News from 2016
-
Node v5.12.0 (Stable)
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases for details on patched vulnerabilities.
- buffer
- deps: backport 3a9bfec from v8 upstream (Ben Noordhuis) nodejs/node-private#40
- Fixes a Buffer overflow vulnerability discovered in v8. More details can be found in the CVE (CVE-2016-1699).
-
Node v4.4.6 (LTS)
This is an important security release. All Node.js users should consult the security release summary at nodejs.org for details on patched vulnerabilities.
This release is specifically related to a Buffer overflow vulnerability discovered in v8, more details can be found in the CVE
-
Node v0.12.15 (Maintenance)
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ for details on patched vulnerabilities.
- libuv: (CVE-2014-9748) Fixes a bug in the read/write locks implementation for Windows XP and Windows 2003 that can lead to undefined and potentially unsafe behaviour. More information can be found at https://github.com/libuv/libuv/issues/515 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
- V8: (CVE-2016-1669) Fixes a potential Buffer overflow vulnerability discovered in V8, more details can be found in the CVE at https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
-
Node v0.10.46 (Maintenance)
This is a security release. All Node.js users should consult the security release summary at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/ for details on patched vulnerabilities.
- libuv: (CVE-2014-9748) Fixes a bug in the read/write locks implementation for Windows XP and Windows 2003 that can lead to undefined and potentially unsafe behaviour. More information can be found at https://github.com/libuv/libuv/issues/515 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
- V8: (CVE-2016-1669) Fixes a potential Buffer overflow vulnerability discovered in V8, more details can be found in the CVE at https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1669 or at https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/.
-
Node v6.2.2 (Current)
- http:
req.read(0)could cause incoming connections to stall and time out under certain conditions. (Fedor Indutny) #7211- When freeing the socket to be reused in keep-alive Agent wait for both prefinish and end events. Otherwise the next request may be written before the previous one has finished sending the body, leading to parser errors. (Fedor Indutny) #7149
- npm: upgrade npm to 3.9.5 (Kat Marchán) #7139
- http:
-
Weekly Update - June 16th, 2016
Node v6.2.1 (Current). Complete changelog from previous releases can be found on GitHub.
Community downloads now include binaries for Linux on Power Systems with big endian in addition to the existing little endian binaries.
-
Security updates for all active release lines, June 2016
After a thorough assessment of the fixes we were planning on including, we have decided to scale back this security update to only include a subset. We are deferring some fixes while we improve the required API changes in order to decrease the disruption that it may cause to users. The vulnerabilities that the deferred fixes address are low severity.
-
Node v6.2.1 (Current)
- buffer: Ignore negative lengths in calls to
Buffer()andBuffer.allocUnsafe(). This fixes a possible security concern (reported by Feross Aboukhadijeh) where user input is passed unchecked to the Buffer constructor orallocUnsafe()as it can expose parts of the memory slab used by other Buffers in the application. Note that negative lengths are not supported by the Buffer API and user input to the constructor should always be sanitised and type-checked. (Anna Henningsen) #7051 - npm: Upgrade npm to 3.9.3 (Kat Marchán) #7030
npm/[email protected]npm/npm#12685 When usingnpm ls <pkg>without a semver specifier,npm lswould skip any packages in your tree that matched by name, but had a prerelease version in theirpackage.json. (@zkat)npm/[email protected]npm/npm#10013 `[email protected]: Fixes an issue wherenpm installwould fail if yournode_modules` was symlinked. (@iarna)b894413#12372 Changing a nested dependency in annpm-shrinkwrap.jsonand then runningnpm installwould not get up the updated package. This corrects that. (@misterbyrne)- This release includes `[email protected]`, which is the result of our Windows testing push -- the test suite (should) pass on Windows now. We're working on getting AppVeyor to a place where we can just rely on it like Travis.
- tty: Default to blocking mode for stdio on OS X. A bug fix in libuv 1.9.0, introduced in Node.js v6.0.0, exposed problems with Node's use of non-blocking stdio, particularly on OS X which has a small output buffer. This change should fix CLI applications that have been having problems with output since Node.js v6.0.0 on OS X. The core team is continuing to address stdio concerns that exist across supported platforms and progress can be tracked at https://github.com/nodejs/node/issues/6980. (Jeremiah Senkpiel) #6895
- V8: Upgrade to V8 5.0.71.52. This includes a fix that addresses problems experienced by users of node-inspector since Node.js v6.0.0, see https://github.com/node-inspector/node-inspector/issues/864 for details. (Michaël Zasso) #6928
- buffer: Ignore negative lengths in calls to
-
Weekly Update - May 30th, 2016
Node v4.4.5 (LTS). Complete changelog from previous releases can be found on GitHub.
- NodeUp podcast episode 102: A Node v6.0 Show with Anna Henningsen, James Snell, Rich Trott, and Rod Vagg.
- Node Hero - Getting Started With Node.js: you can learn how to get started with Node.js and deliver software products using it.
- A Quick Guide To Reading Node.js Core Source: One person's approach to understanding the source code that makes up Node.js core. "Your mileage may vary. Warranty void if seal is broken."
-
Node v4.4.5 (LTS)
- buffer:
- Buffer no longer errors if you call lastIndexOf with a search term longer than the buffer (Anna Henningsen) #6511
- contextify:
- Context objects are now properly garbage collected, this solves a problem some individuals were experiencing with extreme memory growth (Ali Ijaz Sheikh) #6871
- deps:
- update npm to 2.15.5 (Rebecca Turner) #6663
- http:
- Invalid status codes can no longer be sent. Limited to 3 digit numbers between 100 - 999 (Brian White) #6291
- buffer:
- Node v6.2.0 (Current)
- Node v4.4.4 (LTS)
- Node v0.12.14 (Maintenance)
- Node v0.10.45 (Maintenance)
- Node v6.1.0 (Current)
- Node v5.11.1 (Stable)
- OpenSSL updates, 1.0.1t and 1.0.2h
- Weekly Update - Apr 29th, 2016
- Node v6.0.0 (Current)
- World’s Fastest Growing Open Source Platform Pushes Out New Release
- Weekly Update - Apr 23rd, 2016
- Node v5.11.0 (Stable)
- Weekly Update - Apr 17th, 2016
- Node v4.4.3 (LTS)
- New Node.js Foundation Survey Reports New “Full Stack” In Demand Among Enterprise Developers
- Node v5.10.1 (Current)
- Node v0.10.44 (Maintenance)
- Node v5.10.0 (Current)
- Node v4.4.2 (LTS)
- Node v0.12.13 (LTS)
- npm security updates v2.15.1 and v3.8.3
- Welcome Google Cloud Platform!
- Node v5.9.1 (Current)
- Node v4.4.1 (LTS)
- Node v5.9.0 (Current)
- Weekly Update - Mar 14th, 2016
- AppDynamics, New Relic, Opbeat and Sphinx Join the Node.js Foundation as Silver Members
- Node v4.4.0 (LTS)
- Node v5.8.0 (Current)
- Node v0.12.12 (LTS)
- Weekly Update - Mar 7th, 2016
- Node v0.10.43 (Maintenance)
- Node v0.12.11 (LTS)
- Node v5.7.1 (Current)
- Node v4.3.2 (LTS)
- Weekly Update - Mar 1st, 2016
- OpenSSL updates, 1.0.2g and 1.0.1s
- Weekly Update - Feb 23rd, 2016
- Node v5.7.0 (Current)
- Node v4.3.1 (LTS)
- Weekly Update - Feb 15th, 2016
- Node.js Foundation to Add Express to its Incubator Program
- February 2016 Security Release Summary
- Node v0.10.42 (LTS)
- Node v0.12.10 (LTS)
- Node v4.3.0 (LTS)
- Node v5.6.0 (Current)
- Weekly Update - Feb 8th, 2016
- Weekly Update - Jan 29th, 2016
- OpenSSL upgrade low-severity Node.js security fixes
- Weekly Update - Jan 22th, 2016
- Node v4.2.6 (LTS)
- Node v5.5.0 (Current)
- Node v4.2.5 (LTS)
- Weekly Update - Jan 18th, 2016
- Node v5.4.1 (Current)
- Weekly Update - Jan 11th, 2016
- Node v5.4.0 (Current)
- Weekly Update - Jan 1st, 2016