine du Hamel) #38217 - [
29faf0f12e] - build: fix label-pr workflow (Michaël Zasso) #38399 - [
b5d669a6ea] - build: label PRs with GitHub Action instead of nodejs-github-bot (Phillip Johnsen) #38301 - [
195f679331] - crypto: don't crash with some selfsigned certs (Nils Dralle) #37990 - [
4b073b0beb] - crypto: fix generateKeyPair type checks (Nitzan Uziely) #38364 - [
c1d9b5b386] - crypto: fix scrypt keylen validation (Antoine du Hamel) #38385 - [
7354479ad5] - crypto: fix DiffieHellmangeneratorvalidation (eladkeyshawn) #38311 - [
0e446d6048] - debugger: enable linter oninternal/inspector/inspect_client(Antoine du Hamel) #38417 - [
9f0e80aa4d] - debugger: refactorinternal/inspector/_inspectto use more primordials (Antoine du Hamel) #38406 - [
a0c566f85a] - debugger: apply automatic lint fixes for inspect_repl.js (Rich Trott) #38411 - [
b884ea739b] - debugger: apply automatic lint fixes for _inspect.js (Rich Trott) #38411 - [
f946aa0360] - debugger: remove unused function argument (Rich Trott) #38400 - [
203a9689a3] - debugger: align message with Node.js standard (Rich Trott) #38400 - [
ef617dcbb0] - debugger: add usage example for--port(Rafael Gonzaga) #38400 - [
37b5ce2d5a] - debugger: fix race condition/deadlock on initialization (Rich Trott) #38161 - [
2a6203d155] - debugger: replace internal use of deprecated API (Rich Trott) #38161 - [
6fff9fff97] - debugger: allow longer time to connect (Rich Trott) #38161 - [
def85daace] - debugger: accommodate line chunking in Windows (Rich Trott) #38161 - [
07361e6b77] - debugger: fix inspect restart on Windows (Rich Trott) #38161 - [
d65615e119] - debugger: remove unused code (Rich Trott) #38161 - [
62b03bc4f6] - debugger: move node-inspect to internal library (Rich Trott) #38161 - [
e3b75cb5aa] - deps: V8: cherry-pick fd75c97d3f56 (Michaël Zasso) #38455 - [
aabddfbeb5] - deps: upgrade npm to 7.11.2 (Ruy Adorno) #38475 - [
7b9fb92d51] - deps: update to [email protected] (Guy Bedford) #38450 - [
47626c52a3] - deps: patch V8 to 9.0.257.24 (Michaël Zasso) #38423 - [
f455e08621] - deps: patch V8 to 9.0.257.21 (Michaël Zasso) #38333 - [
dd61a26d8c] - deps: update llhttp to 6.0.1 (Fedor Indutny) #38359 - [
05f41cdbcc] - deps: patch V8 to 9.0.257.19 (Michaël Zasso) #38270 - [
224faa0a05] - Revert "doc: os.uptime() temporary bug notice" (Michaël Zasso) #38494 - [
3b0480dde8] - doc: document'secureConnect'event limitation (James M Snell) #38447 - [
92586046ec] - doc: fix outdated util inspect documentation and layout example (Ruben Bridgewater) #37079 - [
13de4cf1ca] - doc: mark Node.js 10 as End-of-Life (Richard Lau) #38482 - [
3cbfde1f25] - doc: mark querystring api as legacy (James M Snell) #38436 - [
a5929c2487] - doc: update node-api support matrix (Michael Dawson) #38424 - [
f08650cefe] - doc: add arguments for stream event of Http2Server and Http2SecureServer (Qingyu Deng) #37892 - [
2d59273bed] - doc: indicate that abort tests do not generate core files (Rich Trott) #38422 - [
f1970127ee] - doc: add try/catch in http2 respondWithFile example (Matteo Collina) #38410 - [
f6f1317f43] - doc: note the system requirements for V8 tests (DeeDeeG) #38319 - [
4b19beaf3c] - doc: minor clarification to pathObject (James M Snell) #38437 - [
1eae4af6f7] - doc: clarify that fs.Dir async iterator closes automatically (James M Snell) #38438 - [
14afb39259] - doc: document new TCP_KEEPCNT and TCP_KEEPINTVL socket option defaults (Arnold Zokas) #38313 - [
ed5ef21690] - doc: do not mention TCP in the allowHalfOpen option description (Luigi Pinca) #38360 - [
042985c139] - doc: update message to match actual output (Rich Trott) #35271 - [
bcc5e2af76] - doc: request default snap track be updated for LTS (Rod Vagg) #37708 - [
dfd4c7ba93] - doc: markprocess.hrtime()as legacy (Antoine du Hamel) #38371 - [
67cd88da00] - doc: fix typo in worker_threads.md (takayama) #38368 - [
a9314cda7d] - doc: fix version history for"exports"patterns (Antoine du Hamel) #38355 - [
76885cd578] - doc: fixpackage.json"imports"field history (Antoine du Hamel) #38356 - [
0e88ae7ec1] - doc: fix typo in buffer.md (divlo) #38323 - [
1cccc2da51] - doc: fix YAML comment opening tags (Jayden Seric) #38324 - [
25052dc987] - doc: add nodejs-sec email template (Daniel Bevenius) #38290 - [
3858029262] - doc: update TSC members list with three new members (Rich Trott) #38352 - [
2eef587674] - doc: usefoo.prototype.barnotation in buffer.md (Voltrex) #38032 - [
8a90f55a05] - (SEMVER-MINOR) fs: allow no-params fsPromises fileHandle read (Nitzan Uziely) #38287 - [
a696f1080c] - inspector: remove redundant method for connection check (Yash Ladha) #37986 - [
fcac2e0363] - lib: harden lint checks for globals (Antoine du Hamel) #38419 - [
277122e1fa] - lib: fix and improve os typings (Akhil Marsonya) #38316 - [
f2c0258b4c] - lib: add support for JSTransferable as a mixin (James M Snell) #38383 - [
96f54d3446] - meta: post comment when pr labeled fast-track (James M Snell) #38446 - [
4711f57cf2] - perf_hooks: add toJSON to performance class (Yash Ladha) #37771 - [
013fa59602] - perf_hooks: fix PerformanceObserver 'gc' crash (James M Snell) #38414 - [
10147f191e] - readline: move utilities to internal modules (Antoine du Hamel) #38466 - [
620ee42ab4] - repl: document top level await limitation with const/let (James M Snell) #38449 - [
aa24681dcb] - repl: display prompt once after error callback (Anna Henningsen) #38314 - [
9c06103a4f] - src: fix validation of negative offset to avoid abort (James M Snell) #38421 - [
7d8cc2abf1] - src: use %progbits instead of @progbits (Stephen Gallagher) #38312 - [
17856f1f88] - src: print arbitrary javascript exception value in node report (legendecas) #38009 - [
769a210d55] - src: refactor to use THROW_* argument based snprintf (Filip Skokan) #38357 - [
e3538bbcd2] - src: fix abort in pbkdf2 (Tobias Nießen) #38354 - [
09cacd7418] - src: fix setting Converter sub char length (James M Snell) #38331 - [
3649ec5276] - src: avoid deferred gc/cleanup for Buffer.from (James M Snell) #38337 - [
f2ffaba78c] - stream: the position of _read() is wrong (helloyou2012) #38292 - [
7ce39b8608] - test: fixcommon.mustCalllengthandnameproperties (Antoine du Hamel) #38464 - [
d1cd1178e7] - test: address deprecation warning (Rich Trott) #38448 - [
67e9e71f75] - test: crypto KeyObject.from() ERR_INVALID_ARG_TYPE (pezhmanparsaee) #37890 - [
9ad611c0b2] - test: fix flaky test-crypto-timing-safe-dqual-benchmarks (Rich Trott) #38476 - [
10b6b4e244] - test: update url Web Platform Tests (Leko) #38435 - [
4f6c4eb144] - test: move abort test from pummel to abort directory (Rich Trott) #38396 - [
231ef4b0ce] - test: move slower tests into pummel and skip on slow devices (Rich Trott) #38395 - [
45322dfa12] - test: skip some pummel tests on slower machines (Rich Trott) #38394 - [
1bc47a4c0f] - test: fix test to allow quictls fork of OpenSSL 3 (Richard Lau) #38372 - [
6ac02755f5] - test: extend timeout on debugger tests for slower machines (Rich Trott) #38161 - [
93b0c78de0] - test: fix comment typo (Rich Trott) #38161 - [
6c3e5043b0] - test: fix test-inspector-cli-address (Rich Trott) #38161 - [
27d7588ad5] - test: add ancestor package.json checks for tmpdir (Richard Lau) #38285 - [
30de03630e] - test: replace function with arrow function and remove unused argument (Andres) #38235 - [
eb8f5ce44f] - test: use .test domain for not found address (Richard Lau) #38286 - [
a4084d66c6] - test,debugger: migrate node-inspect tests to core (Rich Trott) #38161 - [
16eb078aa8] - test,readline: improve tab completion coverage (Antoine du Hamel) #38465 - [
b3ca1b358e] - timers: remove redundant unref calls (Giora Guttsait) #38320 - [
5b393d9258] - tls: validate ticket keys buffer (Antoine du Hamel) #38308 - [
f6745e9370] - tls: fixtlsSocket.setMaxSendFragmentabort (eladkeyshawn) #38170 - [
499da2d9e3] - tools: use mktemp to create the workspace directory (Luigi Pinca) #38432 - [
8a83bfd1bd] - tools: use a shallow clone of the npm/cli repository (Luigi Pinca) #38463 - [
bec959ef8b] - tools: disable LTO for "v8_cppgc_shared" target (Jesse Chan) #38346 - [
6350d35b3c] - tools: remove fixer for non-ascii-character ESLint custom rule (Rich Trott) #38413 - [
dce8d2968a] - tools: fix doc generation when version info is not available (Antoine du Hamel) #38398 - [
1033f6c8cb] - tools: add _depot_tools to PATH (for V8 tests) (DeeDeeG) #38299 - [
28f02cb8cf] - tools: update ESLint to 7.25.0 (Colin Ihrig) #38378 - [
f1ea2c8e2b] - tools: update markdown linter rules (Rich Trott) #38384 - [
02e875c645] - tools: remove node-inspect from license (Rich Trott) #38161 - [
d3bd4b4771] - tools: fix type mismatch in test runner (Richard Lau) #38289 - [
9a2651352b] - typings: add JSDoc typings for fs (Voltrex) #38306 - [
e389e86b6b] - typings: add JSDoc typings for util (Rohit Gohri) #38213 - [
ec5b06eae3] - util: fix infinite recursion during inspection (Ruben Bridgewater) #37079 - [
67bd0ec15c] - zlib: fix brotli flush range (Khaidi Chu) #38408
- [
-
Node v16.0.0 (Current)
Deprecations and Removals
- (SEMVER-MAJOR) fs: remove permissive rmdir recursive (Antoine du Hamel) #37216
- (SEMVER-MAJOR) fs: runtime deprecate rmdir recursive option (Antoine du Hamel) #37302
- (SEMVER-MAJOR) lib: runtime deprecate access to process.binding('http_parser') (James M Snell) #37813
- (SEMVER-MAJOR) lib: runtime deprecate access to process.binding('url') (James M Snell) #37799
- (SEMVER-MAJOR) lib: make process.binding('util') return only type checkers (Anna Henningsen) #37819
- (SEMVER-MAJOR) lib: runtime deprecate access to process.binding('crypto') (James M Snell) #37790
- (SEMVER-MAJOR) lib: runtime deprecate access to process.binding('signal_wrap') (James M Snell) #37800
- (SEMVER-MAJOR) lib: runtime deprecate access to process.binding('v8') (James M Snell) #37789
- (SEMVER-MAJOR) lib: runtime deprecate access to process.binding('async_wrap') (James M Snell) #37576
- (SEMVER-MAJOR) module: remove module.createRequireFromPath (Antoine du Hamel) #37201
- (SEMVER-MAJOR) module: runtime deprecate subpath folder mappings (Antoine du Hamel) #37215
- (SEMVER-MAJOR) module: runtime deprecate "main" index and extension lookups (Antoine du Hamel) #37206
- (SEMVER-MAJOR) module: runtime deprecate invalid package.json main entries (Antoine du Hamel) #37204
- (SEMVER-MAJOR) process: runtime deprecate changing process.config (James M Snell) #36902
-
April 2021 Security Releases
Updates are now available for v10,x, v12.x, v14.x and v15.x Node.js release lines for the following issues.
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
-
Node v15.14.0 (Current)
Vulnerabilties Fixed:
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
- Impacts:
- All versions of the 14.x, 12.x and 10.x releases lines
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
-
Node v14.16.1 (LTS)
Vulnerabilities fixed:
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
- Impacts:
- All versions of the 14.x, 12.x and 10.x releases lines
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
-
Node v12.22.1 (LTS)
Vulnerabilities fixed:
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
- Impacts:
- All versions of the 14.x, 12.x and 10.x releases lines
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
-
Node v10.24.1 (LTS)
Vulerabilties fixed:
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
- This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
- Impacts:
- All versions of the 15.x, 14.x, 12.x and 10.x releases lines
- CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
- This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
- Impacts:
- All versions of the 14.x, 12.x and 10.x releases lines
- CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
- Node v15.13.0 (Current)
- Node v12.22.0 (LTS)
- Node v15.12.0 (Current)
- Node v15.11.0 (Current)
- February 2021 Security Releases
- Node v14.16.0 (LTS)
- Node v12.21.0 (LTS)
- Node v15.10.0 (Current)
- Node v10.24.0 (LTS)
- Node v15.9.0 (Current)
- Node v12.20.2 (LTS)
- Node v10.23.3 (LTS)
- Node v14.15.5 (LTS)
- Node v15.8.0 (Current)
- Node v10.23.2 (LTS)
- Node v15.7.0 (Current)
- Node v15.6.0 (Current)
- January 2021 Security Releases
- Node v12.20.1 (LTS)
- Node v10.23.1 (LTS)
- Node v14.15.4 (LTS)
- Node v15.5.1 (Current)